The Biggest Concerns within the US Financial Sector in 2022

October 13, 2022 The value of digital payment transactions is growing as the world’s payment environment moves more and more away from cash. Over the past few years, BFSI (Banking, Financial Service, and Insurance) firms have continued to be a top target for hackers. In fact, the Sixth Annual Bank Survey found that more than 70% of fintech companies named information security as their top issue.According to VMware’s Modern Bank Heists study, since the COVID-19 epidemic, there have been 238% more cyberattacks on companies in the financial sector. Artificial intelligence (AI) and self-learning malware are making cyberattacks more sophisticated. While ransomware assaults are the most profitable for cybercriminals, phishing attacks prey on unsuspecting and defenseless consumers. Thus, it should come as no surprise that 39% of financial industry executives think that the overall network security threat to BFSI sector companies has increased significantly.

Financial and banking firms in the US must put cybersecurity first above all else given the volume of sensitive data that the BFSI sector must manage. Leading analytics company GlobalData predicts that rising demand for cybersecurity would cause worldwide security revenues in the retail banking industry to climb from $7.9 billion in 2019 to $9.8 billion in 2024.

What are the biggest concerns facing the financial sector in the United States for 2022?

Reimbursing cyber scams

As banks are under pressure to compensate their scammed consumers, rising cybercrime rates translate to rising costs for the industry. More than half (58%) of those who conduct their banking online encounter scams via email or SMS at least once per week, and 23% report having fallen victim to a cyberattack.

Banks currently reimburse authorized push payment (APP) fraud at an average rate of 46%. Although many banking institutions are refusing reimbursements for online fraud, this is due to change soon, or else the situation will backfire. For example, measures supported by the UK government will require banks to reimburse everyone. This is only one illustration of the fact that if banks are to secure their consumers and their business line in 2022, they must prioritize cybersecurity more highly.

To exchange efficient strategies, banks will need to collaborate with governments and industry organizations. The public must continue to get education on preventative measures, but ultimately it is the banks’ responsibility to establish security models that will give them and their clients the greatest level of safety.

Maintain compliance with strict privacy regulations

The use of social engineering and account takeover fraud will increase over the next years. Financial institutions must not only conduct comprehensive data checks beyond document verification at account opening to fight this but also keep track of customer identities throughout the customer lifecycle.

Banks must decide how to manage sensitive personal data like biometrics as GDPR and other privacy regulations are being established throughout the world. As a result, many institutions believe that finding a partner that can protect this sensitive personal information is more practical than modernizing internal systems and processes.

Finally, the public is becoming more concerned about how technology corporations utilize personal data. More difficult questions will be raised as a result, and any responses must pass a strict ethical standard. The application of AI to compliance and fraud will need to be explained by banks. Ascertaining whether their partners and vendors have complete control over the technology they provide will also have an impact on vendor onboarding. Every bank will need to be able to justify decisions made to regulators and the broader public.

Leveraging AI to combat cyber fraud

Instead of being a subset of financial crime, banking fraud now coexists with ransomware, phishing, and other types of cybercrime. Fraudsters are functioning methodically, getting more skilled at spotting loopholes in the automated systems that financial institutions are putting in place, and getting better at learning through repetition.

For example, banks and mortgage lenders have started to link more of their fraud charges to the fact that their clients are doing more transactions using mobile banking apps. According to a LexisNexis survey, more than half of the respondents who worked for US banks and credit lenders say that mobile channel fraud has increased by 10% or more this year.

Today’s fraudsters collaborate with criminal gangs that provide crime as a service. As a result, frauds and forgeries become increasingly sophisticated, making them impossible for humans to detect without artificial intelligence (AI) to support their decision-making.

Decentralized currencies are at the center of attacks

Meanwhile, cryptocurrency has become a primary target of cyberattacks. Huge sums of money are frequently present on cryptocurrency exchanges and wallets, making them a powerful attraction for attackers trying to make money from their attacks.

These are sometimes straightforward social engineering attacks, and other times they are far more sophisticated technically. We expect to see more cyberattacks on decentralized currencies given the amount of money that can be stolen in a single successful attack (possibly reaching millions of dollars). For example, in December 2021 criminals stole nearly $200 million from the crypto trading platform Bitmart.

However, we should anticipate law enforcement and governments to become more actively involved in both the investigation of cryptocurrency assaults and the use of cryptocurrency vulnerabilities. For example, government agencies like the Securities Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) may try to regulate cryptocurrencies more strictly as they regulate traditional currencies.

Attacks bypassing MFA

Although multi-factor authentication is a prerequisite for enabling strong customer authentication, the latest attacks against Cisco and Uber have profoundly demonstrated that fraudsters can bypass MFA. Using sophisticated tactics and tools like auto-diallers, criminals have managed to intercept one-time passwords (OTP) and compromise banking accounts. Automating the process and creating what is known as MFA fatigue they force customers to give up OTPs to malicious bots.

