The Bank of England (BoE) recently simulated a major cyber-attack against the British financial system that yielded some disturbing results: many of the UK’s largest financial institutions are unprepared for large-scale online identity-based attacks.
More surprisingly, many of them are also uneducated on how to detect and report cyber security breaches. The Telegraph UK reported that even small-scale attacks have led to major security breaches and caused the collapse of core systems.
Entrust senior vice president Mark Reeves shared Entrust’s recommendations with Business Computing World UK and other UK-based security publications for how financial institutions should bolster defenses against these attacks. These best practices are globally relevant against identity-based online threats.
Today, financial institutions (FIs) offering internet-based and mobile-banking services face increasing pressure to provide enhanced consumer protection against phishing, sophisticated malware and fraudulent activities.
Malware, phishing and fraud attacks are increasing. According to Kaspersky Labs IT Threat and Evolution Report for Q2 2013 more than 100,000 unique mobile malware samples were detected in that quarter which is substantially more than the previous quarter.
In fact, this was the most significant statistical category in both quantity and complexity in the report, indicating that not only are cybercriminals developing more malware targeting mobile platforms, they’re also advancing their capabilities and behaviors.
The UK also has the third-highest incidents of phishing websites. Not surprisingly, payment services (47.6 percent) and financial services (27.32 percent) are the most targeted verticals.
How can FIs protect themselves against online attacks? Our advice is to invest in long-term solutions that enable FIs to adjust their security controls to keep pace with ever-changing and evolving threats.
1. Drive better risk assessment
Assess online transactions, and the level of risk these present by type of transaction or user group, in order to develop risk mitigation strategies. Be sure to assess specific attributes such as customer type, volume and capability of your transaction methods, information sensitivity and existing security, ease of use and the customer experience, and how mobile devices are interacting with your environment.
Consider not only financial loss, but also liability, corporate risk and reputational damage. And don’t just do this once, review and refresh this assessment at least every 12 months. The risk assessment will help you to map out potential impacts and the security service levels required.
2. Adopt strong authentication standards
Today’s threats require stronger means of authentication than simple usernames and passwords, particularly for high-risk financial transactions such as wire transfers. When used alone, traditional two-factor authentication solutions such as one-time-passcode (OTP) tokens are no longer effective against, for example, sophisticated man-in-the-browser attacks.
There are a number of newer techniques that provide the level of protection required, either through the use of a separate communication channel with the user or by relying on advanced behavior-based fraud detection engines that can automatically detect transaction or website navigation anomalies in real-time.
3. Take a layered approach
It is worth noting that no single authentication or traditional fraud detection solution can stop advanced malware on banks and other FIs. It is the layering of different, complementary security technologies — such as strong authentication, behavioral fraud detection, out-of-band transaction verification, mobile authentication and extended validation SSL digital certificates — that provide the best method of protecting customer identities and transactions in a banking environment.
4. Explore advanced authentication techniques
There are a wide range of strong advanced authentication techniques available today. As online fraud attacks increase in sophistication, so does the innovation in authentication technology required to stop these attacks in the consumer space.
FIs should explore these advanced techniques like mobile-based transaction verification, dynamic device authentication — including one-time session cookies and digital fingerprints — rather than broadly using static device cookie-based approaches.
Remember, however, threats are ever-changing and growing. This means FIs must have an ongoing program of investment to evolve their technology, people and processes. Security in this area should not be a one-time exercise.
5. Enhance customer awareness and education
Finally, we also advise that FIs involve the customer as much as possible to help fight fraud. Ongoing education and training programs should be in place to ensure that everyone does their best to help protect and mitigate today’s threats.
For example, some progressive banks are deploying security measures that notify customers when suspicious transactions are in progress and ask the customer to confirm that a given transaction is valid.
It is vital that consumer confidence is maintained. No bank or FI can afford the reputational damage that an online attack can cause. Continuous investment in security systems, processes and people is a must, rather than a nice-to have. Otherwise, banks risk leaving customer data vulnerable to attack.
If you are interested in finding out more about how FIs can implement identity-based security to win the war against online attacks, download our latest whitepaper: “It’s Cyber Warfare