The Defense Never Rests

May 10
Milan Patel, Chief Client Officer, BlueVoyant, and Nayan Patel, Vice President, Strategic Alliances, Open Solutions, Fiserv   

Cybersecurity: Account Takeovers and How to Prevent Them

Financial institutions are well aware of the risks posed by malicious cyber activity. However, because most of the activity takes place on underground forums and the dark web, few institutions recognize how rapidly the threat environment is evolving.

One of the most attractive opportunities for cybercriminals targeting financial institutions is gaining control of bank and credit union customer and member accounts. From 2016 to 2017, account takeovers tripled, according to a 2017 Javelin report, and losses from those incidents topped $5 billion, up 120 percent from the previous year.

Based on that trend and independent cybersecurity analyses from Fiserv partners, including BlueVoyant, we expect continued growth in account takeover attempts.

Here are three reasons for that prediction:

1. Cybercriminals have a mature and specialized ecosystem

Cybercriminals today are part of a highly organized global network. There are coders who develop malware, data miners who make sense of the stolen data for ease of sale, money specialists who identify ways to profit from the data and network administrators who manage compromised systems that spread malicious payloads. The ecosystem model means threat actors no longer need to manage the whole takeover on their own.

Some specialists even offer "as-a-service" bundles. There are marketplaces to sell tools and teach techniques, "libraries" and chat rooms to share information, digital wallets to store stolen funds, and even unofficial mediators to referee and adjudicate disputes.

2. Threat actors often opt for basic, low-cost tools

While sophisticated tools are readily available, many threat actors choose simple, inexpensive and effective methods.

For example, a fraudster may use a basic SIM-card swap – associating the attacker's mobile number with the compromised account – to fool a two-factor authentication scheme rather than using more technical methods such as SMS-grabbing malware. 

Likewise, automated tools now make it easier and faster for hackers to crunch through thousands of password combinations in basic brute force attacks. They often relay requests through open proxy servers so that each request appears to come from a different IP address, which helps them avoid being flagged or locked out by financial institution controls.
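The following added example (not part of the original article) shows why a per-IP lockout misses proxy-relayed guessing, while counting failures per account across distinct source addresses catches it. The event format, thresholds, account names and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 1, 1, 9, 0, 0)  # constructed start time

def build_sample():
    """Constructed login events: (timestamp, source IP, account, outcome)."""
    events = []
    # One account guessed once from each of 12 proxy exits (RFC 5737 test IPs).
    for i in range(12):
        events.append((T0 + timedelta(seconds=20 * i),
                       f"198.51.100.{i + 1}", "acct-1001", "fail"))
    # A real customer mistypes twice from one address, then logs in.
    for sec, outcome in ((30, "fail"), (45, "fail"), (60, "ok")):
        events.append((T0 + timedelta(seconds=sec),
                       "203.0.113.7", "acct-2002", outcome))
    return sorted(events)

def per_ip_lockouts(events, max_fails=5):
    """Per-IP control: flag an address after max_fails failed logins."""
    fails = defaultdict(int)
    for _, ip, _, outcome in events:
        if outcome == "fail":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= max_fails}

def per_account_alerts(events, window=timedelta(minutes=10),
                       max_fails=8, min_ips=5):
    """Flag accounts failing often from many distinct IPs within the window.

    Returns {account: time the thresholds were first crossed}.
    """
    recent = defaultdict(list)   # account -> [(timestamp, ip)] still in window
    flagged = {}
    for ts, ip, account, outcome in events:
        if outcome != "fail":
            continue
        hits = recent[account]
        hits.append((ts, ip))
        while ts - hits[0][0] > window:      # drop failures older than window
            hits.pop(0)
        if len(hits) >= max_fails and len({p for _, p in hits}) >= min_ips:
            flagged.setdefault(account, ts)
    return flagged

SAMPLE = build_sample()
```

On the constructed sample, the per-IP rule flags nothing because every address fails only once, while the per-account rule flags `acct-1001` on its eighth failure and leaves the mistyping customer alone.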

The Three Stages of an Account Takeover

Stage 1: Obtaining consumer login credentials

Methods include phishing, banking malware, brute force tools that target online banking platforms, and social engineering such as hoax phone calls in which hackers pretend to be financial institution representatives. Most of those attacks rely on human error – sloppy password practices, failure to notice subtle changes in a financial institution's URL and other social engineering practices that lure victims into opening an innocent-seeming email or downloading malware.

Stage 2: Accessing a compromised account and moving funds to a drop account

This requires circumventing financial institution security controls such as two-factor authentication and anomaly detection tools that block suspicious login attempts. Methods include SIM swaps (taking control of the legitimate client's phone number), associating rogue phone numbers with the bank account, social engineering, SMS-grabbing malware and cloning phone identifiers.

Stage 3: Cashing out

Methods include ATM withdrawals, purchasing digital currencies, transferring funds to online payment platforms, or buying goods or gift cards. Often, money is sent using mules, some witting and others not, to cover tracks and funnel the funds to the final drop account. After taking a cut, the threat actors in charge of the cash-out then dispense the funds to their clients.

3. Insiders may be working with threat actors

A growing number of threat actors claim to be working with insiders at financial institutions to facilitate the cash-out phase of an account takeover.

Typically, threat actors work with insiders to obtain customer logins that will make illegal withdrawals appear legitimate.

What You Can Do in Response

Beefing up basic security practices will help financial institutions thwart takeover activity.

In addition to training employees on smart password practices, financial institutions can mandate strict password-complexity requirements while using tools that make it easier for employees and consumers to manage and update passwords. It's also important to understand that security goes well beyond passwords and requires ongoing employee training and compliance testing across the organization.

In-app and in-platform security controls can help financial institutions reduce the risk of credential theft. Deploying anti-bot controls, such as CAPTCHA, and anomaly-detection security controls in all public-facing services can also limit risks. Those controls include anti-session hijacking, anti-caching, secure key generation and management, and end-to-end encryption.

Financial institutions are facing a growing number of cybercriminals with a greater range of tools and organized activity. A strong defense includes constant access to threat-intelligence services that can track criminal actors and their activity across the cyber underground and the dark web.

Two-factor authentication on login for all public-facing services is also crucial. Financial institutions can consider out-of-band, two-factor authentication, which sends the authentication request through a separate communication channel, rather than relying solely on SMS. A software token sent to an authenticator application on a consumer's smartphone, for instance, would render an attempted SIM swap useless. Biometric solutions and key fobs that generate random two-factor authentication codes are other effective methods.
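As an added example (not from the original article), the sketch below assumes the authenticator application implements time-based one-time passwords per RFC 6238, which the article does not specify. The code is derived only from a secret stored on the device and the current time, so control of the phone number gives an attacker nothing; the secret used in testing is the published RFC test key, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check that tolerates limited clock drift.

    Every candidate is compared in constant time, and the loop does not
    exit early, so timing does not reveal which step matched.
    """
    counter = int(unix_time) // step
    ok = False
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if c >= 0 and hmac.compare_digest(hotp(secret, c, digits), submitted):
            ok = True
    return ok

# Published RFC 4226 / RFC 6238 test key (not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"
```

A production verifier would also reject reuse of a code that has already been accepted within its validity window.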

Finally, financial institutions can regularly employ anti-money laundering monitoring activities and strictly enforce document authenticity verifications to prevent forged documents from being used to open drop accounts.

From our ongoing intelligence-gathering, it is clear financial institutions and others are becoming increasingly vulnerable to account takeovers. It's crucial to understand the evolving threat landscape and move quickly and concertedly to put appropriate protections in place.