OTP interception is now trivial compared to what it has been historically, and that innovation fundamentally shifts the economics in the favor of the attackers. The LexisNexis report highlighted this concern saying that balancing fraud detection with customer friction is a top challenge for banks. Banks need to embrace phishing-resistant MFA methods that eliminate the risk of being defrauded while offering a superb customer experience for all possible use cases and authentication journeys.

A bigger attack surface and higher attack sophistication levels are a result of the rising use of complicated technologies and interaction with third-party systems. Today, maintaining a strong cybersecurity posture entails more than merely defending sensitive systems and data from damaging external attacks. Additionally, it entails better data privacy, identity protection, and vulnerability management. Banks and financial institutions can outsource part of the burden of staying compliant with regulations and securing customer financial data by partnering with a trusted managed services provider. These companies aggregate experience and expertise to help banking institutions stay one step ahead of their adversaries.

Courtesy of  Anastasios Arampatzis This blog was written by an independent guest blogger, featured on ATT.com

Courtesy of Matthew Gracey-McMinn, Payments Journal

“We would like to text or call you with a code.” That familiar phrase usually means multi-factor authentication (MFA) is in play. It’s an added layer of protection that businesses are using to protect accounts, and it’s become commonplace at financial institutions to secure personal data. From banks to brokers to crypto wallets, there is an expectation that it is implemented by institutions. However, MFA is far from foolproof. Criminals can still find their way around it to carry out attacks.

The holy grail for hackers is to successfully takeover an account utilizing techniques such as credential stuffing. This requires the attacker to acquire a list of username and password pairs and then thrust the credentials onto login pages using bots. The speed and volume at which bots can fill in login forms helps the hacker find a winning credential combo quickly. The data used often comes from leaks, stolen device fingerprints, or session cookies sold on the dark web or marketplaces like Genesis Market.

So, suppose a criminal launches an attack that could be attempting millions of logins within a few hours. In that case, the success rate can yield hundreds or thousands of accounts. Credentials can be validated and used to reset a password, completely control an account, and even transfer funds elsewhere.

MFA can stop an account takeover following a successful credential stuffing attack by requiring more than just a password to validate a legitimate login and prevent automated attempts. But it’s not airtight. Some sites use 2FA (two-factor authentication), a type of MFA that uses two factors for login, such as credentials and a device.

The secret ingredient for hackers to bypass MFA security is using a combination of bots and human intervention. The goal is to either sidestep the need to use MFA for access or use tricks to fool account owners into handing over MFA codes.

Here are the five most common techniques financial services organizations need to know about:

  1. Targeting financial aggregator sites. APIs are easily exploitable via financial aggregator sites. Customers of services such as Mint or Plaid use these apps to manage their finances, aggregating accounts into a single view. These apps can access account information and even make changes using the bank’s API or a web app, sometimes without requiring MFA. A threat actor can perform credential stuffing using a financial aggregator app to bypass MFA controls or can target the aggregator app itself taking over a customer’s account there and thereby getting some degree of access to their banking information.
  2. Stealing security questions with social engineering. The most common method of verifying a user’s identity is through security questions. Security questions are often in place to bypass MFA if users lose or don’t have access to their device. Attackers use social engineering, which can be as simple as looking at social media profiles, to answer common security questions and access accounts without MFA. Bots can then use credential stuffing techniques to bypass MFA and input answers to security questions using brute force or publicly available data.
  3. Generating phishing scams. Phishing is one of the most popular means of acquiring sensitive information such as passwords or answers to security questions. Attackerstry to convince individuals to visit a fake login page and input the MFA code. The threat actor might also email or phone an individual and impersonate their bank to ask for the MFA code. In this way, attackers gain access to MFA codes maliciously rather than bypass MFA.
  4. Exploiting Man-in-the-middle (MITM) tactics. The threat actor positions themselves between the bank and the customer (often using malware) and intercepts messages between them. This tactic is used to acquire an MFA code by linking to a fake page asking for the code.
  5. Using SIM swapping techniques. Bad actorsintercept text messages sent to a user’s phone number and send them to another handset. This is accomplished by calling the user’s SIM provider, impersonating the customer, and passing on security questions. The criminal convinces the provider to swap the phone number to the attacker’s SIM card. Once set up, they use the phone number as authentication to access the account.

MFA might present a more vigorous defense than using a password, but it’s not a fool-proof guarantee against successful attacks. Bypassing MFAs may require human intervention, but it can still happen. When you factor in bots attacking at scale, the risk increases, and the success rate becomes much higher. Banks need to be on the lookout for malicious activity and educate customers about deceptive behavior such as phishing and social engineering. Adding extra layers of security to stop the bot attacks that are the precursor to the phishing and social engineering attacks will also help to protect systems. Don’t forget, security requires greater depth to successfully deal with more sophisticated criminals. Financial institutions must stay one step ahead.

Disclaimer: This article represents the views of the author only. They are not themselves a statement of any official government policy and does not represent the views or policy of the National Association of State Credit Union Supervisors (NASCUS),