This is a guest post contributed by Dr. Shane Shook, Chair of the Technical Advisory Board at Cylance, Inc.
Financial services institutions are a natural target for cyberattackers given that they manage the resource many hackers value most — money. That is why it is surprising to some that securing financial services’ complex infrastructure comes down to an essential concept — know your customer.
“Know Your Customer” is a regulatory and legal requirement that helps banks, insurers and other financial institutions establish the identity of the client with whom they are dealing. It is important to clarify what “customer” means in this case: there are individuals (regular consumers like you and I that have bank accounts) and entities (e.g., commercial clients, or other entities connected with high-risk financial transactions). Verifying the credentials of both types of customers presents different challenges, but the risks associated with not accurately identifying the customer — financial fraud in the form of money laundering or outright theft — are the same.
Banks and other financial services institutions employ risk management technology and processes to authenticate the identities and corresponding credentials of counterparties in transactions; however identities can be stolen or impersonated. Sometimes hacking facilitates social engineering techniques to assist with impersonation. Hacker tools such as malware support coordinated theft and fraud.
In financial services, there are two types of prominent malware employed:
1. Business interruption – DDOS, or distributed denial of service, is a coordinated attack where many compromised systems target a single system (e.g., using a network of computers to crash a website). When authentication services are targeted, banks revert to call centers that are susceptible to social engineering.
2. Credential manipulation – Relying on man-in-the-middle (MITM) attacks to impersonate the customer and gain fraudulent access to trading and bank accounts via stolen bank login data and other authenticating credentials. These may be phishing emails that direct users to fake bank (trading, insurance, etc.) websites where credentials are stolen; or may involve “information stealer” banker Trojans that infect end-user computers and mobile devices.
Practically all financial services institutions employ identity integrity policies (e.g. two-party integrity checks for institutional transactions, as well as challenge questions for individual transactions). Translating those techniques to transactions on a consumer level (e.g., an ATM withdrawal, making an online transfer from savings to checking or automated bill payment to an insurance provider) presents several obstacles though, including timeliness of the transaction to meet customer demands while also ensuring identity integrity. This is compounded by the vast number of venues in which cyber attackers could utilize stolen credentials, from international wire transfers to equity trades, or FX conversions. Even with trust mechanisms in place, such as SSL certificates, two-factor authentication tokens, CAPTCHA content and challenge questions, banks and securities exchanges can only possess a certain amount of confidence that they are indeed transacting with the intended, authorized party. An unfortunate fact is that many people use the same credentials for different financial institutions’ web services — invalidating some of the institutional protections. Ultimately it comes down to users’ own ability to protect their identity.
The infamous GameOver Zeus (GOZ) botnet (recently taken down in a joint industry and law enforcement effort) is a prime example of financial services institutions’ inability to know their customer with 100 percent certainty. This sophisticated malware tool, which records keystrokes to capture exactly what login credentials users entered in bank/insurance/trading accounts, was programmed with one nefarious intent — to steal authentication information, and in turn facilitate identity and financial fraud. Having infected more than 1 million computers globally — 25 percent of which were located in the U.S. — GOZ is estimated to be responsible for more than $100 million in financial theft worldwide. Other types of financial fraud such as money laundering or FX and trading impacts are yet to be determined.
It is largely in the Western world, however, that PCs are the main access point to bank and trading systems. Much of the theft and fraud being committed in the global financial services market is on mobile devices, particularly in the Middle and Far East regions, where smartphones are a more affordable option than computers. Banking Trojans, which are deployed via social media platforms and other means, have quickly grown as a mobile malware threat for Android-based devices (which are currently the primary target due to their widespread adoption and relative vulnerabilities in the Android Operating System and applications). Cybercriminals have adapted techniques developed in PC compromises (DDOS and MITM), such as the deployment of mobile malware to swap out official online banking apps with near-identical but malicious copies.
Beyond the security risks that accompany computing devices, bitcoin and other cryptocurrencies are introducing a whole new facet to challenges in the financial services industry. Many of these challenges stem from a lack of regulation in alternative currencies and exchanges. Because of its emphasis on transparency, bitcoin offers a public record of every transaction (i.e., the blockchain). This transparency does not extend to those making the transactions, however, as the blockchain does not publish any personal identifying information about the senders or recipients. Consequently, criminal syndicates have adopted online cryptocurrency exchanges in order to steal identities, money and conduct arbitrage (or commodity trading with stolen goods, such as using the stolen cryptocurrencies to purchase equities for trading, or fiat currencies for money laundering).
Across all of these instances, the root problem is the same — a failure to know the customer. Of course, customers are often their own worst enemy in this process, compromising their identities with one wrong click or tap (phishing emails), or re-using passwords and challenge responses. Financial institutions need to balance increasing awareness of these threats among consumers with investments in technology that prevent mass credential manipulation. In the end, Know Your Customer is a security strategy worth banking on.
Dr. Shane Shook is the chair of the Technical Advisory Board at Cylance, Inc., the first math-based threat detection and prevention company.
