Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Attacking the Organism: Financial Services

When it comes to high-value assets, few industries can come close to financial services. It’s not just the obvious fact that banks are giant warehouses of money—banks represent critical pieces of infrastructure that entire economies rely upon. 

When it comes to high-value assets, few industries can come close to financial services. It’s not just the obvious fact that banks are giant warehouses of money—banks represent critical pieces of infrastructure that entire economies rely upon. 

And while the likes of George (don’t call him Baby Face) Nelson may have made a decent living robbing physical cash from small banks back in the day, digital transformation has opened the door for thieves to pull off some dramatic heists in the modern era.

Some of today’s largest financial institutions have more app developers than bankers. The way these companies interact with customers is by providing application experiences, since fewer and fewer customers want to actually venture into brick and mortar branches. The issue is complicated further by the fact that most banks are decades-old institutions, meaning they may be working with a range of technologies developed over the past 30 years.

This explosion of apps is a critical factor in such a security-dependent industry, creating a wealth of new insertion points for attacks. When customers use a banking app on their phone, there’s the app on the device, interacting with systems in the cloud, transmitted over networks, passing through all the traditional soft spots along the way. Recent reports indicate that half of banks say they’ve experienced data breaches or system downtime. As advanced as security is in the financial industry, clearly there’s still some catching up to do.

Another big problem is simply the range of motivations for attacking large financial services companies. Attacks like Operation Ababil illustrate that the CHEW involved in financial services goes well beyond simple theft. In that case, a hacktivist group most likely sponsored by Iran was seeking to cripple the U.S. financial system and hit the country in its pocketbooks. The attack was in response to a politically charged film released on YouTube by someone who had no affiliation with any financial institution. 

In other attacks the motivation is less clear. In July 2019, a 33-year-old Seattle resident was arrested for compromising millions of accounts belonging to Capital One. The suspect had worked for Amazon Web Services, where the data was held, so may have had some insider knowledge to facilitate the attack. But the attack itself was due to a misconfigured service outside AWS. 

Though millions of records were compromised, including account and Social Security numbers, none of them appears to have been used for financial gain. In a press release, the company said damages could top $100 million, even though the motive for the attack remains unclear. 

And then of course there’s pure theft. The lure of a big haul has always tempted would-be bank robbers, and tales of pulling off such a heist have inspired Hollywood movies. Back in 2016, a hacker group might have gotten away with upward of $1 billion if it weren’t for a few mistakes along the way—and even so, they ultimately pulled $81 million out of the worldwide SWIFT system for funds transfers.

In that case the hackers used legitimate SWIFT credentials of Bangladesh Central Bank employees to initiate a series of large transfers. $81 million was sent to accounts at Rizal Commercial Bank in the Philippines, where it was then credited to several accounts at casinos. 

By the time investigators tracked it down, all but $68,000 had been withdrawn, disappearing without a trace. Questions remain about how the SWIFT credentials were obtained by the hackers, and whether it may have been an inside job.  

In another case in 2017, hackers used a DNS hijacking scheme to attack a major Brazilian institution. The group changed the DNS registrations for all 36 of the bank’s properties, rerouting all traffic to a counterfeit site that exactly replicated the bank’s online services. For five to six hours, the hackers controlled all of the bank’s operations, including ATM machines. The shutdown was so complete that the bank couldn’t even email its customers to alert them of the breach. 

All this goes to show how crazy the security picture is for financial services companies. For a bank, many of its app security insertion points have direct access to online banking. Thus, their online banking becomes only as secure as the devices used by all the people accessing it. And when it comes down to an inside job or a nation state, things get much trickier. 

Ultimately for financial services, the potential rewards for attackers are so great, and the attack surface so large, the industry will need advanced machine learning and artificial intelligence techniques to take the next step against today’s would-be cybergangsters. The industry must raise the bar for attackers so high that they don’t even try to jump over it, focusing on lower-value targets instead. 

AI systems should be able to examine the entire chain of custody of sensitive data across the landscape, looking at individual behaviors such as signing into an account from a specific device, all the way up to a macro view of the entire infrastructure. 

The ability to look deeply into user and system behavior and identify the smallest anomaly—and then correlate, make inferences, and challenge suspicious activity—will become the essential toolkit to stem the tide of fraud and theft in this highly targeted industry.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...