Cybersecurity: Bankers’ Nightmare
If FinTech were the Superman of the financial sector, cybersecurity would be its kryptonite.
Last year we reported how COVID-19 exploited the financial sector’s vulnerabilities, and how the surge in demand for e-commerce and internet banking exposed weaknesses in many prominent corporations’ online services and was followed by several major cyber-attacks. Phishing, scams, and other cyber-attack activity were on the rise. Ransomware attacks against the financial sector increased ninefold between the beginning of February and the end of April 2020.
US Federal Trade Commission data from February 2021 revealed that consumers lost $3.3 billion to phishing schemes and other fraud in 2020, nearly double the losses of 2019. Online shopping, internet services, prizes, sweepstakes and lotteries, and telephone and mobile services were the top fraud categories.
That was then; this is now:
- (October 2021) An investigation into the theft of USD 35 million from a bank in the United Arab Emirates in January 2020 has found that deepfake voice technology was used to imitate a company director known to a bank branch manager, who then authorized the transactions. The filing states that the branch manager of the unnamed victim bank received a phone call from a familiar voice which, together with accompanying emails from a lawyer named Martin Zelner, convinced the manager to disburse the funds, supposedly for the acquisition of a company. (Source: Unite AI)
- (October 2021) Millions of pounds were swiped from Barclays accounts in May in a series of coordinated cyber-attacks by a fraudster using a Monzo account and a payment initiation service provider (PISP). (Source: Pymnts.com)
- (October 2021) A cyber-attack disrupted services at Ecuador’s largest bank, forcing it to shut down portions of its network to stop the attack from spreading to other systems. Customers were still experiencing service disruptions on the Friday after an attack earlier that week. In a statement the following Monday, the bank acknowledged that it had identified a cybersecurity incident in its systems that had partially disabled its services. (Source: AP News)
- (October 2021) The Reserve Bank of Australia warns that a successful hack on a bank is almost inevitable as it prepares for an assault that could put trillions of dollars’ worth of deposits and loans at risk. (Source: The Sydney Morning Herald)
- (October 2021) Coinbase, one of the world’s biggest cryptocurrency exchanges, admitted that hackers stole cryptocurrency from at least 6,000 customers between March and May 2021. According to the company, the attackers needed to know the email addresses, passwords, and phone numbers linked to the affected accounts and to have access to the victims’ personal email; it added that there was no evidence the information had been obtained from Coinbase. (Source: Reuters) After the attack was revealed, Coinbase acknowledged a flaw in its multi-factor authentication that allowed the attackers to obtain the SMS-based two-factor authentication token required to recover a user’s account. (Source: CPO Magazine)
- (September 2021) A Bitcoin.org hack netted scammers $17,000 overnight. The website was compromised in the early hours of September 23, when a pop-up message began appearing that promised visitors they could double their money by sending bitcoin to a wallet address. Visitors were reportedly unable to navigate away from the pop-up. The scammers appear to have collected more than $17,000 worth of bitcoin from 10 transactions and had already emptied the wallet. (Source: The Daily Swig)
- (September 2021) The Monetary Authority of Singapore (MAS) confirmed that hackers abroad, posing as bank customers, stole the OTPs of 75 bank customers and made $500k in fraudulent credit card payments. (Source: The Straits Times)
- (May 2021) Sweden’s financial watchdog is investigating whether the well-known buy-now-pay-later (BNPL) fintech Klarna violated bank secrecy laws following a security breach in May, during which users were for a limited time able to see other customers’ information. (Source: Finextra)
- (April 2021) Personal data, including that of several African Bank loan customers under debt review, was compromised in a cyber-attack on the African debt collector Debt-IN. (Source: Sunday Times)
- (March 2021) Israeli car financing company K.L.S. Capital was hacked. After the attack, the hacker group announced, “We are here to inform you a (sic) cyberattack against K.L.S. CAPITAL LTD which is in Israel. Their servers are destroyed, and the client data is in our hands,” adding that they had waited 72 hours for the company to pay the ten bitcoins demanded as ransom for the data, but the company did not pay. (Source: The Jerusalem Post)
- (January 2021) The Reserve Bank of New Zealand suffered a severe data breach of which it was initially unaware. The breach ended up costing around NZ$3.5m, with Reserve Bank Governor Adrian Orr admitting that the agency was “over-reliant on third-party file-sharing software application Accellion” to alert it to any vulnerabilities in the system. (Source: Security Brief New Zealand)
The list goes on. What is the takeaway? Cybersecurity threats are real regardless of the region, sector, focus, size, or technology stack of a financial institution.
