Cyber Security

Top 5 Cyber Threats Facing Banks in 2020

With all the cyber threats that exist today, banks are more vulnerable than ever to becoming the next victim of a malicious cyberattack. With the growing list of fintech solutions offered in banking and the most recent Cloud Hopper investigation released by WSJ, 2019 was an early indicator of cyberthreats still to come in the year ahead.

According to a new report released by the Federal Reserve Bank of New York, just a single cyberattack targeting one of the largest U.S. banks would likely have a major ripple effect on the global financial system. Even today, with a growing awareness of the cyber-risks involved in a banking sector driven by technology, there’s a greater risk facing banks than ever before.

With all this in mind, here are the top five cyber risks every financial institution should be prepared to defend against in 2020.

1. Credential Stuffing

Credential stuffing is a type of cyberattack that usually targets the personal data of banking customers. Using stolen account credentials, hackers can gain unauthorized access to user accounts using automated large-scale login requests. The stolen information can then be used to bombard websites and servers in order to try to gain access to critical IT infrastructure. This practice is known as credential stuffing.

List of keys and logins are often obtained via the dark web and allows hackers to save lots of time by avoiding the need to play the password guessing game.

“There is an automated process where the hacker can log thousands to millions of breached passwords and usernames using standard web automation tools,” says Brian Brannon, VP of security product strategy for Safe Systems, an IT security firm that works with community and small banks.

Credential stuffing differs from a brute force attack because in credential stuffing operations attackers are often using usernames and passwords that are known to have been good at some point or another. For banks, credential stuffing is an emerging and credible threat that will only get worse as the number of data breaches increases.

2. Cloud Providers

Cloud services come in very useful by helping banks offset IT expenses, boost system uptime and ensure their data is being stored safely. But the promises of the cloud have come with a few hard-earned lessons when it comes to customer data and security.

With so much information stored on the cloud, particularly for the use of public services, cloud providers have become easy targets for malicious attackers looking to gain access to financial institutions. To get a clearer picture of the problem, consider that over 1.4 billion records were lost to data breaches in March 2017 alone –– many of which involved cloud servers.

With the Wall Street Journal’s recent release of their investigation into the global hacking campaign known only as ‘Cloud Hopper,’ the true depth of the risks associated with compromised cloud data couldn’t be more evident, or alarming.

For the Cloud Hopper attack, hackers known as APT10 gained access to cloud service providers, where companies believed their data was being safely stored and protected. Once in, the hackers freely and anonymously hopped from client to client, evading investigator’s attempts to eliminate them for years.

According to WSJ, the attack went far beyond the 14 companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group Inc., Tieto Oyj, and International Business Machines Corp.

To make things worse, investigators said many major cloud companies stonewalled clients as to what was happening inside their networks. Contrary to what many bank executives might think, the sole responsibility for protecting corporate data in the cloud lies with the cloud customer, not the service provider. Hence, no cloud provider is legally or contractually obligated to ensure the safety of customer data –– as much as they may promise to do so.

3. Phishing Attacks

Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. But lately, there’s been an increase in phishing attacks targeting bank employees. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack.

An attack can have devastating results on a business –– especially a financial institution like a bank. Phishing can be used to gain a foothold in a network as a part of a larger attack like an advanced persistent threat (APT) event. In this scenario, an employee is compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

With access to an employee’s email account, cybercriminals can read a bank’s sensitive information, send emails on the bank’s behalf, hack into the employee’s bank accounts, and gain access to internal documents and customer financial information. This can result in millions of dollars worth of damage in both financial and reputational risks for the institution and its employees.

4. Ransomware

Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments totaling $130,700.

Although ransomware has costs businesses more than $75 billion per year in damages (Datto), ransomware still remains one of the most common forms of cyberattack. Banks remain top targets for ransomware attacks, as cybercriminals follow the money for big payoffs. According to a Kapersky Labs report, cybersecurity statistics show attacks were launched from within more than 190 countries, with financial services the second most targeted industry after healthcare.

Successful ransomware attacks, especially on smaller banks, are the result of a lack of IT resources, outdated security tech and protocols, and inadequate endpoint cyber-protection. To help protect themselves against ransomware, financial institutions should place many uniquely-tailored protection layers throughout their networks –– each one acting as an obstacle to block malicious software attacks.

5. Internet of Things (IoT) Exploitation

While a majority of exploitation attempts stem from software vulnerabilities, they can just as easily begin from vulnerable pieces of hardware. Anything from an employee device to a router connected to an unsecured network can put an entire organization’s digital infrastructure at risk

For many CISOs, this may sound like preaching to the choir –– but unbeknownst to many is how easily exploitable their IoT devices are since they’re often not required to have the same level of security scrutiny as computers. Unsecured IoT devices, such as, home routers, printers, and IP cameras are all vulnerable to attack. 

