We're providing valuable insight into global financial security and efforts to mitigate fraud
Worldwide, banks and other financial institutions are fighting a growing problem of fraud, advanced money-laundering and social engineering that has put the security of the global economy in jeopardy. Consumers lost $16 billion to identity theft and fraud in 2016, a number that continues to rise annually.
Traditional Bank Fraud
Attempts to steal money or trick people with paper documents are not as prevalent as they once were, but they are still used, often against unsuspecting, vulnerable individuals.
Forged checks can be convincing enough to get by trained bank tellers. If they pass that first screening, it can take weeks to identify a bad check. In many cases, the bank will clear the check and later remove the funds from the account, leaving the account-holder with nothing. This technique can apply to faked cashier’s checks, which are usually considered a safe form of payment.
Other forms of traditional scamming involve fake lottery prizes or awards, or telephone calls impersonating bank employees or government officials.
Denial of Service
A Denial of Service (DoS) attack is an attempt to take down a website by flooding it with fake connections until it is overwhelmed and crashes.
DoS attacks against the financial industry are occasionally politically motivated but are most often seen as attempts to probe vulnerabilities in the bank’s systems or create a large enough distraction to cover up other hacking attempts.
A DoS attack can cost up to $100,000 for every hour that a bank’s site is down and/or vulnerable to outside access. These costs allow attackers to attempt to extort a financial institution by preventing its normal commercial website activities.
Phishing
Protecting the endpoints by strengthening authentication checks and improving user education will go a long way towards a secure financial infrastructure. Many of the weak points in the system come from attempts to extract information via phony emails or websites. This sort of attack is known as Phishing.
Phishing emails resemble messages from trusted sources. The emails may prompt a user to verify personal or account information that is then captured and used to steal money or personal information. Phishing has evolved and become more sophisticated over the last few years, but the prevalence of “Phishing kits” that are available to criminals worldwide means that there are millions of attacks a day, ranging from complex attempts to socially engineer a user to sloppy, obviously fake emails that still manage to trick a small section of the userbase.
New Tech Bank Fraud
Technology’s biggest contribution to the abilities of criminals to commit bank fraud has been the rise of automation that allows them to commit thousands or millions of bogus transactions that are too small to easily notice.
Large-scale theft of customer data from companies such as Target or Home Depot gets all the headlines and consumer attention, but according to the Identity Theft Resource Center, there have been more than 8,000 data breaches covering more than a billion records since 2005.
As the technology to protect customer and bank data from fraud has tightened internal security, fraudsters are turning their attention elsewhere, directing their efforts towards endpoints such as customer home computers or mobile devices.
Device & Account Takeover
While DoS attacks against banks are common, deploying strong internal defenses is usually a matter of investing in the right infrastructure and properly configuring internal networks. So attackers will often ignore the big internal network and go after a more vulnerable spot. User-controlled endpoints are usually the weakest link in any corporate IT system. User error, phishing, or other vulnerabilities lead to compromised user accounts, PCs or mobile devices.
Device vulnerabilities can allow the installation of malicious code, the interception of information (including passwords and bank account information) via man-in-the-middle attacks, or the exploitation of well-known security flaws that have not been properly patched.
One of the solutions implemented by financial firms is more aggressive and complex forms of identity verification. Going beyond cookies, passwords and CAPTCHA, banks and other financial firms are adopting two-factor authentication, unique device ID schema and improved password challenge questions. This creates a more complex authentication procedure but also potentially more hurdles for a legitimate user to access his or her account.