IBM's X-Force Research team reported that 200 million banking records were exposed in 2016.

IBM's X-Force Research Team has found that cybercriminals follow Willie Sutton's old-school, analog advice on why to rob banks: because “that is where the money is.”

X-Force's just-released report, Security Trends in the Financial Services Sector, found that this industry is attacked 65 percent more often than any other, resulting in more than 200 million records being breached in 2016, a 937 percent increase year over year. This is a major shift in focus, said Nick Bradley, X-Force's practice lead, noting that the previous year saw cybercriminals focusing on healthcare and retail.

Possibly the saddest data point uncovered in the report is that 58 percent of the attacks were due to insiders, with only five percent of those being done maliciously. That means 53 percent of the breaches took place due to employee errors, such as falling for a phishing attack or Business Email Compromise (BEC) scams. This is the highest level among the top five most targeted industries: retail, health care, manufacturing, financial services, and information and communications.

The remaining 42 percent of the attacks were attributed to outsiders.

Since defeating BEC attacks is firmly in the hands of the front-line worker, recommendations on how to limit damage center on training.

“Foster awareness regarding BEC scams and other phishing scams through education. A variety of approaches—video, webinars, in-person instruction—can be used to educate employees. Programs that simulate phishing attacks could test employees at regular intervals. Encourage employees to report suspicious emails for further investigation,” the report suggested.

Robert Capps, VP of business development at NuData Security, noted that the sheer size of the financial sector means more than the traditional security methods need to be applied.


"Through a combination of behavioral biometrics identification and analytics, device location, and entity linking, the organization can continuously authenticate a user's online identity with unprecedented accuracy, speed, and frictionless user experience. A consumer's natural interactions can be continuously analyzed to confirm identity, and such behaviors form a unique pattern that can't be stolen, replayed or reused," he told SC Media.

Overall, there were 1,684 attacks on financial services firms in 2016, an attack being defined by IBM as a security event identified as “malicious activity that is attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself.” This is up from the 1,019 attacks that took place in 2015.

However, there was some good news. The number of what IBM calls “incidents” - events the company believes require further investigation - was down, with only 94 being reported last year compared to 192 in 2015.

Cyber bank robbers also played no favorites, using Distributed Denial of Service (DDoS), BEC and ransomware. Although IBM did not name the victimized institutions, it did list some of the bigger publicly acknowledged hacks that took place last year. These included a UK institution that was hit with what is believed to be the Retefe banking trojan, leading to 9,000 customers having their accounts emptied; two banks in Ukraine and Bangladesh that lost $10 million and $81 million, respectively; a 1.4GB data breach in Qatar; and DDoS attacks against finance companies in Canada, Russia and Greece.

The attackers were also not shy about what type of malware they were willing to use, with Dyre, Dridex, GozNym and TrickBot all being spotted.


IBM's Executive Security Advisor Limor Kessem took a longer look at TrickBot and discovered that not only is it now being used to target more business banks, having added 20 new private banking brands to its roster, but the malware is also being used at a faster pace than earlier.

“The malware has grown from one to three major campaigns per month to five campaigns already in April. It is possible that TrickBot's operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next,” Kessem said, adding that she believes TrickBot usage will likely grow in 2017, becoming one of the top vectors and possibly being behind even more attacks than Dridex.