Cybersecurity has been one of the most prominent topics in 2021 and will be increasingly so in the coming months when we expect to see major developments and … alarming. Hackers are looking for profits and the fintech sector naturally attracts them, so if you want to operate in this industry you need to have a thorough understanding of cyber crime mechanisms and security best practices.
To support those who want to stay up-to-date and ready to minimise risk, we have chosen the experts at Swascan to create a course dedicated to cyber security in the era of open innovation: 4 dedicated, online, interactive lessons, starting in February.
To find out more, click here and read the following interview with Swascan CEO Pierguido Iezzi.
What are the most common threats in the fintech sector? Are there particular trends that stand out from the general trends in the world of cyber crime?
Fintech has always been, for obvious reasons, the most targeted sector by Cyber Crime. Obviously, cybersecurity in banking is enforced through legal regulations, which require banks to provide reliable and secure services and to implement robust cybersecurity procedures and operational processes aimed at optimizing those services. But this doesn’t mean that Criminal Hackers are discouraged from attacking.
The modus operandi mainly revolves around phishing and banking trojans, which are a type of malware specifically targeted at fintech companies. After compromising the financial institution’s data, using these methods, the attackers use the sensitive information gathered to launch a more sophisticated attack on their consumers.
Another method used by attackers is to target the financial firms by identifying the loopholes in the services provided by these institutions, such as e-commerce, net banking, payment transactions online, and cryptocurrency services.
How has the pandemic affected the number of cyber attacks targeted at fintech companies?
The migration to online services, particularly in the fintech district was already underway, the pandemic was just a boost: with COVID-19, however, came a surge not only in activity using services – for example – like home banking services, but also in cyber-attacks targeting these organisations and their customers’ accounts (+238% compared to 2019). Out of these attacks, nearly 75% of the victims were banks and insurance companies.
Attackers have been widely targeting financial institutions such as banks and insurance companies, which we observed more frequently since the onset of the pandemic. Attackers benefit monetarily by misusing and selling sensitive Personally Identifiable Information (PII) such as customer details, Social Security Numbers (SSN), driver’s licenses, bank account details, and transactional records. Attackers gain access to the system by exploiting any security vulnerabilities that they can identify. This is more than a wake-up call, as banks and fintech companies cannot turn a blind eye to such numbers.
Cyber resilience must be at the top of the priority list for everyone in the industry, without exception, as must the ability to respond quickly and contextually to any type of attack.
In the era of open innovation, can third parties be a vulnerability?
No company can now be said to be monolithic. Adopting cutting-edge security policies and solutions and securing ‘only’ the perimeter of the company, without taking into account the business ecosystem, could make these efforts futile. When we talk about Cyber Security, we must never forget that the battle is fought on two fronts, internal and external.
The first is obviously the direct attacks against the organisation and is the one that usually captures most of the attention. The second front, on the other hand, indirect attacks through third parties – including our entire supply chain – often falls by the wayside. There is no difference in terms of economic damage, brand reputation and business continuity when the attack occurs ‘from the front’ or ‘from the sides’.
To summarize: in the era of open innovation, the risks arising from the ecosystem in which all companies operate have increased dramatically.
What opportunities does threat intelligence offer the fintech world in particular?
Cyber security, especially applied to the world of fintech, cannot afford to play a “reaction” game.
You cannot wait for a breach or an attack and respond accordingly: this is an outdated method and mentality.
Here Threat Intelligence comes into play, together with the other pillars of cyber security.
More generally, in order to feel safe, one must make one’s perimeter ‘unattractive’ to criminal hackers. In other words, by reducing the exposed surfaces on the Internet, by making one’s own perimeter safe and well protected, attackers will have no incentive in terms of effort to attack us compared to another, less protected or more exposed target.
To do this you need a clear action plan. What is it?
By forming and adopting an effective and responsive Cyber Security strategy.
Defence must be based on the three pillars of Cyber Security: Predictive, Preventive and Proactive Security. Predictive Security works through OSINT and CLOSINT sources to understand what threats exist and whether there is any information about our company that could put us at risk. Services such as Domain Threat Intelligence and Cyber Threat Intelligence become the starting point for properly setting up both preventive and proactive security.
Preventive Security corresponds to the whole world of technological, human and process risk analysis. We are talking about activities such as penetration tests, phishing simulation attacks, ransomware attack simulation up to specific cyber risk analyses based on international security frameworks such as NIST, CIS or ISO27001.
Proactive Security brings into play the whole world of the SOC (a centralised structure made up of people, technologies and processes dedicated to meeting the information security needs of a company; it represents a critical asset for any organisation at risk of cyber-attack) where systems, processes and technologies allow us to manage, monitor and bring to light any anomaly that may affect my infrastructure, closing the circle with the ability to react, that is: incident response, business continuity and disaster recovery. It is important to clarify one aspect: all these systems and frameworks are useless if they are not tested and put to the test.
Which social engineering techniques are best suited to the fintech world and how do they work?
On to the subject of the most common techniques used to attack banks and fintech institutions, we cannot fail to mention account takeover.
Thanks to this technique, criminal hackers are able to access the account of their chosen victim and ‘lock them out’ by changing the access credentials. ATO (short for Account TakeOver) is in turn the result of credential stuffing, the often-automated attack in which the criminal hacker uses various combinations of e-mails and passwords, retrieved from data leak and data breach databases, to try to breach the targeted account.
As well as using this technique to take control of on-line banking accounts, criminal hackers use it for identity theft – often aided by the fact that once the ‘magic’ combination of e-mail and password has been guessed, more accounts can be accessed by the victim (given the nasty habit of recycling these credentials).
This method can be used both to breach customer accounts and to take control of employee accounts and initiate more devastating cyber-attacks (such as ransomware). Another way to hack online banking accounts is the evergreen of phishing.
“Your account has been compromised” or “Update your password”, classic phishing e-mails where the victim is tricked into clicking on a link that has been specially designed by the attackers to harvest the credentials that are entered.
Here again, however, the weapon can be aimed directly at bank employees and officials – obviously with different objects – always with the aim of obtaining a foothold for more ‘substantial’ breaches.