Bank employees, not customers, are now the main target of financial cyber attacks, according to the FBI.
In a warning issued earlier this week, it said the latest trend by cybercriminals is to get employee login credentials, using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RAT).
And the best way to fight it? That leads to the ongoing debate over training vs. technology. While most security experts say both are necessary, and the FBI provides a list of training recommendations and policy protocols to keep employees from giving up the keys to the financial kingdom, some experts like George Tubin, senior security strategist for Trusteer, say improved technology is the only effective solution.
“Part of the solution is training,” he said. “But we’ve been talking about this for so long, trying to educate customers and employees. It has become one of those battles I don’t think we’re going to win.”
“Some of the ploys are so good they could fool almost anyone — very sophisticated schemes like web injections and email from friends that lead you to open an attachment. The real answer comes in automated technology, to make sure people don’t respond to those things,” Tubin said.
He also noted that the trend toward employees working at remote branch or at home, the BYOD (bring your own device) trend and being allowed to surf the web off the corporate network “makes them extremely vulnerable.”
Brian Berger, vice president at Wave Systems, agrees. “Users are going to be users no matter how strong the security awareness education is, so it is critical that organisations have a counter measure in place to help mitigate threats like these,” he said. “Specifically, hardware authentication through the Trusted Platform Module (TPM) makes it so the criminals couldn’t penetrate even if the employee had a misstep.”
Kevin Flynn, a senior product manager at Fortinet, compares training to driver education for teens. “Drivers Ed may help reduce accidents but it doesn’t necessarily make teenagers safe drivers,” he said. “Security belongs in the network.”
However, Scott Greaux, vice president product management and services at PhishMe, said, “Education is an organisation’s best defence against these threats but those efforts need to break away from the traditional security awareness model and employ creative and immersive education techniques such as mock phishing exercises that both improve awareness and increase retention.”
Greaux doesn’t rule out better technology as a factor. But he said the human element can heighten security in protocols. “Financial institutions should implement a mix of random and threshold based reviews for all wire transfers,” he said. “This will add an extra layer of human interaction with transactions making it more challenging to fraudulent transfers to go unnoticed.”
The potential damage from stolen credentials is obvious. With that information – especially if they have the credentials of more than one employee — criminals can access the accounts of any customer. The FBI did not name any specific banks, but said that “small-to-medium sized banks or credit unions have been targeted in most of the reported incidents.”
However, the agency did say a few large banks have also been affected. In those cases, the criminals were able to conduct unauthorized wire transfers overseas. The FBI said the amounts have ranged between $400,000 and $900,000. And in at least one case, “the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer.”
But the damage goes beyond monetary. It is one thing for a customer to be hacked or fall for a malware scam, but Tubin said it was “totally different” for a financial institution itself to be compromised. “The damage to the reputation of a large institution could be devastating. That’s the last thing a bank needs is to be compromised.”
No matter how good the technology, the FBI recommends a number of basic precautions that financial enterprises should take. Among them: Remind employees not to open attachments or click on links in unsolicited emails; do not allow employees to access the Internet freely, or personal or work emails on the same computers used to initiate payments; do not allow employees to access administrative accounts from home computers or laptops connected to home networks; and ensure employees do not leave USB tokens in computers used to connect to payment systems.
Financial institutions should also monitor employee logins that occur outside of normal business hours; implement time-of-day login restrictions for the employee accounts with (access to payment systems; and restrict access to wire transfer limit settings, the FBI said.
Roger Thompson, chief emerging threats researcher at ICSA Labs, doesn’t debate training vs. technology. He says both are critical: “The best way to do security is think Swiss cheese. Any given layer has lots of holes in it, but if you arrange your cheese slices in layers, they cover up each other’s holes. In other words, no one layer has to be anywhere near perfect, provided there are enough layers.”