This week, an important UK bank suspended its online payments after 40,000 customers reported a spate of fraudulent transactions.
The bank’s chief executive told the BBC it was hit by “a systematic, sophisticated attack”, yet has provided few details about how this happened. He said the bank knew “exactly” what the attack was, but could not disclose more information because it was part of a criminal investigation.
“Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently,” an official statement read.
Banks are under constant attack, but few of them publicly admit being breached. Tesco also avoided using the word “hacking” in its public statements and has been careful in its choice of language.
Amid the speculation, here are the most common cyber-threats aimed at banking clients and the banks themselves.
Fortunately, most banks have implemented extra security measures such as two-factor authentication using e-tokens, one-time passwords and unique codes sent to Android phones. Yet cybercriminals were quick to respond, developing tools and malware that can bypass these measures.
And it may be even easier than before, now that payments with selfies have become a reality. Mastercard recently introduced this technology in its new biometric app for online shopping. The app allows the cardholder to authenticate using the fingerprint scanner on their smartphone or via facial recognition by taking a “selfie” photo. Yet, security researchers have shown how hackers can steal fingerprint data from mobile devices before it gets encrypted in the device.
Facial recognition also has its technological limits as its accuracy still depends on lighting conditions and facial features. Overall, six in 10 US users prefer using passwords to log on to online services from their devices.
Dridex, Dyre, TrickBot and Lurk are some of the most common Trojans used to steal login credentials for online accounts.
Dyre, one of the most aggressive Trojans to target the financial market, manipulated websites to interfere with the communication between more than 400 financial institutions and their customers, causing hundreds of millions of dollars in damage. The Royal Bank of Scotland, Bank of America and JP Morgan Chase were among its victims.
The malware installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers can steal credentials and further manipulate accounts – all completely covertly.
A few months ago, Lurk targeted several Russian banks using phishing emails and stole $25 million from clients’ accounts.
TrickBot, the newest strain of malware hitting Australian banks, looks a lot like Dyre; however, it has the “most advanced browser manipulation techniques observed in banking malware in the past few years,” according to IBM.
DDoS attacks flood online systems, such as internet banking sites or online trading platforms, with huge amounts of data so as to overload them and knock their services offline.
Studies show that DDoS attacks are one of the most severe security risks acknowledged by the banking industry. They account for 32% of all attacks on banks, according to a 2015 Verizon report. And it’s no surprise, since DDoS tools are broadly available online.
We’ve seen Mirai take advantage of unprotected IoT devices all over the world to target domain name provider Dyn. This attack goes to show any business can become a target, regardless of its size, reputation or clients and regardless of the attackers’ reasons.
Online banking needs to be done with security in mind and customers should:
To remain safe, banks should strengthen security by:
Also, educating employees on the risks of phishing emails and other cyber-threats targeting them is, as we’ve seen countless times, equally, if not more, important than anything.