A row of ATMs at a Bank of America branch in New York City. (Photo by Spencer Platt/Getty Images)

When it comes to the financial services sector, one might think that the world of digital currency and P2P payments must be driving most of the cyber innovation, due to the risk of cryptotheft that’s plaguing these nascent services.

And yet, on closer inspection, you’ll find that good old-fashioned banks, credit services, insurance companies and other traditional financial institutions are in many cases leading the pack in terms of developing and adopting infosec solutions and policies, especially those designed to curb fraud, identity theft and account hijackings.

Of course, they don’t have much choice but to keep up with evolving threats — from the 2012 Operation Ababil DDoS attacks that disrupted banking operations, to the 2015-16 SWIFT messaging network attacks against the Bank of Bangladesh and other institutions, to modern-day malware and phishing operations. After all, financial service providers continue to be alluring targets. As notorious criminal Willie Sutton said when asked why he robbed banks, “that’s where the money is.”

SC Media spoke with multiple experts to learn what constitutes the latest in anti-fraud and anti-malware innovation in the traditional finance vertical, how better processes and technologies can curb today’s biggest threats, and what banking giants and newfangled crypto and P2P platforms can learn from each other to improve their security efforts.

Assessing the latest risk landscape

Before we can remark on what security looks like in the finance space, first we need to understand where the greatest risks lie. After all, while many industries face similar threats, each vertical has its own unique challenges when confronting them.

Ironically, one of the biggest impediments to keeping banking clients’ data and money safe is the refusal of some customers to accept the implementation of security measures in the first place if it means sacrificing convenience or efficiency.

“In the U.S., user experience is often still favored over cybersecurity as it relates to customer satisfaction,” said Mark Nicholson, financial services industry leader for cyber and strategic risk at Deloitte Risk & Financial Advisory. “Banks and financial services institutions are challenged to provide a frictionless customer experience while still maintaining stringent access and authorization controls.”

But perhaps at least some consumers are seeing the benefits of security as a differentiator. In a recent Nuix survey of U.K. banking customers, 25% of respondents who filed a customer service complaint said they wouldn't use the same bank in the future as a result of dissatisfaction over how their issue was handled. Of the customers who issued a complaint, 21% said fraud was the chief reason for doing so, while another 18% said it was because of an email scam. 

“Security certainly factors into a customer’s banking choice,” said Travis Hoyt, CTO at NetSPI, formerly a tech and cyber executive with both Bank of America and insurance company TIAA. “Specifically, they are paying attention to the user interaction processes. For example, they will look at whether a bank requires a certain password strength [or] multi-factor authentication, [or] perhaps most importantly, how fast they respond when you experience an issue.”

Still, competition among financial service providers to provide cutting-edge digital services and mobile transactions has resulted in the rapid expansion of their IT ecosystems. As a direct result of digital disruption, app innovation, shifts in IT architecture, and multiplying vendor collaborations, banks and financial companies now have larger attack surfaces to inspect and protect.

“What poses the greatest risk to resiliency is the increasing complexity of the financial services ecosystem,” said Hoyt. “Trying to defend a large and complex ecosystem, like many traditional banks and financial institutions have, is no easy challenge. It is a challenge that creates a lack of understanding of aggregate risk for business processes. Because of the complex nature of banking systems, it is increasingly important to perform assessments of the entire ecosystem, to understand your risk in totality.”

Moreover, in an effort to “create value through data assets … organizations have embraced microservices architectures that sometimes use hundreds of different APIs that each can represent points of vulnerability,” said Nicholson. “While this architecture enables a more rapid development of software and services, it also dramatically expands the susceptibility to attack.”

And although banks aren’t moving to the cloud as quickly as other businesses “due primarily to the complexity of migrating controls effectively,” there’s still a desire to capitalize on this trend, Nicholson continued. But “as workloads are moved to cloud environments, development becomes faster and more agile and cybersecurity can sometimes be challenged to keep pace.”


Partnerships with third parties only further complicate the landscape. After all, “We are seeing a clear trend of attacks on third-party suppliers, especially software vendors, to the financial sector as well as other industries,” said Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center, or FS-ISAC. “While financial services firms tend to have robust cybersecurity controls and defenses, third and fourth parties performing critical services for multiple valuable clients will continue to be lucrative targets for threat actors with a variety of motivations.”

As for the cybercriminal threats wreaking havoc on financial institutions today, not surprisingly experts identified ransomware as one of the biggest. “The prospect of having clearing, settlement, trading, or payment systems disrupted has institutions and regulators concerned,” said Nicholson. “This is in addition to the obvious concern of loss of trust with clients whose data has been compromised. This poses institutional and sometimes systemic risk.”

Fraud and phishing campaigns also abound, as malicious actors attempt to trick consumers and business employees into giving away their banking credentials or sending a money transfer to an attacker-controlled account.

“Social engineering, a relatively low-tech tactic, unfortunately still works quite well to trick customers out of their money,” said Walsh. “Many criminals find that business email compromise, where the scammer simply uses an email that resembles a company or company user, still pays dividends.”

How cyber innovation is saving your savings

Banks and other financial institutions are leading the way in a number of key best practices for curbing fraud and digital crime.

To help solve the complex ecosystem issue, Nicholson said one of the more foundational strategies for financial firms is to “establish an integrated data architecture across various information sources,” using tools like SIEM (security information and event management) solutions and UEBA (user and entity behavior analytics) to capture and scrutinize data corresponding to cybersecurity logs, transactions, and customer and employee activity. (For an example of a cutting-edge UEBA application, see this article about a solution from BioCatch that flags anomalous digital activity that deviates from the typical norms of a bank account-holder’s age bracket.)

Advanced analytics leveraging AI and supervised machine learning will play a particularly important role in helping these institutions identify and prioritize threats. “High-speed structured and unstructured analytic technologies that can establish baselines and deviations and understand anomalies are important,” Nicholson stated. “It’s no longer acceptable to run batch processes at the end of the day for remediating fraud and [money laundering] issues the following day. Having near real-time detection in cyber is imperative.”

Still, this can be a challenge to implement and integrate, due to the sheer speed and volume of transactions and source logs that must be ingested at any given time; thus the comprehensive use of advanced analytics remains “a bit aspirational,” Nicholson acknowledged. So for now banks may need to be “judicious about the specific use cases an organization wants to implement, as well as the data sources it intends to leverage.”

In the meantime, there are other technology solutions that are more attainable, like stronger authentication for account access to prevent criminal tactics such as password phishing or credential stuffing.

“People will continue to use the same passwords across multiple sites, so it is up to financial institutions to think critically about their authentication practices,” said Hoyt. “Banks should … continue to encourage people to use password vaults to generate and maintain complex passwords for various sites. One way to drive adoption of better authentication hygiene is for banks to offer discounts to password vaults — just as many banks today offer free software security products.”

Or they could encourage adoption of passwordless technology, such as biometrics, one-time codes or hardware-based keys or tokens. “Passwordless authentication technologies are integral to curbing fraud and other cybercrime,” said Hoyt. “The challenge here will be to facilitate adoption across the broad spectrum of banking customers with varying levels of technical acumen — all while adhering to ADA requirements.”

Indeed, this is one of those areas where certain users favor ease of access over security, and it will be up to the bank to get them accustomed to the idea.

“Many customers bemoan the need for multi-factor authentication when accessing the services from various modalities (e.g., mobile, tablets, work computers) while expecting that their safety and security are protected,” said Nicholson. “This poses a significant technological challenge — Customer Identity Access Management is a rapidly growing area of cyber for this reason.”

The government could also have a say in how widely the industry adopts next-generation authentication solutions. “Financial policies are heavily influenced by the regulators,” Hoyt noted. “If regulators start to pressure banks to move towards passwordless technologies, it will drive the adoption of new policies.”

Just as important as technology is having a strong set of cyber policies that maximize one’s ability to resiliently recover from an attack. This starts with top-notch data protection that goes beyond basic backups.

“For example, savvy ransomware attackers will go into the firm’s system and delete the backup before sending ransom notes and encrypting data,” said Walsh. Therefore, “firms should ensure critical data is archived in an offline vault that is detached from the rest of the systems.” The FS-ISAC’s subsidiary Sheltered Harbor provides an industry standard for achieving this, she noted.

Developing incident response playbooks, conducting regular pentesting and threat hunting, and preparing for incidents through tabletop exercises are other strategies experts said banks use to stay on top of the latest threat scenarios and respond quickly and decisively when one occurs.

Security education and awareness is another important, if low-tech, strategy for banks to keep their customer base informed of current fraud and cybercriminal threats. Sounil Yu, CISO at JupiterOne and former chief security scientist at Bank of America, thinks this is especially important to contend with the barrage of BEC threats that corporate banking customers face.

“Because the losses from BEC attacks are directly the fault of the customer, there are limited options for recourse … After a few days, it becomes very difficult to reverse any transactions,” said Yu. “As such, it is important for banks to be proactive in communicating with their customers about the threat of BEC, warning signs of a BEC attack, and procedural steps that customers can follow to avoid becoming a victim.”

Finally, experts emphasized the critical role that cyber intelligence sharing plays in the finance industry.

“Sharing industry-specific threat intelligence in a secure and trusted environment such as FS-ISAC has become an invaluable resource in helping firms understand the cybercriminals involved in each ransomware attack,” said Walsh. “What are the signatures of the malware? Which systems are targeted? This type of information can help firms determine the best course of action. Early on, this sharing can help raise red flags on suspicious activity and help firms build pre-emptive defenses to protect against specific ransomware tactics.”

Traditional banking vs. digital transactions

There’s no question that crypto platforms, digital wallets and P2P apps have changed the game of personal and corporate finance, giving users more ways than ever to move their funds around. However, as evidenced by a spate of attacks this past year against decentralized finance e-payment services, these newer forms of banking have also introduced their own unique set of risks, as well as security innovations to address them. (In fact, a newly announced three-year research partnership between the Federal Reserve Bank of Atlanta and Georgia State University’s Evidence-Based Cybersecurity Research Group will be examining the tactics and techniques that fraudsters are leveraging to abuse e-payments.)

As it turns out, traditional banks and e-payment services both have a lot they can learn from each other on the security front. The latter group, for instance, has “accelerated cybersecurity innovation” in the area of applied cryptography as it relates to blockchain and digital currencies, said Nicholson, citing the usage of multi-party computation and zero-knowledge proofs as examples.

Multi-party computation is a form of cryptography that protects two or more parties’ privacy from each other while still allowing them to jointly compute a function, while zero-knowledge proof is a protocol that offers a way to verify an authentication attempt without parties ever having to exchange secrets such as a password.
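The Schnorr identification protocol is one textbook zero-knowledge proof of the kind Nicholson describes. The following is an added example, not code from the article or from any of the firms quoted in it, using constructed toy group parameters: the prover convinces the verifier that it knows the secret behind a public value without ever sending that secret, and `simulate_transcript` shows why an accepting exchange leaks nothing about it.

```python
import secrets

# Constructed toy group (demo only; real deployments use standardised,
# much larger groups): P and Q = (P-1)/2 are both prime, and G, a
# non-trivial square mod P, generates the subgroup of prime order Q.
P = 2039
Q = 1019
G = pow(2, 2, P)  # = 4


def keygen():
    """Secret x (never leaves the prover) and public y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Prover picks a fresh nonce r and sends the commitment t = G^r mod P."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def respond(x, r, c):
    """Prover answers challenge c with s = r + c*x mod Q. Because r is
    uniform and used once, s by itself reveals nothing about x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff G^s == t * y^c mod P."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_identification(y, secret, rounds=20):
    """One login attempt: `rounds` interactive rounds against public key y.
    A prover without the matching secret passes a single round only by
    guessing the challenge (probability 1/Q); repetition makes the
    false-accept probability negligible."""
    for _ in range(rounds):
        r, t = commit()
        c = secrets.randbelow(Q)  # verifier's random challenge
        s = respond(secret, r, c)
        if not verify(y, t, c, s):
            return False
    return True


def simulate_transcript(y):
    """Zero-knowledge: anyone can build an accepting (t, c, s) for y by
    choosing c and s first and solving t = G^s * y^(-c) mod P, so a valid
    transcript gives the verifier (or an eavesdropper) no evidence about x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P
    return t, c, s
```

The same three-move structure, with the challenge derived from a hash of the commitment instead of chosen by the verifier, is the non-interactive form used in signature schemes.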

Meanwhile, Hoyt said digital finance companies also serve as a model for how traditional banks must modernize their IT architectures to help stay secure.

“Traditional financial institutions often have to navigate legacy technologies and processes,” he explained. “Younger fintechs typically are a step ahead of established, traditional organizations from a security perspective because they are not dealing with the baggage of outdated systems.” 

“Adoption of distributed ledger technology — crypto and P2P — as a next-generation architecture is gaining a lot of ground — not only in banking, but across industry sectors,” Hoyt continued, referring essentially to blockchain technology. “Traditional banks can learn a lot from distributed ledger technology, specifically around the architectural decisions it enables.” 

With that said, however, digital finance platforms also have room for improvement, and can look to their more traditional counterparts for guidance.

As Walsh noted, currently “a host of mainly young and unregulated firms enable the custody, trading, tracing, and interoperability of cryptocurrencies and their blockchain infrastructure,” and “this nascent ecosystem is … filled with opportunities for cybercriminals to exploit.”

“As emergent business models and technologies are integrated into the larger financial system, there is plenty for new players to learn from the principles and practices that have enabled financial services’ strong cyber defense capabilities to date,” she continued.

Indeed, “the decades of learnings from traditional approaches to cybersecurity within [the financial services industry] has tremendous relevance for cryptocurrencies and P2P services,” agreed Nicholson.

For instance, “monitoring that detects lateral movement of data and applying behavioral analytics to systems, functions and people” are important tactics for both traditional institutions and emerging fintechs alike, he said. “When we know the normal pattern behavior of a specific function, app, business system, business unit, etc., we can predict and anticipate changes in behavior based on looking at that lateral movement of data.”

“It’s powerful to be able to adjust security controls dynamically based on changes in threats in near-real time,” Nicholson continued, and “this is a discipline that traditional banks have been working on for some time.”

This is part of SC Media's special October coverage, in honor of Cybersecurity Awareness Month, spotlighting “security by design”: How different organizations within various verticals recognize their own security practices not only as a necessity, but also as a differentiator.