Every major breach targeting financial services organizations involves compromised credentials. Knowing this, one could argue that if an organization could ensure its credentials are never compromised, it could prevent a breach. But how do you know that a user's credentials are not compromised? The answer is that you can never be 100% sure. So, since you cannot prevent every breach, you should be prepared to detect and respond to breach activity.
Financial services organizations are especially attractive to attackers because they hold data that enables the theft of money, and this is not only credit card numbers. In the past ten years, we have seen thieves target databases and point-of-sale terminals to collect mass quantities of credit card data, as in the Jimmy John's and CVS Pharmacy data breach cases. As organizations become smarter about securing their PCI data and point-of-sale (POS) terminals, attackers are adjusting their attacks. Additionally, as banks and credit card companies move to chipped cards, thieves will adapt to these new layers of security as well. The industry needs to be prepared for the next evolution of attack methodologies that will target financial services.
In one example of adaptation, Nigerian "419" scammers have become smarter and adapted to an evolving world. I remember 10 years ago standing behind a lady at the Western Union counter at the grocery store. She was upset because she wanted to pull back a payment of $2,000 she had sent to Africa. She said that she had had several conversations via email with an individual who promised her money, but she realized too late that they were not trustworthy. Of course, Western Union was unable to pull the money back. The lady was distraught and near tears. I pulled her to the side and told her that she more than likely would never see her money again, but I advised her to contact the local FBI office and report the situation. Ten years ago, many email users, especially those new to email, were not aware of the threat that existed.
Today, the world (in general) is a little wiser. So, too, are the thieves. We all still get the mass money scam emails, and I doubt that these will ever go away. However, the scammers are now using more targeted social engineering campaigns against businesses to get funds wired through multiple banks. In two cases that happened very recently, a scammer sent an email to an executive of a company complaining that the wire transfer they were supposed to send had not gone through yet ("and what is the hold up!?"). The executive, seeing the spoofed "From" email address as legitimate, forwarded the emails to their finance department to get the wire transfers pushed through. In one case, close to $500K was transferred to overseas banks.
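The wire-fraud emails described above share a few observable traits: an executive's display name on an address outside the company, a look-alike sender domain, a Reply-To that points somewhere else, a message claiming to come from the company's own domain without a DMARC pass, and payment-urgency language. The following is an added example, not code from the original post, of a defender-side triage check over constructed messages; the company domain `example-bank.test`, the executive names, the headers, and the "hold for out-of-band verification" threshold are all assumptions.

```python
"""Triage inbound e-mail for executive-impersonation wire-fraud indicators.

Hypothetical defensive check (not from the original post). The organization
domain, executive names and the two sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-bank.test"                  # assumed company domain
EXECUTIVES = {"jane doe", "john smith"}           # assumed executive display names
URGENCY_WORDS = ("wire", "transfer", "hold up", "urgent", "immediately")
HOLD_THRESHOLD = 2                                # assumed policy: hold at 2+ indicators


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains signal look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw: str) -> dict:
    """Return the sender, an indicator count and the human-readable reasons."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Known executive's name, but the address is not on the company domain.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")

    # 2. Sender domain is a near-miss of the company domain (e.g. l -> 1).
    if domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append("look-alike sender domain")

    # 3. Replies would go to a different domain than the one shown in From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")

    # 4. Claims to be internal, but the gateway recorded no DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("claims internal domain but DMARC did not pass")

    # 5. Payment-urgency language in subject or body.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("payment urgency language")

    return {"from": addr, "score": len(reasons), "reasons": reasons}


def should_hold(result: dict) -> bool:
    """Assumed policy: hold the message for out-of-band verification."""
    return result["score"] >= HOLD_THRESHOLD


# Constructed sample: impersonation of an executive from a look-alike domain.
SPOOFED_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-bank.test>
Reply-To: Jane Doe <jdoe@mail-relay.test>
To: finance@example-bank.test
Subject: Re: wire transfer
Content-Type: text/plain

The wire transfer you were supposed to send has not gone through yet - what is the hold up!?
"""

# Constructed sample: legitimate internal message with a DMARC pass.
LEGIT_SAMPLE = """\
From: John Smith <john.smith@example-bank.test>
To: finance@example-bank.test
Subject: Q3 budget review
Authentication-Results: mx.example-bank.test; dmarc=pass
Content-Type: text/plain

Please send the updated budget deck before Friday.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_SAMPLE, LEGIT_SAMPLE):
        r = assess(sample)
        print(r["from"], "score", r["score"], "hold" if should_hold(r) else "deliver")
        for reason in r["reasons"]:
            print("  -", reason)
```

The score is deliberately a count of independent indicators rather than a single keyword match: urgency language alone appears in plenty of legitimate finance traffic, but urgency combined with a look-alike domain or a mismatched Reply-To is what separates these campaigns from normal mail. A real deployment would feed the held messages to a callback-verification step with the executive, over a channel the attacker does not control.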
As long as money is a motivating factor for hackers, attackers, scammers, and thieves, the financial services industry will be continuously targeted. New processes and technologies emerge to defend against and detect attack attempts, but the bad guys will continue to innovate and re-engineer their own processes and technologies to steal data. Join me on Tuesday, September 29th at 2:00 pm ET for the webinar "Financial Services: Time to give risk management a voice in cyber security" to learn about implementing a risk management and defense-in-depth strategy that helps financial services stay ahead of the adversary.