As institutions continue to connect more gadgetry to the internet, the number of potential security weaknesses on their networks are also more likely to increase. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Once they have an entryway from an IoT device, they have full access to the entire network, including all customer data. 

Today’s hackers also have the unfavorable ability to easily exploit a bank’s API system since many legacy APIs weren’t designed with the cloud in mind. This leaves many systems vulnerable from the get-go –– and open banking has just been making the problem worse.

What Banks Can Do

If after reading this article, you’re starting to doubt the security of your organization’s IT structure, know you’re not alone. Here are just a few methods you can adopt in order to create a more safe and secure digital landscape and defend against potential cyberthreats.

1. Assess Your Cloud Security

Regularly review your cloud infrastructure to ensure it’s up to date. Assess your cloud security’s current state compared to security benchmarks, best practices and compliance standards.

2. Monitor Your Cloud Security

Use a vulnerability management tool to help you automate threat detection and protect against potential threats before they become a problem.

3. Establish Strict Access Management Policies

By only providing access permissions to employees who require it, you’re ensuring your organization is well-protected from within –– especially if you employ contractors or part-time workers.

4. Establish a Disaster Recovery Plan

Having a plan in place helps you avoid data loss and allows your to minimize downtime after a disruption. This only works if you backup your data regularly and often.

5. Encrypt Your Data

Encrypting your data cryptographically, and protecting the cryptographic keys to that kingdom, ensures your most sensitive digital assets are always protected –– even if your IT structure is critically compromised.

Want to learn more on cyber threats and Hub Security? Leave your details and we will get back to you shortly


FBI Warns Against IoT Vulnerabilities

In the not-that-unlikely chance a business’s network is compromised, their entire infrastructure is at risk of exploitation. Gaining access to high-risk digital assets can lead to devastating revenue damages –– which is nothing to take lightly.

EY Focuses on Blockchain Security with Launch of Smart Contract Analyzer

rnst & Young (EY) launched its token and smart contract review service. The tool will allow companies and individuals to evaluate smart contracts and tokens for known security risks.

State Street Turns to Tokenization in an Unguarded Digital Era

In a recent survey by the quantitative analysis firm Oxford Economics, 94 percent of State Street clients hold digital assets

Hub Security HSM & Mini-HSM Demo

Live HSM and minihsm video demo

December 2019 Newsletter – Subscribe!

Our December Newsletter is live! Subscribe to follow our product, updates, events and cyber security news.

Here are the highlights:

Blockchain & Key Management: Trending

With increasing movement towards blockchain platforms by banks and financial institutions, there is a rise in key management hacking. The Hub Security team weighs in:

Tamper Proof HSM – New Video!

Our latest product video is live! Watch our new self-destructing chip go up in flames when there is an attempt to tamper with it.

HUB’s APAC Team @ CyberTech Tokyo 

Our APAC team, along with CEO Eyal Moshe, exhibited at CyberTech Tokyo, a great event and venue to meet new & existing clients. The energy on the floor was palpable as this space continues to heat up.
Meet us at CyberTech Tel-Aviv in Jan 2020!

We Are Hiring!

We are looking for a new PPC manager to join the team. Click for details.

Subscribe to our Newsletter for Hub updates, events and industry news!

To learn more on HUB Security solutions for digital assets and key management or submit details below.





Request a Demo









Digital Asset Alert: HK SFC Issues New Regulations

The Hong Kong Securities and Futures Commission (SFC) issued a position paper Nov. 6th defining a new regulatory framework for virtual asset trading platforms. In it, they outlined the parameters under which VSTs would be eligible to apply for a license from the SFC. Virtual asset trading platforms are platforms that offering trading of security tokens.

A virtual asset is a digital representation of value. Also known as a cryptocurrency, a crypto-asset or a digital token, the estimated total market value of virtual assets is now between $200-300 billion. As of November 2019, there are over 3,000 digital tokens and 200 virtual asset trading platforms.

Now the SFC adopted a new set of regulatory standards for virtual asset trading platforms similar to those applicable to licensed securities brokers and automated trading venues. The standards were passed in order to address key regulatory concerns surrounding the tokenization of digital assets. Of primary concern to regulators are the safe protection of assets, KYC requirements, anti-money laundering, and terrorism counter-financing.

Photo – Rikki Chan

According to the position paper released this month, the SFC will only grant licenses to platforms that are capable of meeting the standards outlined by their committee. While enthusiasm for ICOs waned throughout 2019, other forms of virtual asset fundraising hold continued buzz. Securities such as STOs are typically structured to provide the same features as traditional securities, but also involve digital proof of asset ownership using blockchain technology.

“Regulators need to be open to the benefits of innovation, but they should also be ready to tackle the risks to investors which some financial technologies give rise to,” said Mr. Ashley Alder, the SFC’s Chief Executive Officer.

As part of the newly announced regulations, the SFC also made it clear that virtual assets traded on licensed platforms will not require compliance with the same set of financial regulations as traditional security offerings.

