
Biggest risks of online banking and how to avoid them

This week, an important UK bank suspended its online payments after 40,000 customers reported a spate of fraudulent transactions.

The bank’s chief executive told the BBC it was hit by “a systematic, sophisticated attack”, yet has provided few details regarding how this happened. He said the bank knew “exactly” what the attack was, but could not disclose more information because it was part of a criminal investigation.

“Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently,” an official statement read.

Banks are under constant attack, but few of them publicly admit to being breached. Tesco also avoided using the word “hacking” in its public statements and has been careful in its choice of language.

Amid the speculation, here are the most common cyber-threats aimed at banking clients and the banks themselves.

Vulnerable mobile banking apps

In 2015, as many as 70 percent of the top 100 mobile banking apps on Android were vulnerable to security attacks and data leaks. Vulnerabilities included intent spoofing, unintended data leakage, SQL injection, JavaScript injection and XML injection, among others.

Fortunately, most banks implemented extra security measures such as two-factor authentication using e-tokens, one-time passwords and unique codes sent to Android phones. Yet cybercriminals were quick to come up with workarounds, developing tools and malware that can bypass these measures.

And it may be even easier than before, now that payments with selfies have become a reality. Mastercard recently introduced this technology in its new biometric app for online shopping. The app allows the cardholder to authenticate using the fingerprint scanner on their smartphone or via facial recognition by taking a “selfie” photo. Yet security researchers have shown how hackers can steal fingerprint data from mobile devices before it gets encrypted on the device.

Facial recognition also has its technological limits, as its accuracy still depends on lighting conditions and facial features. Overall, six in 10 US users prefer using passwords to log on to online services from their devices.

Aggressive banking malware

Dridex, Dyre, TrickBot and Lurk are some of the most common Trojans used to steal login credentials for online accounts.

Dyre, one of the most aggressive Trojans to target the financial market, manipulated websites to interfere with the communication between more than 400 financial institutions and their customers, causing hundreds of millions of dollars in damage. The Royal Bank of Scotland, Bank of America and JP Morgan Chase were among its victims.

The malware installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers can steal credentials and further manipulate accounts – all completely covertly.

A few months ago, Lurk targeted several Russian banks using phishing emails and stole $25 million from clients’ accounts.

TrickBot, the newest strain of malware hitting Australian banks, looks a lot like Dyre. However, it has the “most advanced browser manipulation techniques observed in banking malware in the past few years,” according to IBM.

Unstoppable DDoS attacks

DDoS attacks flood online systems, such as internet banking sites or online trading platforms, with huge amounts of data so as to overload them and knock their services offline.

Studies show that DDoS attacks are one of the most severe security risks acknowledged by the banking industry. They account for 32% of all attacks on banks, according to a 2015 Verizon report. And it’s no surprise, since DDoS tools are broadly available online.

We’ve seen Mirai take advantage of unprotected IoT devices all over the world to target domain name provider Dyn. This attack goes to show that any business can become a target, regardless of its size, reputation or clients and regardless of the attackers’ reasons.

Tips for customers

Online banking needs to be done with security in mind and customers should:

  • avoid checking accounts when navigating on public Wi-Fi and use only HTTPS secured sites,
  • sign out of an online banking session,
  • pay attention to phishing emails or webpages,
  • avoid disclosing credit card numbers, or passwords, to a third party or website other than the bank,
  • use a mobile security solution for banking on the go.

Tips for banks

To remain safe, banks should strengthen security by:

  • safeguarding their network with an advanced firewall and intrusion detection system,
  • testing their infrastructures for security issues and vulnerabilities,
  • encrypting all sensitive data,
  • performing regular backups of both physical and virtual drives,
  • keeping their antimalware solution updated to detect and block the newest type of threats.

Also, educating employees on the risks of phishing emails and other cyber-threats targeting them is, as we’ve seen countless times, equally important, if not more so.