Mobile banking cyber attacks are growing significantly. According to the Kaspersky Security Network, the online bank accounts of 249,748 unique users faced attempted malware infections in the first quarter of 2020. This malware is designed to steal money via online access to bank accounts. In addition to the malware, the company’s mobile products detected 42,115 installation packages for mobile banking trojans and 4,339 installation packages for mobile ransomware trojans.
Steve Wyers, Cyber Security Associate Consultant at ThreeTwoFour, says, while referring to the report, that mobile application threats increased threefold in mobile banking trojans in Q1 2020 compared to the previous quarter. Fraudulent mobile transactions from mobile apps also doubled in Q1 2020.
More recently, a Kaspersky press release of 2nd September 2021 reveals: “The number of users attacked with QakBot – a powerful banking Trojan, in the first seven months of 2021 grew by 65% in comparison to the same period in 2020 and reached 17,316 users worldwide, demonstrating that this threat is increasingly affecting internet users.”
Worryingly, ransomware attacks have become the fastest growing cybercrime, growing significantly during the Covid-19 pandemic. Charlie Osborne writes in her article for ZDNet, ‘The state of ransomware: national emergencies and million-dollar blackmail’, that the banking sector experienced the highest volume of ransomware attacks, declaring that it has been disproportionately affected with a “1,318% increase year-on-year in 2021.”
The threat to challenger banks, to traditional banks and to other financial services organisations therefore requires vigilance and preventative action to forestall any potential attack on the companies and their customers. Not even large banks such as Bank of America are immune to such attacks, and the European Banking Authority (EBA) was hit by a cyber-attack in March 2021 that targeted its Microsoft Exchange Servers.
“Bank of America’s chief operations and technology officer, Cathy Bessant, says the bank has boosted spending on cyber-defences in recent years to about $1 billion annually”, writes Ruby Hinchcliffe in her article of 5th May 2021 for Fintech Futures, ‘Bank of America CTO: Cyberattacks on banks “surged” during pandemic.’
Regarding the attack on the EBA, Finextra reports that Microsoft commented: “In the attacks observed, the threat actor used vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.” It also attributed the attack to Hafnium, a state-sponsored hacking group operating out of China.
Mobile app dependency
Speaking about challenger banks, Wyers comments: “Challenger banks are highly reliant on their mobile apps as the main way for the customer to interface with their services. These mobile banking trojans can facilitate attacks on online banking credentials by intercepting SMS messages, or even collecting two factor authentication codes from authentication apps.”
Referring to Hinchcliffe’s Fintech Futures article, Wyers says 74% of banks and insurers globally experienced a rise in cyber attacks since the beginning of the pandemic. Despite the increased threat, he reveals that cyber budgets were cut by almost a third in the last 12 months. Yet some banks such as Bank of America responded by sizeably increasing their cyber security expenditure.
So, are the challenger retail banks any more vulnerable than the traditional retail banks, and what are the key cyber security challenges they face? Interestingly, cyber attacks have impacted both traditional banks and challenger banks equally. The targets are whatever is deemed as being the simplest hit, using whatever tools or vulnerabilities are available.
Challenger banks are deploying innovative technology for their services. They are often mobile-first and also heavily reliant on cloud services. While these technologies bring significant benefits, Wyers says they introduce potentially new risks too. These include a lack of DevSecOps awareness, and unfamiliarity with cutting edge technology.
He adds: “Where traditional banks are still using mainframe infrastructure that is decades old, the technology is well understood and supply of cyber professionals to manage them, as well as larger cyber budgets, reduces technology risk somewhat.”
Innovation and cyber security
With challenger banks being widely considered as sources of innovation, particularly as many of them begin life as start-ups, you might expect them to have a grip on their cyber security. Yet that isn’t always the case. This means that a cloud-based secure development lifecycle has become increasingly integral to challenger banks. It requires the integration of static and dynamic application testing into software pipelines, developer secrets management, and privileged access management for cloud accounts.
Wyers believes these are an absolute priority. He adds that challenger banks “must also be able to deliver innovative products and services that are highly user-friendly and secure, but the security must not stifle the innovation.”
Like all financial services organisations, challenger banks need to consider regulatory compliance. One of the requirements of the European Union’s revised Payment Services Directive is the obligation for banks to share data with each other. There are nevertheless situations when data sharing is not mandated by law, and so he warns that financial institutions may end up sharing data anyway to participate in high-speed payment processing networks.
He explains: “This means the level of compliance may increase for challenger banks, as the single highly secure institution that may have been protecting data may now be sharing it with other organisations in the sector. Whilst the regulatory compliance creates a new challenge for the challenger banks, there are new opportunities to hold and process this data that may come indirectly from the revised Payment Services Directive.”
Any failure to achieve compliance with stringent cyber security can be a disaster for challenger banks. Unlike their larger and more traditional banking counterparts, they won’t have the capital to stomach any financial losses from a cyber attack, or the potentially huge fines for non-compliance with regulations. To prevent any such issues they can, however, put security measures in place, such as 3-D Secure, two-factor authentication, and strong password requirements for access to services, to greatly increase the security of banking applications.
They must nevertheless also consider what’s happening at the backend. This requires challenger banks to treat their customer data with care. Wyers explains: “Insecure remote access and other attack vectors could lead to breaches outside of the bank application ecosystem, and with the trend to be adopting new technologies, there must be a degree of diligence to safeguard all data.”
Immediate steps advised
He concludes with the opinion that challenger banks need to ensure that “their mobile applications are watertight, and their backend services, remote working capabilities and office and datacentre infrastructure are secure”. Over the next 5 years – in particular – they will need rock solid secure development lifecycle capabilities.