Additionally, the SFC issued a warning to investors regarding the high risks associated with purchasing virtual asset futures contracts, citing their unregulated nature and security vulnerabilities. While this warning served largely as a side note to the excitement surrounding the announcement, investors and digital asset owners alike likely still have a long way to go before these concerns can be fully addressed and their digital assets safeguarded.

To learn more on HUB Security solutions for digital assets and key management or submit details below.

Request a Demo





The Rise of Blockchain Banking

As the financial industry begins its long-awaited move to adaptive blockchain technology, many banks are becoming increasingly open to the use of crypto-based solutions for digitizing assets. It’s no secret the future of banking is digital for many financial institutions looking to modernize their product offerings. It even appears likely we’re headed toward an era of national digital currencies backed by central banks. Hats off to Mike Orcutt.

But HSBC’s decision to be the first financial institution to move $20 billion worth of assets to a blockchain platform is possibly enormously rewarding––– or risky. While the future of blockchain-based platforms such as HSBC’s Digital Vault looks promising, security experts voice growing concerns over the management of such large amounts of digital assets.

While the rise in usage of blockchain technology has made financial asset management more transparent and accessible, the crypto world has seen its fair share of threats over the past decade. From Binance to Bitpoint to Quadriga’s wild story, the industry’s shift in reliance on the blockchain has its own perils.

Blockchains are particularly attractive to hackers since once they gain access to the private keys it’s game over and fraudulent transactions are very difficult to reverse(if at all). While blockchains have unique security features, they also have their unique vulnerabilities. As banks expand their digital solution, they will continue to face continuous ongoing threats to their blockchain infrastructure. As long as vulnerabilities as these exist, banks must learn to embrace innovative solutions that can keep their most sensitive assets secure.

 

Today we know that marketing tactics which branded blockchain technology as unhackable were simply misleading ––– and wrong. In total, since the beginning of 2017, hackers have stolen nearly $2 billion worth of cryptocurrency, mostly from exchanges, and that’s just what’s revealed publicly. Contrary to popular belief, these attackers aren’t just lone opportunists either, they’re sophisticated cybercrime organizations. According to Chainalysis, just two of these groups, both of which are still active today, have stolen a combined $1 billion from exchanges.

Whether the future of banking relies on the blockchain or paper-tracking is still up for debate. But if history teaches us anything, it’s that we’re still not out of the woods when it comes to protecting our most sensitive piece of data. Even if we’re HSBC. 

 

To learn more and schedule a live demo with Hub Security, submit your details below.

 

Request a Demo





We’re Hiring: PPC Manager

Hub’s marketing is growing! We are looking for a B2B PPC/marketer to join our team!

The right candidate will be joining the growing marketing team, based in Tel-Aviv and marketing a unique and exciting cyber security product!

The right candidate should be:

  • B2B and technical oriented
  • experienced in PPC, Campaign management, linkedin marketing
  • CRM, email marketing, marketing automation – advantage
  • Tech/Startup experience – advantage
  • 2-3 years experience

For more details fill the form bellow.


Do One-size-fits-all Key Management Solutions Really Work?

We wrote earlier this week about key management, and how today’s solutions fail the little guy. On top of their high price points, inaccessible installation and overly complex management –– today’s cyber solutions from giants like Amazon, Microsoft and Google often fall short for mid-tier companies. Which doesn’t really make them solutions at all. As Biggie would say, just mo’ problems. For many 2nd and 3rd tier players, what they really need is pretty straightforward: a simple, affordable way to protect their most valuable digital assets.

In the (really) tiny corner of the world that is key management, most products out there are designed as one-size-fits-all solutions. Like those pants you bought on Alibaba, there’s just no guarantee they will fit. Maybe your hips are a bit wider, your legs a bit longer –– whatever it is, they were obviously not designed for you. So why wear them?

Without coming down too hard on the big retail, my point is: you still need pants. That’s kind of what it’s like for most mid-tired companies. Except in this scenario, many of these businesses also losing out on a ton of money on lost profitability. With products they can’t protect without losing an arm and a department, they sit unused –– a lost revenue stream that won’t ever see the light of day.

It’s almost revolutionary to think that a solution should be simpler. Like when Steve Jobs packed over 10,000 mp3 filed into a handheld iPod Mini. It killed the walkman. And that’s what our team at Hub Security has set out to do: be revolutionary. We’ve built a solution that is accessible, affordable and adaptable to any-sized business.

                                       

With the HUB platform, administrators can define customer policies and permissions and custom build an internal key management system that works for them. Like Lego pieces, HUB’s platform is built to grow at scale –– developing with you, as you develop your business. See? Like I said, revolutionary. With a low-barrier of entry, a relatively low price-point and 24/7 support, first-tier cloud providers have nothing on us.

Want to learn more? Check out the HSM device for yourself? Reach out to us at sales@hubsecurity.io or leave your details below        





Request a Demo






Scroll to top