The Bank of England’s recent systemic risk survey of bankers and other financial sector players reveals that banks are more worried about hackers than about pandemics, geopolitical risk, or operational risks including climate change. Rightfully so: a data breach, a ransomware attack, or a spam campaign would each do the trick. According to research by Atlas VPN dated August 2021, the financial cost of data breaches reached a six-year high in 2021. In 2020 a data breach caused an average of $3.86 million in damages, while in 2021 the figure rose to $4.24 million, a 9.84% increase. For financial services the number is higher still, at $5.72 million.
Source: Atlas VPN
All the existing data point to a straightforward fact: cyberthreats are just around the corner, and most financial service players are not ready for them. So should banks settle for modest measures and accept that an attack is inevitable, or is there more they can do?
To Err is Human
Last year we shared some actionable points for financial institutions, advising them to create a battle plan against cyber insurgency. Yet, with so many expert consultants and software packages on the market, cybersecurity remains a weak spot for most financial service players. In our observation, this weakness is due not to a lack of preparation but to a lack of continuous R&D and education. Cybercriminals spend more time analyzing their opponent and probing for weak spots than financial institutions do. Once a soft spot is found, recurring attacks on that institution are inevitable. Therefore, in addition to deploying sophisticated protection and recovery products, financial players should:
- consult with external cybersecurity experts to understand the existing risks and solutions and to create a battle plan,
- organize cybersecurity competitions to understand the organization’s vulnerabilities and to test response times,
- regularly catch up with their competitors and peers to exchange know-how and threat intelligence,
- invest in educating their employees to make them part of the defense mechanism,
- focus on closing the digital and financial literacy gap of their customers to
After all, to err is human, but repeatedly falling victim as a supervised financial entity sends the wrong message about institutions built on reliability and trust.
Filling The Cybersecurity Skill Gap
Cybercriminals are becoming more sophisticated, but are financial institutions’ employees and management leveling up in parallel? Most organizations’ cybersecurity training does not match the skill sets cybercriminals possess. Many banks’ onboarding programs do not go beyond basic information, while cybercriminals dive deep into the technology. Resilient cybersecurity mechanisms should extend beyond technical and engineering skills: in addition to mastering the existing platforms and their security controls, staff should know the techniques fraudsters and hackers use. Cybersecurity staff need strong attention to detail, analytical and documentation skills, and should specialize in problem solving, intra-organizational communication, and data management and protection. All in all, cybersecurity professionals must combine technical, analytical, leadership, management, and soft skills to do the job successfully.
To build a durable, long-term strategy, organizations can rely on qualified and experienced internal and external cybersecurity professionals. However, cybersecurity experts cannot hold the fort forever on their own. Therefore, elaborate and detailed cybersecurity training programs should extend beyond the experts, as most victims are operational personnel, management, and users.
Digital and Financial Literacy Becoming the Biggest Priority
According to the US Federal Trade Commission data from February 2021, younger people (ages 20-29) reported losing money to fraud more often than older people, with 44% reporting a loss. Still, when people aged 70 and over had a loss, the median loss was higher.
Source: FTC / Tableau
The above-cited US Federal Trade Commission research also helps explain why WealthTech has become a thing in the last two years. Factors such as the desire to make quick and easy money, post-pandemic desperation, and greed seem to have encouraged younger consumers to click on bait and to use unverified and untrustworthy resources. Positive media coverage and social media touts have so far served their purpose, bringing in a lot of newcomers.
Although it is not in the official job description, financial institutions should take on the duty of educating consumers where financial education fails. Teaching consumers how to tell sound investment strategies from bad ones, how to identify fraudsters and scams, which networks and devices to use, and how to create and not share passwords is just the tip of the iceberg of what FinServ providers can cover to make the ecosystem better. With qualified cybersecurity professionals in short supply, extending the defense mechanism beyond the organization’s brick walls is an opportunity. After all, regardless of their source and victims, fraud, scams, and cyber-attacks damage the credibility of the industry as a whole, and one bad apple can easily spoil the whole bunch. Financial institutions should therefore prioritize customer awareness and take on essential financial and cybersecurity education initiatives to protect their customers, their reputation, and the ecosystem. After all, financial services bear the highest cybercrime costs of any industry, and when an incident happens, remediation goes well beyond covering the economic losses.
For financial institutions, every day is cybersecurity day; however, October is particularly significant. It is the US National Cybersecurity Awareness Month, and October has also hosted the Cybersecurity Week Luxembourg for 20 years.
As part of the European Cybersecurity Month campaign, the Cybersecurity Week Luxembourg is being held from 18-28 October 2021 and returns to its on-site format this year. The event is bringing together cybersecurity experts, IT players, and tech enthusiasts as we speak. Would you like to know more about what is new in cybersecurity? Join the campaign.
by S. Elif Kocaoglu Ulbrich