In the first quarter of 2019 alone, there were 1,900 reported breaches exposing 1.9 billion records. The epidemic is hitting all types of companies, but banks, credit unions and financial institutions have been the bullseye for many cybercriminals. According to a report from Insights, more than 25% of all malware attacks, one in four, hit banks and other financial services organizations, more than any other industry, and there were huge year-on-year increases in the numbers of compromised credit cards (212%), credential leaks (129%) and malicious apps (102%). Research from Carbon Black shows that 67% of surveyed financial institutions reported an increase in cyber-attacks over the past 12 months, and that those attacks have become much more sophisticated. Together these reports describe the tidal wave of today’s new digital bank robbery.
After the Breach
These attacks have a direct impact on customers, who have seen their bank accounts drained through account takeovers, identity theft and stolen credit card information. To add insult to injury, researchers at the University of Michigan found that many of the notifications customers receive after their personal data has been stolen in a breach are unclear or difficult to read, leaving consumers confused as to whether they need to take any action at all.
For a financial institution that has suffered a breach, every communication should be understandable to customers: it is the first step towards repairing trust, and it lets the bank become a reliable resource for its customers. Given the sensitivity of the matter, companies are understandably careful not to release unconfirmed information, so as to avoid confusion or unnecessary worry. Too often, though, this produces communications that tiptoe around the potential breach and leave the customer unsure of what actually happened and what their next steps should be. For consumers, any notice of a potential breach warrants immediate action: change the password on the affected account (and on any other account where the same password was reused, since leaked credentials are replayed against other sites) and check accounts right away for suspicious activity. If the company’s communication was not clear, rather than deleting the email and moving on with the day, contact the company and ask: what was exposed? What are the risks? How can customers mitigate them?
Almost 15 billion records, including credentials, passwords and security questions, have been stolen since 2013 according to the Breach Level Index. That means almost everyone in the U.S. has had some piece of information compromised, whether they know it or not. For financial institutions, it means the traditional forms of identification are effectively obsolete: a fact that an attacker can look up in a breach dump proves nothing about who is typing it.
For banks, credit unions and financial institutions, this means relying on tools that do not depend on data an attacker may already hold. If the traditional identifiers have been stolen or compromised, organizations have to turn to leading-edge technologies to identify customers.
90% of attacks start with automation, such as brute-force or credential-stuffing attacks. So it is critical that organizations have technologies that can recognize anomalous automation, or any other kind of fraudulent activity, regardless of whether the credentials presented are valid. For example, a bad actor may be using the correct credentials while connecting from an IP address whose geolocated country does not match where the account is normally used from; that mismatch alone exposes high-risk activity.
Recognizing the customer
With new technologies like passive biometrics and behavioral analytics, customers can be positively identified by their online behavior. It is a matter of building layers of security that also monitor the user’s passive biometrics: how fast a person types, how quickly they tend to flip from web page to web page, how they hold a device and more. These traits are inherent to the user and persist across device changes.
Beyond behavior, connection information (IP addresses, internet service providers and how the device connects into the environment) together with device IDs and device fingerprints can add further context to an online identity. A device ID is a token-based identifier, a unique string assigned to the device; a device fingerprint is derived from device attributes such as model, operating system and browser plug-ins. Neither is proof on its own (a stored token can be cleared or copied, and fingerprint attributes can be spoofed), which is why they are treated as one layer among several. Deep analysis of user agent strings, comparing individual data points against the user’s history, and tracing how the device links back to the user are all ways to make much better decisions.
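The automation check described earlier (valid credentials arriving from an IP whose country does not match the account) and the layers described here, connection context, device fingerprint and passive biometrics, combine naturally into a single risk score per login attempt. The following is an added example written for this page, not NuData’s product code or anything the article specifies; it scores a handful of constructed login events and assumes illustrative weights and thresholds, a 60-second per-IP velocity window, a fingerprint that is a plain hash of a few device attributes, and that the country has already been derived from the IP by a geolocation lookup.

```python
"""Layered login risk scoring over constructed sample events (added example)."""
from __future__ import annotations
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Weights, thresholds and windows are illustrative assumptions, not values from the article.
W_IP_VELOCITY, W_NEW_COUNTRY, W_UNKNOWN_DEVICE, W_BIOMETRIC = 50, 25, 15, 10
DENY_AT, CHALLENGE_AT = 50, 25
WINDOW_S, MAX_PER_IP = 60, 20     # 20+ attempts from one IP inside 60 s looks scripted
Z_LIMIT = 3.0                     # a trait more than 3 sigma from the account's history

@dataclass
class Profile:
    """What the institution already knows about an account (constructed baseline)."""
    countries: set[str]
    device_fingerprints: set[str]
    typing_ms: list[float]        # past mean inter-key intervals on the login form
    page_flip_s: list[float]      # past seconds between page transitions

@dataclass
class LoginEvent:
    user: str
    ip: str
    country: str                  # assumed to come from an IP geolocation lookup
    credentials_ok: bool
    user_agent: str
    screen: str
    plugins: tuple[str, ...]
    typing_ms: float
    page_flip_s: float
    ts: float                     # Unix seconds

def fingerprint(user_agent: str, screen: str, plugins: tuple[str, ...]) -> str:
    """Stable hash of device attributes: a minimal device fingerprint."""
    raw = "|".join([user_agent, screen, *sorted(plugins)])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def zscore(value: float, history: list[float]) -> float:
    """How many standard deviations `value` sits from the account's own history."""
    if len(history) < 2:
        return 0.0
    sd = pstdev(history)
    return 0.0 if sd == 0 else abs(value - mean(history)) / sd

def score_event(ev: LoginEvent, profile: Profile | None, ip_attempts: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Valid credentials deliberately never lower the score."""
    score, reasons = 0, []
    # Layer 1: automation. Attempt velocity from one IP, independent of the account.
    ip_attempts[ev.ip] = [t for t in ip_attempts[ev.ip] if ev.ts - t <= WINDOW_S] + [ev.ts]
    if len(ip_attempts[ev.ip]) >= MAX_PER_IP:
        score += W_IP_VELOCITY
        reasons.append(f"ip_velocity={len(ip_attempts[ev.ip])}/{WINDOW_S}s")
    if profile is None:           # unknown account: no history to compare against
        return score, reasons
    # Layer 2: connection context. Geolocated country not in the account's history.
    if ev.country not in profile.countries:
        score += W_NEW_COUNTRY
        reasons.append(f"new_country={ev.country}")
    # Layer 3: device context. Fingerprint never seen on this account.
    if fingerprint(ev.user_agent, ev.screen, ev.plugins) not in profile.device_fingerprints:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown_device")
    # Layer 4: passive biometrics. Typing cadence and page-flip rhythm versus baseline.
    for name, value, history in (("typing_ms", ev.typing_ms, profile.typing_ms),
                                 ("page_flip_s", ev.page_flip_s, profile.page_flip_s)):
        if zscore(value, history) > Z_LIMIT:
            score += W_BIOMETRIC
            reasons.append(f"{name}_anomaly")
    return score, reasons

def decide(score: int) -> str:
    return "deny" if score >= DENY_AT else "challenge" if score >= CHALLENGE_AT else "allow"

def run(events: list[LoginEvent], profiles: dict[str, Profile]) -> list[tuple]:
    """Score events in time order -> [(user, credentials_ok, score, decision, reasons)]."""
    ip_attempts, out = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(ev, profiles.get(ev.user), ip_attempts)
        out.append((ev.user, ev.credentials_ok, score, decide(score), reasons))
    return out

# Constructed sample data: one genuine login, one replay of stolen-but-valid credentials
# by a script abroad, and a credential-stuffing burst against 25 accounts from one IP.
KNOWN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0"
PROFILES = {"alice": Profile({"US"}, {fingerprint(KNOWN_UA, "1920x1080", ("pdf",))},
                             [180, 200, 190, 210, 195], [4.0, 5.5, 3.8, 6.0, 4.7])}
EVENTS = [
    LoginEvent("alice", "203.0.113.10", "US", True, KNOWN_UA, "1920x1080", ("pdf",), 195, 4.5, 1000.0),
    LoginEvent("alice", "198.51.100.7", "BR", True, "python-requests/2.22", "800x600", (), 12, 0.3, 1001.0),
] + [LoginEvent(f"user{i:03d}", "192.0.2.5", "US", False, "curl/7.64.0", "", (), 0, 0, 1002.0 + i)
     for i in range(25)]

if __name__ == "__main__":
    for row in run(EVENTS, PROFILES):
        print(row)
```

The replay of alice’s valid credentials is denied on context and behavior alone (new country, unknown device, typing and page-flip rhythm far outside her baseline); credential validity never lowers the score, which is the point made about automation above. The stuffing burst is caught only once the per-IP counter crosses the window threshold, so the first attempts pass, a reminder that velocity is one layer rather than the whole defense, and that a real deployment would add signals such as ISP and ASN reputation and the user-agent history the text describes.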
With such an authentication framework in place, financial institutions can significantly cut down on fraud and solidify the digital handshake with customers. Communication with customers is crucial to maintaining trust through hard times, but it is just as important to provide multi-layered security measures that protect customer assets after a data breach.
About the Author
Don Duncan is a security engineer at NuData Security, a MasterCard Company. He is a veteran technologist with many years’ experience working with B2C customers’ technical security needs in the areas of fraud and risk management for industries such as finance, healthcare and telecom. He has previously worked at such companies as MobileIron, VMware and HP, specializing in the areas of mobility, cloud and end user computing.