The financial services industry in Asia is one of the most heavily regulated sectors, and compliance is often touted as a form of security assurance. However, compliance is just a single aspect of security. Various regulations cover a wide range of issues, but simply implementing solutions or devices to deal with compliance is not enough.
The rising pervasiveness of mobile devices in Asia Pacific and the subsequent rise of Internet banking has resulted in increasingly sophisticated cybersecurity threats. However, according to Telstra’s Mobile Identity Study, 62 percent of financial services executives noted they have not invested enough in identity and security. Less than half of consumers were also satisfied with their financial institution’s security performance since more than a third have experienced identity theft.
With identity theft cases such as the JP Morgan breach and South Korean banks hit by massive credit card breaches last year, and identity fraud resulting in US $16 billion being stolen from victims in 2014, identity theft is quickly becoming a stronger, yet still underestimated threat for the financial services sector.
Rise of attack surface and sophistication
Identity theft has become common among cybercriminals due to an increasing attack surface and the sophistication of attack tools. Today, cyber attacks come through a wider range of vectors. For instance, as many financial services organisations are allowing employees’ personal devices access to corporate networks, Bring Your Own Device (BYOD) enables mobile devices to become a channel for cybercriminals to hide, spread, and steal information by leveraging the credentials of an organisation’s employee.
Another vector can be insecure public-facing web applications that lead to identities being quickly stolen. These include zero-day vulnerabilities that grabbed headlines last year such as Shellshock and Heartbleed. All that's needed is for an organisation to be slow in patching a vulnerability or to lack the right technology to protect its web applications. Once the cybercriminals gain control, they can do whatever they want – from stealing data to using the servers to launch botnet attacks.
This expanded ‘playground’ means cybercriminals have more options when it comes to how they can steal login credentials, and no longer need to depend on keylogging software or database breaches but simply using web injects.
For example, when a user logs into your Internet banking account, they can insert an additional field which appears to be legitimate on the web page with your ATM PIN (automated teller machine personal identification number) to fool both tech-savvy and non-tech-savvy internet banking users. While this happens, a malware can execute a ‘man-in-the-browser’ attack in the background, which is invisible to the host web application.
Other than increasing attack vectors, malware and Trojans today have the capability to steal login credentials via mobile banking applications to access funds in banks and other financial services institutions. Cybercriminals can simply create a mobile application that looks similar to a banking application, and use spear-phishing to steal login credentials. Some malware, like Dyre or Dyreza, directly target corporate banking accounts and have successfully stolen upwards of a million dollars from unsuspecting companies.
Address threats with layered defense, proactivity and strong mobile policies
With insider threat accounting for majority of breaches in the first half of 2015, it is more pertinent than ever that organisation keep pace with today’s fast-moving cybercriminals, companies should implement necessary measures to secure their Internet-facing applications. This should be at the top of their priority list, as that is a natural channel for cybercriminals, who are always looking for opportunities to infiltrate a network. Importantly, jail-breaking devices should also be discouraged, as this typically presents another means for cybercriminals to access networks.
First, an in-depth defence strategy with the use of the right technologies is an imperative. A common misconception held by many is that using technology like a firewall is sufficient to protect an organisation’s networks but this no longer holds true today. Organisations must look at other technologies, such as web application firewalls. Web application attacks are often tuned and created for a particular application, and are missed by traditional security measures.
Even though remediation – fixing things after a breach – plays its role, it pays even more to be proactive in securing your networks. A remediation scenario is reactive in nature and the forensic team traces back the cause of the breach, provides a report, and remediates after the incident. On the other hand, proactively securing your organisation may not catch 100 percent of all attacks, but being able to reduce this from 100 percent to a smaller percentage should still be considered a win.
Lastly, there is also a need to fight against complacency and shed the “it won’t happen to me” attitude, where they see their neighbours getting attacked yet expect to remain fortunate themselves.
Organisations should establish mobile device security policies that define guidelines, principles, and practices for how mobile devices are treated, regardless of whether they are issued by the company or owned by individuals. These policies should cover areas such as roles and responsibilities, infrastructure security, device security, and security assessments.
By establishing security policies, organisations can create a framework for applying practices, tools, and training to help support the security of wireless networks. Training employees on its mobile security policies can also help organisations ensure that mobile devices are configured, operated, and used securely and appropriately.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...