Surveys and studies indicate money management apps are some of the most popular forms of pocketable software these days. About 63% of U.S. smartphone users have at least one financial app installed as we speak.
The easy accessibility of our bank accounts and banking products doesn’t just increase the convenience factor, though—it also substantially enlarges the threat surface for institutions and customers alike. Cybercriminals have a wide variety of tools at their disposal these days to capture customer information. Thankfully, customers and their banks have tools of their own to fight them off.
How Do Hackers Breach Financial Institutions?
According to research, financial institutions like banks are infiltrated by cybercriminals 300 times as often as companies in other industries. So, how do they pull it off?
Ransomware is one of the most enduringly popular ways tech-savvy thieves can make off with ill-gotten funds. Ransomware is typically delivered by phishing emails designed to look like legitimate correspondence from companies or acquaintances. When the would-be victim downloads the ransomware—included in an attachment—it locks them out at the admin level and demands payment in exchange for restored access to their files and operating system.
Some malware variants, including the now-famous NotPetya attacks, don’t even require this level of subterfuge. They simply take advantage of unpatched security vulnerabilities in out-of-date software. Malware is a big worry for individual consumers, obviously, but it’s also a plague on financial services companies directly. It’s estimated that 90% of financial institutions were targeted by malware-wielding cybercriminals in 2017.
The digital age has given us unprecedented convenience, but a few of those conveniences have arrived with big red “targets” already painted on them. This seems to be the case with some kinds of internet-connected equipment used by consumers and companies—or the internet of things (IoT).
A few years ago, a massive breach at Target stores left personal and financial information for thousands of customers up for grabs. After investigating, cybercrime experts determined that the attack was made possible thanks to security vulnerabilities in 55,000 HVAC systems.
This is a textbook example of “convenience at a cost.” IoT lets users network their physical infrastructure together so that data flows between multiple locations and equipment can be operated remotely, but Target provided a necessary reminder that many of these devices aren’t designed from the ground up with security in mind.
The same thing is all too possible on a much smaller scale, as well. Internet-connected webcams are now well-documented as a potential portal for malware-wielding thieves. The same goes for internet-connected doorbells, baby monitors, garage door openers and more. Users of devices such as these are encouraged to subdivide their home network, with one network devoted to IoT traffic and nothing else, and to enable automatic updates so that patches are installed as soon as they become available. Access to your home network means, potentially, access to banking information and account credentials.
How Businesses and Customers Can Combat Financial Fraud
If technology is the tool of the enemy, technology can also be used against them. This is probably why more than 70% of banking executives have chosen to single out cybersecurity technology investments as company priorities.
As the saying goes, an ounce of prevention is worth a pound of cure. Given that the average cost of a stolen identity stands at $1,343 per person in lost assets, this is especially true in the financial sector. That means proactivity is the front line of defense against financial fraud and identity theft.
Most banks help their customers accomplish this by offering card and account monitoring functionality. It’s up to the end user to take advantage, but it’s usually easy to set up. Card monitoring involves sending banking customers an email or SMS alert whenever a new charge appears on their card. Sometimes there’s an option to fine-tune the dollar amount, so alerts don’t get triggered by the daily morning coffee purchase.
Depending on your bank of choice, supplementary services are often available, and sometimes included free of charge, to provide a more robust front against identity theft and financial fraud. Checking account users increasingly have the option to partner with their banks (which in turn partner with services such as Econocheck) to engage in year-round real-time credit monitoring, to secure reimbursement services for fraudulent purchases, and to proactively monitor hundreds or thousands of criminal or dark web databases for appearances of their personal information, Social Security numbers and bank account numbers.
That covers the basics. So, what are some of the more high-tech ways banks may end up protecting their assets and customers against fraud?
Technology lets us “fight fire with fire,” but there are limits. In the United States, it’s illegal for private companies to engage in counter-hacking (“hacking back”) against the entities targeting them. One promising alternative? Some experts are calling for major financial institutions to develop closer relationships with state-run cybersecurity and law enforcement groups.
Such a program already exists to protect defense contractors in the United States. It’s called DIBnet, and it falls under the purview of the U.S. Cyber Command and the Department of Homeland Security. It would take funding and political will to extend this program to financial institutions, but it’s extremely doable. The goal of DIBnet is to facilitate the sharing of classified threat information about private companies doing defense work for the government.
Given the noise the current administration is making about foreign actors engaging in hacking against American assets, this could be a good time to expand our efforts to include other essential institutions and infrastructure.
There are other proposals, too, which would see the government engage in greater levels of talent sharing with the private sector. Some call this approach a “National Guard for cybersecurity,” and it would involve private cybersecurity experts doing temporary work for the government, and the institutions under its protection, for a few weeks per year.
Government is stepping into the fray at the state level, too. Every tax season sees millions of citizens flocking to websites to submit their tax returns online. In New York State, the 2016 tax year was the first to see a new state-level bureaucratic requirement for e-filers: the inclusion of information from their driver’s licenses. It’s a seemingly small change, but it should be useful in stamping out yet another avenue for financial fraud.
The Threat Continues
The Equifax security breach of 2017 was our collective reminder that even institutions that are “too big” or “too essential” to fail often do anyway—and sometimes, in hugely damaging ways. In that event, 143 million U.S. citizens found their Social Security numbers and other extremely personal financial details up for grabs.
Equifax and the other credit-monitoring companies are required by law to provide a free credit report for all users once per year. Users can also freeze their credit for free, or for a small fee, to make sure fraudsters can’t take out loans or apply for credit cards in their names. Again, proactivity is key.
Financial fraud seems like it’s here to stay, but the good news is that companies and individual customers have lots of tools at their disposal for preventing it—or at least for fixing the damage after the fact, should the worst come to pass.