As the Attack Economy Grows in the Financial Services Industry, Automation of Access Management Tightens Security While Streamlining Operations
By: Damla Cessur
Jesse James was once asked why he robbed banks, and infamously answered “Because that’s where the money is.” When it comes to incentives for internal actors to steal sensitive information and data, the big money is still in financial services organizations, which is part of the reason banks, credit card issuers, credit unions, lenders, brokerages and other companies in one of the world’s largest industries are increasingly budgeting for security solutions.
“The attacks and tools being used against financial services organizations are part of a complex ecosystem,” wrote the editor of Akamai Research’s “Attack Economy” report, adding “Rarely does a week go by without news of a data breach, and, inevitably, compromised accounts. Many of the usernames and passwords gained from these attacks end up in large “dumps” that are bought, sold, and traded to fuel new attempts to compromise sites.”
In this annual study, Akamai starts with passwords as the point of the spear, then follows the data through a complex web of what they call the “criminal economy,” where the ultimate goal is “transferring money from the target to the pocket of criminals.”
The financial services industry is based on trust and security, and a successful attack equals access to highly valuable information that criminals can use for their own gains (directly stealing money) or can sell to other criminal organizations. “Criminals targeting the financial services industry do so by leveraging various attack surfaces, such as people, processes, applications, or systems,” the report says, and very often it is the lack of password management that makes companies most vulnerable.
“Passwords are both a single point of failure and the key method of identification on networks around the globe, and have been for centuries,” Akamai says, citing the “watchwords” Roman soldiers used to secure physical areas, and noting the breakthrough of computer passwords as part of the Compatible Time-Sharing System (CTSS) developed at MIT in the 1960s.
Fast forward fifty years and Akamai, which tracks and analyzes breaches, says “passwords are still at the root of many problems faced by enterprises today, including those in the finance sector.”
Over the years, organizations have relied on password policies that are too complex, such as requiring long strings of characters, numbers, and letters that are forcibly changed every so often.
This leads to instances where credentials are easily guessed, or worse, easily obtained thanks to poor storage and management, because passwords were either written down or recycled across a number of domains and services. End users don’t fare any better for nearly the same reasons.
Passwords are a double-edged sword, and managing identity is getting more difficult every day. There are gaps in identity policy that criminals seek to exploit, and it’s in these gaps where the criminal economy thrives.
Globally, when it comes to malicious logins against financial services organizations, the United States took the top spot, followed by China, Malaysia, Brazil, and Germany to round out the top five.
And the top five categories within the broad financial industry landscape associated with breaches were:
- Banking Cards & Payments
- Insurance Exchanges
- Asset Management Information Services
- Forex FinTech Lending
- Brokers & Traders
While the Akamai report is extensive and covers many aspects of threats, they call out credential abuse as a major challenge, including when APIs are in place as part of login applications. “Financial institutions use the Open Financial Exchange (OFX) protocol to handle data, either among themselves or to deliver the data to a third-party application,” the report calls out, saying “OFX has been around since 1997. While the standard has moved up to version 2.2, many organizations are still processing data on the older, less secure, 1.x version. In 2006, OFX version 1.0.3 added basic multi-factor authentication, such as follow-up questions like a customer’s mother’s maiden name, birthplace, first job, etc. While it was a step in the right direction, it wasn’t a foolproof protection scheme.”
How Do Criminals Benefit?
The Security Economy is much more robust and institutionalized in its own way, especially in the financial sectors. “Bank drops” are packages of data and services that can be used to open accounts at a given financial institution, for example. Some “sellers” in this darknet criminal marketplace will create and develop the bank drop for the buyer with the required details or services, while others will simply provide the information needed, leaving the buyer to “add value.”
“Bank drops” include a person’s stolen identity (sometimes called “fullz”), including full name, address, date of birth, Social Security number, driver’s license data, credit score details, and access to a secure Remote Desktop Protocol (RDP) connection for one month.
This year, Akamai says, drops at two major banks were selling for $150, $200, and $250 per account.
“A criminal with a series of drops can use them to launder money,” the report explains. “However, because of strict reporting and security rules at many financial institutions, this aspect of a drop isn’t as common as it once was. Instead, criminals will funnel their money into digital currency and use web-based cleaning services before slowly cashing out into a drop account.”
Ironically, the same banks criminals target are often the same banks they use to handle their financial gains. But with more attention being paid to the problem and more safeguards being put into place, the world’s financial leaders are spending billions on security each year in the aggregate, and it is having an impact. They realize they cannot stand by and hope the latest criminal ring’s luck runs out.
Internal Threat Countermeasures: Privileged Access Management and Automation
Ironsphere offers layers of security solutions for financial institutions, protecting some of the largest global banks in the world.
In addition to our Privileged Access Management platform – which is the easiest to implement and least costly to maintain, with flexibility and cloud-native features built in – we are helping firms with several advanced innovations including:
- Dynamic Password Controller, a password vault which stores and rotates SSH keys and passwords of privileged accounts (admin, system, root, etc.) centrally and securely. Users log in with their personal accounts, check out the credential of a privileged account and then use it to connect to target endpoints. Dynamic Password Controller generates searchable log records and audit trails to meet security and compliance requirements.
- MFA Manager, which adds layers of authentication integrating mobile device, geolocation, and time. Even if an employee account is stolen, it is still not possible to access the enterprise’s critical assets and resources unless the employee’s account and mobile phone are both stolen at the same time. Even if the password is weak or has not expired, the login is far more secure with MFA token verification, which eliminates password sharing and auto-locks user accounts when an employee is terminated.
- Privileged Task Automation Manager, which simplifies and automates daily routine tasks and provides a smart programmable interface that supports pre-check, execute, post-check and roll-back steps. This popular visual, flexible, agile platform for troubleshooting automation combines automated scripts and IT tasks with human interaction, improves the incident management process and reduces downtime, reducing operational costs and improving operational efficiency.
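The check-out model described for the password vault above, as an added illustration (this is not Ironsphere’s code, and the class and method names, the lease and rotation policy, and the sample account “root@db01” are constructed for the example): a personal user leases a shared privileged secret for a bounded time, every action lands in a searchable audit record, and the secret is rotated on check-in and when it exceeds a maximum age, so a copied credential stops working soon after the session that used it.

```python
"""Illustrative privileged-credential vault: check-out, lease, rotation, audit trail.

Added example, not Ironsphere's code. CredentialVault, its methods, the policy
values and the sample account name are all constructed for this illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PrivilegedAccount:
    name: str                  # shared account, e.g. "root@db01" (constructed sample)
    secret: str                # current password or key material
    rotated_at: float          # epoch seconds of the last rotation
    checked_out_by: Optional[str] = None
    lease_expires: float = 0.0


@dataclass
class CredentialVault:
    accounts: Dict[str, PrivilegedAccount] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)   # searchable log records
    lease_seconds: int = 900            # how long one user may hold the secret
    max_age_seconds: int = 86400        # rotate on check-out if older than this

    def _log(self, event: str, user: str, account: str, now: float) -> None:
        self.audit.append({"ts": now, "event": event, "user": user, "account": account})

    def add(self, name: str, secret: str, now: float) -> None:
        self.accounts[name] = PrivilegedAccount(name, secret, now)

    def check_out(self, user: str, name: str, now: float) -> str:
        """Lease the shared secret to a named personal user; the name goes in the audit trail."""
        acct = self.accounts[name]
        held_by_other = (acct.checked_out_by not in (None, user)
                         and acct.lease_expires > now)
        if held_by_other:
            self._log("checkout_denied", user, name, now)
            raise PermissionError(f"{name} is leased to {acct.checked_out_by}")
        if now - acct.rotated_at > self.max_age_seconds:
            self.rotate(name, now, by="policy")   # stale secret: rotate before handing it out
        acct.checked_out_by = user
        acct.lease_expires = now + self.lease_seconds
        self._log("checkout", user, name, now)
        return acct.secret

    def check_in(self, user: str, name: str, now: float) -> None:
        """Release the lease and rotate, so the secret the user saw is no longer valid."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError("only the lease holder can check in")
        acct.checked_out_by = None
        acct.lease_expires = 0.0
        self._log("checkin", user, name, now)
        self.rotate(name, now, by="checkin")

    def rotate(self, name: str, now: float, by: str) -> None:
        acct = self.accounts[name]
        acct.secret = secrets.token_urlsafe(24)   # new random credential
        acct.rotated_at = now
        self._log("rotate", by, name, now)

    def who_used(self, name: str) -> List[str]:
        """Answer the audit question 'who has checked out this account?'"""
        return [r["user"] for r in self.audit
                if r["account"] == name and r["event"] == "checkout"]


def demo() -> List[dict]:
    """Walk one session through the vault and return the audit trail it produced."""
    vault = CredentialVault()
    vault.add("root@db01", "initial-secret", now=1000.0)
    vault.check_out("alice", "root@db01", now=1000.0)
    try:
        vault.check_out("bob", "root@db01", now=1100.0)   # denied: alice holds the lease
    except PermissionError:
        pass
    vault.check_in("alice", "root@db01", now=1200.0)      # releases and rotates
    return vault.audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The point of attributing every record to the personal user rather than to the shared account is what makes the trail useful for an investigation: the shared "root" login is the same for everyone, but the check-out event says who held it during the window in question.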
Our customers appreciate security solutions that scale to meet new demands as the incentives for internal threats, and for the external attacks made possible by weak credentials, keep growing. A growing attack surface is driving a growing awareness of the need for software and cloud solutions, and adoption of Ironsphere’s modern, real-time, software-defined approach.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step between entering a username and password, for example, then entering a one-time security code sent to a mobile device – to access applications, systems and data.
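The one-time code step just described is usually a time-based one-time password (TOTP, RFC 6238). As an added example, not code from the page or from Ironsphere, the following verifier shows the two checks a server must make beyond "does the code match": tolerate a small clock drift window, and refuse a code that has already been accepted, which is the difference between a second factor and a replayable password. The class and method names and the sample user are constructed; the secret key used in the test is the public test vector from RFC 4226/6238.

```python
"""TOTP (RFC 6238) second-factor verification with a drift window and replay protection.

Added example; not from the page or from Ironsphere. TotpVerifier, enroll,
verify and the sample user "alice" are constructed for this illustration.
"""
import hashlib
import hmac
import struct
from typing import Dict


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (at // step)."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code; one enrolled key and one 'last used' marker per user."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}   # highest time-step already accepted

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key
        self._last_counter[user] = -1

    def verify(self, user: str, submitted: str, at: int) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        counter = at // self.step
        # Accept the current step and +/- window steps to absorb clock drift.
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter[user]:
                continue   # replay: a code from this or an earlier step was already used
            expected = hotp(key, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector key; the time values are the RFC's own.
    key = b"12345678901234567890"
    v = TotpVerifier()
    v.enroll("alice", key)
    code = totp(key, 59)
    print(code, v.verify("alice", code, 59), v.verify("alice", code, 60))
```

Note that the replay marker is per user and monotonic: once the code for step N is accepted, codes for steps N and earlier are rejected even though they are still inside the drift window. Without that marker, a code captured by a phishing page or a shoulder-surfer stays valid for the whole window.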