Banking on Threat Intelligence: The Impact of Credential Theft on Financial Services

A couple of years ago cyber-thieves managed to compromise the accounts of thousands of Tesco Bank customers in the UK, stealing £2.5m in the process. The attack was labelled “unprecedented” at the time. But while major incidents like this are few and far between, attackers are certainly turning the heat up on financial services firms and their customers. In fact, cybercrime now costs the sector more than any other, according to Accenture.

As more systems and services go digital, credentials have become the frontline in the escalating cyber conflict between banking IT teams and black hat hackers.

Those financial services players best equipped to mitigate these growing risks will leverage the power of threat intelligence to predict, respond and protect their customers.

The hunt for credentials

Like every organization, financial services firms have a major weakness: the passwords which secure many of their internal accounts and those of their customers. Banking trojans are an obvious threat, although these are targeted at customers directly rather than the bank itself. They typically leverage Man-in-the-Browser (MitB) techniques to make it appear as if the user is logging on to their bank account as normal. These include seamlessly redirecting users to phishing pages where even the browser security looks legitimate, or injecting code to modify browser content before the user can see it (‘web injects’). So-called “form-grabbing” tools complete the picture, allowing for capture of the all-important log-in data. The same techniques can be used in a variety of industries.

Other popular techniques to obtain credentials include phishing attacks targeted at customers and employees. In March, for example, Europol arrested 20 suspects alleged to have made €1m by impersonating tax authorities to trick victims into handing over their bank log-ins. Once inside the customer accounts, they would transfer sums to their own accounts. Attackers are also adept at using various strains of malware, as well as Man-in-the-Middle (MitM) and DNS hijacking attacks. Some prefer to use automated tools to “brute force” their way into accounts.

But the end goal is always the same: corporate or customer credentials. In fact, Blueliv data earlier this year revealed a 39% increase in the number of compromised credentials detected from Europe and Russia, compared to the same period in 2017 (January-May). Europe and Russia are now home to half (49%) of the world’s credential theft victims.

Remember: it could take just one compromised credential for attackers to infiltrate your organization.

If it’s a password to a CMS, then that could result in defacement of your website. Email log-ins for the CEO or CFO could enable BEC fraud, which the FBI claims has cost businesses in excess of $12bn over the past five years. But perhaps the most damaging impact of credential theft is network access, allowing attackers to escalate privileges until they reach databases of sensitive customer data or IP.

The fraud economy

If customer passwords are compromised en masse, it could create a huge fraud risk for the organization. There’s a large and thriving underground trade in bank account credentials, with prices dependent on the balance of the victim’s account. Access to accounts can cost as little as $10 if the balance is under $1,000 but goes as high as $25,000 for accounts with over $500,000. Even empty accounts are priced at around $4.

Accounts could be drained of funds, or else the attacker could request new credit cards to buy goods, withdraw money from ATMs and so on.

The account could even be used to help launder funds obtained illegally elsewhere. Beyond the high street lenders, hijacked trading and brokerage accounts could be used to buy up shares in specific companies to artificially inflate the price, in so-called “pump and dump” schemes.

It’s a fraud epidemic that has already generated some radical solutions. Behavioral biometrics tools are now being touted by over a dozen vendors. They work in the background to record a user’s typical browsing or app usage behavior. This means if a fraudster logs on or tries to apply for a new account, an alarm will be raised with the financial services provider.

Costs and compliance

All of this criminal activity has an end cost to the financial services company, whether that’s a direct financial impact or a potentially even more severe longer-term hit to reputation and brand. There’s an initial remediation and clean-up cost associated with any major cyber-heist, along with possible legal costs. But a major incident may also lead to tumbling share prices and customer attrition, especially if customers are exposed to identity theft in the aftermath.

Accenture estimated the average cost of cybercrime for financial services companies globally has increased by over 40% over the past three years, from nearly $13m per firm in 2014 to over $18m in 2017. Phishing and social engineering were among the most expensive types of attack, costing over $196,000 per incident.

Losses from resulting fraud may exceed even these estimates. The industry could experience over $31bn in global card losses in 2018, according to The Nilson Report.

That’s not factoring in the potential impact of regulatory fines. The Financial Services sector is a highly regulated industry which now also has to meet strict new compliance rules around data protection under GDPR. The law could levy maximum fines of 4% of global annual turnover or €20m, whichever is higher, in serious cases. This is highlighted in our Data Breach under GDPR whitepaper, available to download here.

The smart approach

Financial services firms best prepared for the inevitable assault on credentials will be those that take multi-layered precautions built around a central pillar of threat intelligence. The best platforms offer highly automated, customizable services which integrate seamlessly into existing security infrastructure to enhance threat awareness and detection capabilities. They gather data from social networks, forums, deep and dark web sites and C&C infrastructure to uncover hacktivism activity and phishing campaigns, as well as malicious traffic.

This intelligence can be used by organizations to enhance staff education and awareness campaigns, and even to configure cyber-defenses to more effectively manage threats. For example, some threat intelligence tools can be trained to proactively hunt down those MitB attacks typical of banking trojans.

Look for tools which also proactively hunt for signs of compromised corporate or customer credentials on the dark web. If the data is fresh enough, there’s a great opportunity to mitigate the fallout of a possible breach before the bad guys have had a chance to monetize their booty.

Threat intelligence isn’t the only thing financial services firms should be doing to resist credential theft. Multi-factor authentication, good password etiquette, restricted account privileges and pen testing of systems are also important. But to get back on the front foot and maximize your cyber resilience, proactive threat monitoring is the best place to start.
