Zeus, OddJob, Gozi-Prinimalka, Citadel. These are just a few of the thousands of known threats. The ever-growing variety of malware actively targeting banks and their customers is having a marked impact on the financial services industry. The malware, which consists of sophisticated, evolving pieces of software designed to compromise online credentials, is deployed by international organized criminal rings that are nimble, innovative and constantly transforming their attacks on financial institutions (FIs) and their customers.
Cyber threats are growing at a frightening pace, with more than 150,000 new strains of malware deployed per day. Add to this the increasing effectiveness of distributed denial-of-service attacks, brute-force attacks and the never-ending threat of corporate espionage backed by nation-states, and it all equals a daunting challenge for FI information security professionals.
In the face of this threat environment, FIs and their customers need to be more vigilant than ever and continue to deploy their own innovative techniques to protect their financial information. Session- and perimeter-based security is no longer sufficient. Regulators advocate multiple layers of security, a strategy that's already in use at many financial institutions. This approach combines a number of complementary technologies that protect against the wide variety of attack vectors. Because the bad guys have proved adept at compromising in-progress Web sessions, security must take a holistic approach, securing not only the session but also the transaction and the network.
Considering the extent to which cybercriminals study their targets and the pace at which cyber threats are evolving, financial institutions need to be equally responsive in their defensive strategies. And since the bad guys don't need to make business cases to justify their innovations, while the good guys at the banks generally do, it's doubly important that FIs place their bets on the most effective technologies as they develop and evolve their layered defense. Here are a few recommendations:
- Don't put all your eggs in one basket. Cybercriminals have proved adept at bypassing virtually every form of online fraud mitigation and authentication when deployed as a single point solution. To be effective in the war against cybercriminals, FIs need to adopt a layered approach that protects not only the session but also the transaction itself.
- Multifactor is still a good bet. For application-level security, multifactor authentication remains a sound choice, but the approach has necessarily come a long way from the early days, when it consisted of little more than a few challenge questions. Now multifactor also implies multiple channels, blending online and mobile communication, and doing so in a secure manner that isn't susceptible to known forms of compromise.
- Continue to perform ongoing risk assessments. It's important to stay abreast of the latest malware capabilities and understand how current defenses can (or cannot) be effective against them.
- Include the ability to detect and interdict anomalous transactions. There are often behavioral clues in the fraudulent transaction, whether it's the transaction size, the timing of the transaction or the way in which the site navigation is being performed. This is applicable for client-facing transactions as well as internal ones.
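The last recommendation lends itself to a concrete illustration. The following rule-based scorer, added here as an example and not code from the article or from Aite Group, checks a transaction against an account's recent behaviour on the clues named above (transaction size, timing, site navigation) plus one extra, session speed, and maps the resulting score to allow, step-up authentication, or hold for review. All account history and transactions are constructed sample data; the thresholds (3x the median amount, usual hours plus or minus one, half the fastest previous session) are assumptions chosen for the demonstration, not figures from the article.

```python
"""Rule-based anomaly scoring for online-banking transactions.

Added example (not from the article). Scores a transaction against an
account's recent history on amount, timing, navigation and session speed.
All history and transactions below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass
class Transaction:
    account: str
    amount: float
    hour: int            # local hour of day, 0-23
    pages: List[str]     # pages visited in the session, in order
    seconds: int         # time from login to submitting the transfer


@dataclass
class History:
    amounts: List[float]
    hours: List[int]
    durations: List[int]


# Constructed per-account baseline; a real system would derive this from
# the customer's past sessions.
HISTORY: Dict[str, History] = {
    "A-1001": History(amounts=[120, 80, 210, 95, 150],
                      hours=[12, 13, 18, 12, 19],
                      durations=[95, 140, 110, 88, 120]),
}


def score_transaction(tx: Transaction, hist: History) -> Tuple[int, List[str]]:
    """Return (risk_score, reasons); each rule that fires adds one point."""
    reasons: List[str] = []

    # Size: well above what this account normally moves (assumed 3x median).
    if tx.amount > 3 * median(hist.amounts):
        reasons.append("amount")

    # Timing: outside the hours (+/- 1h) the customer has used before.
    usual = {(h + d) % 24 for h in hist.hours for d in (-1, 0, 1)}
    if tx.hour not in usual:
        reasons.append("timing")

    # Navigation: the review page was never shown before confirm. A normal
    # browser flow always passes through review; an automated session may not.
    if "confirm" in tx.pages and "review" not in tx.pages[:tx.pages.index("confirm")]:
        reasons.append("navigation")

    # Speed: far faster than any previous session by this customer.
    if tx.seconds < min(hist.durations) / 2:
        reasons.append("speed")

    return len(reasons), reasons


def decide(tx: Transaction, history: Dict[str, History] = HISTORY) -> str:
    """Map the risk score to an action: allow, step-up, or hold."""
    hist = history.get(tx.account)
    if hist is None:
        return "step-up"   # no baseline yet: ask for extra authentication
    risk, _ = score_transaction(tx, hist)
    if risk >= 2:
        return "hold"
    if risk == 1:
        return "step-up"
    return "allow"


# Constructed sample transactions.
NORMAL_PATH = ["login", "accounts", "transfer", "review", "confirm"]
NORMAL = Transaction("A-1001", 140, 13, NORMAL_PATH, 105)
SUSPECT = Transaction("A-1001", 4800, 3, ["login", "transfer", "confirm"], 9)
ODD_HOUR = Transaction("A-1001", 150, 3, NORMAL_PATH, 100)

if __name__ == "__main__":
    for tx in (NORMAL, SUSPECT, ODD_HOUR):
        risk, why = score_transaction(tx, HISTORY[tx.account])
        print(f"{tx.account} amount={tx.amount} -> {decide(tx)} (score {risk}: {why})")
```

Each rule is deliberately simple so that the reason list can be shown to an analyst; the value comes from combining independent clues, since a single one (an unusual hour, say) is common in legitimate use and warrants no more than a step-up challenge.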
The most important thing to remember is that when it comes to cyber threat mitigation, there is no destination. There's little disincentive for the bad guys and a vast pool of funds fueling their innovation. It is incumbent upon financial institutions to be equally nimble and innovative in their efforts to protect themselves and their clients.
Julie Conroy is a research director for Aite Group's Retail Banking practice and covers fraud, data security, anti-money laundering and compliance issues.