Insurance requirements, business and reputation loss, and solution viability are among the key factors that finance-sector companies must consider when analyzing the cost of potentially implementing anti-phishing solutions and practices, according to a trio of guest panelists speaking Tuesday at SC Media’s 2021 Finance eConference.
And as financial institutions assess the cost of security initiatives such as consumer education, DMARC/DKIM, and passwordless or hardware-based authentication, it will be important that no one solution is viewed as a panacea. Rather, these companies must pursue a defense-in-depth approach that encompasses multiple layers of security, the experts agreed.
From a defender’s perspective, the goal is to impact the bad guys’ bottom line so that they go elsewhere, said panelist Penny Lane, a veteran security leader who most recently served as Visa’s vice president of payment fraud disruption in global risk. “And typically, in my experience, it's a multi-pronged approach.”
“A defense-in depth strategy or multi-layered approach generally will have a much greater payback than the potential downside if you have [a] data breach,” agreed fellow panelist Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian. Bruemmer cited the latest statistics from the Ponemon Institute, which found that average cost of a data breach rose to about $4.24 million in the U.S. due to impact on “stock price, brand reputation or revenue.”
There are plenty of reasons why financial services customers make great cybercrime targets. For starters, by gaining access to a user’s bank account credentials, an adversary can withdraw funds from that account or create a fraudulent account at a later time. “People don't realize that just [a] simple compromise from a username and password or credentials can lead to much greater things,” said Bruemmer.
Sometimes when an attacker targets a bank customer, they’re not even interested in that particular bank account. “Many times, it's just taking advantage of the wealth of information that's typically exchanged in a banking transaction,” said Lane. There are “all sorts of personal account information. It could be your social security number. And so there's a lot of different ways that fraudsters could leverage that information and make money off of it.”
Among the trending adversarial tactics that the panelists have observed in recent phishing campaigns is the use of QR codes that, when scanned, lead to malicious sites.
“The QR code phishing is… going to be more prevalent coming soon,” Lane predicted. “It's already hit some banks in Europe, where they embed QR codes into the email lures because… they'll more easily bypass and the detection mechanisms. They even are physically mailing malicious QR codes to people and having them scan them. And then it leads to them giving up credentials.”
Additionally, the panelists cited a growing use of voice and text phishing (vishing and smishing) to circumvent traditional email filters that are designed to block malicious links and attachments. For instance, an attacker might send an email communication requesting that banking customers call a fake customer support number to resolve a nonexistent account problem.
“Especially as many financial institutions rely heavily on call center or support center-based authentication to help administer users’ accounts, this can be a really interesting vector for compromise by these malicious actors,” said panelist Chris Streeks, senior solutions engineer at hardware authentication device provider Yubico. “Not just specifically in the financial vertical but across the industry as well. There's a lot of potential for risk there.”
I think the reason smishing- or text-based messages is popular is because [the message is] opened all the time,” said Lane. “98% of text messages are opened, so the likelihood of success of getting a financial return for the phisher is higher.”
Sometimes the phishers target the actual customer service center, posing as customers. This can also yield returns for the attackers. “Most of the time the most upset people… calling call centers over and over actually ended up being the phishers themselves,” said Bruemmer. “They have pieces of information from potentially other breaches and they leveraged that to impersonate real citizens and get their EIP [economic impact payment] benefits.”
Financial services providers must counter these online assaults that threaten their brand and their customers — but there isn’t an endless supply of money. With that in mind, the panelists shared their thoughts on how cost analysis factors into the decision of which steps a financial institution should prioritize.
To begin with: “If there is an insurance aspect to the dialogue that needs to be had, that needs to be the heart of your cost analysis,” said Streeks. For instance, “If you don't have a form of 2FA today and your insurer says, ‘Thou shalt have a form of 2FA; otherwise we are going to no longer insure you,’” then that is a clear motivation to invest in 2FA.
Additionally, businesses should think about how a lack of certain security measures might result in a potential loss of business.
“We have seen, coming from the vendor perspective, high-net-worth clients leave financial institutions for another institution because institution B provides better [security],” said Streeks.
“And that needs to be considered” when deciding what brand protections you want to offer your client base. Moreover, once you offer these protections to your top customers, they can easily be rolled out to the rest of your client base as well, he added.
“It’s also important to look at the cost to your company as far as being used as a lure for these phishing campaigns,” said Lane. “You can't stop anyone from using your brand name as a phishing lure, but unfortunately, your consumers will think that it's your fault… People are less likely to use your brand if they see it coming up a lot in phishing emails… so how do you judge a loss of trust and monetize that? And then how do you decide how much to invest” to stop it?
“I actually recommend keeping aware of the campaigns that are using your brands as lures. Watch for [them] trending, watch for [them] rising,” Lane continued. Have pre-decision thresholds for when you're going to implement additional protections and defenses.”
Another factor to consider is how effectively a particular solution will serve its purpose within your organization, and what kind of investment it will take to actually do it right. For instance, DKIM and DMARC can be effective email authentication solutions to protect against brand and domain spoofing. But “if you're thinking about doing this… then I'd recommend a third party to help you with implementation,” said Lane. It’s not horribly complicated, but it is a bit complex. And I think it also behooves you to have an expert assist you with it.”
Businesses must also weigh the value of security over the value of an intuitive and pain-free customer experience. Some banks may not want their customers feeling like they are being inconvenienced by intrusive security measures. Streeks believes that there are innovations out there like Yubico’s hardware-based authentication keys that introduce both security and ease of use — “but having that discussion on whether or not this is more viable for my environment is definitely something that needs to happen sooner rather than later,” he said.