To meet the all-round banking and financial needs of new-age consumers, the BFSI industry has deployed a range of Internet and mobile solutions. However, the rising reliance on such systems is opening new windows of opportunity for cyber criminals.
The attacks being launched against the BFSI industry are growing more complex. While financial institutions are taking a number of steps to safeguard their IT infrastructure, they continue to be challenged by the pace of innovation and the rising sophistication of the attacks. Traditionally, phishing attacks have been more common, but attackers are now launching new attacks using complex APT, DDoS, and other sophisticated strategies.
The 2015 Internet Security Threat Report from Symantec shows a significant rise in targeted attacks aimed at the BFSI sector. The volume of targeted attacks against BFSI went up from 11.1 percent in 2013 to 17.1 percent in 2014. The report indicates that cyber criminals are now breaching the defences of BFSI institutions by using innovative technologies, which enable them to avoid detection. Ransomware attacks also soared 113% in 2014. The Symantec report also reveals that fake versions of the mobile phone apps owned by financial institutions are being used to make people give up their account details.
P Sitaram, executive director, IDBI Bank, considers DDoS attacks to be the most dangerous threat for the BFSI sector. “DDoS attacks have grown in complexity, volume and sophistication. In such attacks spurious or fake packets are sent to the victim in abnormally large numbers. DDoS attempts to block important services running on victim’s server by flooding the victim’s server with packets. A DDoS attack does not originate from a single host or network, but from multiple hosts or networks which might have already been compromised,” says Sitaram.
He says that IDBI Bank has tied up with an internet service provider for DDoS/DoS mitigation. The bank is working closely with regulators and government agencies like CERT-In and IDRBT to identify such attacks and thwart them in time. According to Sitaram, the security of IDBI’s online banking is achieved through prudent security practices, i.e., security access codes (user ID and password), privacy of data transfer through encryption (SSL-128bit encryption protocol from Entrust), firewalls (which allow customers access to particular services while denying access to systems and databases with classified bank data and information), security of personal information, session time-out, etc.
IDBI Bank uses a two-factor authentication mechanism, via OTP, to ensure that transactions are fully secured. Privacy of customers’ information is secured from internal and external access. The bank has implemented a Data Loss Prevention (DLP) tool to send alerts in case of any leakage of information. It regularly conducts awareness sessions to educate employees about safeguarding customers’ privacy and data. IDBI Bank has also deployed a Data Leakage Prevention tool to check and prevent any data leakages from the bank’s environment.
Arbor Networks has a major focus on DDoS and advanced security threats. “Today’s networks need integrated multi-layered DDoS protection solution, i.e., at the data centres – inline, real-time, always on, DDoS Mitigation for protecting against low and slow attacks, state-exhaustion, application layer DDoS attacks including encrypted services like SSL & TLS. This on-premise DDoS protection integration communication to upstream service provider In-Cloud or Overlay cloud DDoS protection would ensure protection against all types of DDoS attacks,” says Samuel Sathyajith, country manager – India & SAARC, Arbor Networks.
On the issue of advanced threats, Samuel is of the view that they are the opposite of a DDoS attack, as they are not high profile. These attackers target an organisation, study its defences and its people, and look for a quiet way inside, either through a weakness in defence or through an employee. Once the attackers get inside the network, their goal is to stay undetected for as long as possible. Research shows that sophisticated attackers can stay hidden inside a network for an average of 200 days. Once inside, they move around, escalating their access until they ultimately find the information that they are looking for, and then they steal it. These attackers are patient, deceptive and difficult to stop.
Safeguarding Customers’ Data
According to data released by the Reserve Bank of India, the total number of bank accounts in India is around 58 crore; of these, about 2.2 crore bank account holders use mobile banking applications. While mobile banking transactions have jumped from Rs 1,819 crore in 2011/12 to Rs 10,000 crore in 2014/15, there has been a corresponding rise in mobile fraud cases, which have jumped from less than Rs 10 crore in 2011/12 to around Rs 70 crore in 2014/15.
“Security needs to be embedded in the mobile and online payment services with careful design which includes all the intermediaries, their respective processes and technologies. Financial, payment and network service providers need to follow appropriate safeguards and privacy and security governance programs. Industry standards such as PCI-DSS, data privacy controls and Cyber Security controls will not only prevent frauds, but also help in enhancing customer confidence,” says Kunal Pande, Partner – IT Advisory Services, KPMG in India.
Pande of KPMG elaborates on the importance of transaction based security, “In mobile payments solutions it is crucial to keep in mind that a number of customers may be using ‘rooted’ devices, which if not considered in the design of security solution can render the same as under-effective. The use of two-factor authentication, end-to-end encryption of the channel, leads to effective identity authentication for the consumer and higher identity assurance to the merchant and the bank.”
“It is crucial to understand the security features available in new mechanisms. For example, in case of NFC transactions, protection from transactions originating from unauthorised users or bogus mobile phones can be accomplished by use of dynamic card verification values (CVVs). NFC chip-enabled mobile phones support dynamic CVVs as compared to the static CVVs used on chip and magnetic stripe cards. The transactions from a bogus mobile phone will be rejected as it will not have the CVV,” adds Pande.
Arnab Kumar Chattopadhyay, Senior Technical Director, MetricStream, says, “Critical security risks facing customers using online and mobile banking include identity theft and malware related losses via clone sites in which users reveal sensitive information to websites created by cyber criminals in order to gain access to user accounts.”
“The best practice for customers is to become more vigilant and aware. Multi-factor authentication systems, systematic bank account monitoring, deployment of a personal firewall and using verified and secure sites can reduce the chances of falling prey to cyber-attacks,” adds Chattopadhyay.
Dr Sriharsha A Achar, CISO, Apollo Munich Health Insurance, says, “It is important to develop a security culture in the organisation by sensitising the employees to the security risks. Many people don’t realise that the root cause of cyber security breaches is the user himself. We need to relook at the organisation-wide information security programs, which provide a framework for ensuring that the risks are understood and that effective controls are selected and implemented.”
Beyond Detection And Prevention
The competition in the BFSI sector is ensuring that the traditional industry players have to innovate constantly to meet the emerging demands of the market. There is a constant quest for low cost, secure and reliable financial services. But when the pace of change is high, and there is acceleration in the processes for new product developments, the issues related to security can lag behind.
According to Anmol Singh, principal research analyst, Gartner, “The rise of mobile banking, mobile payments and cloud computing has magnified the threats. The main problem is that there is a continuous lack of customer awareness on information security issues. Visibility of the critical infrastructure and operations outsourced to external third-party service providers and management of third-party risks are other major security challenges for the banking industry.”
Vic Mankotia, vice president, Security and API Management, Asia Pacific & Japan, CA Technologies, asserts that Reactive Security is a big market for providers of the protection systems. “The best solution for detecting insider threats includes identity and access management (IAM) coupled with information protection which enable CISOs to draw up a comprehensive program to reduce insider threats. The way people communicate, collaborate and do their business in the digital world is changing. It is highly imperative today to ensure that the ‘Security of No’ has to become the ‘Security of Know’,” says Mankotia.
In a world where data breaches have become a major risk for companies, general insurance companies must offer cover against the financial losses that arise from cyber threats. In India, there are at least three general insurers that are already providing insurance against data breaches. Indian banks are seeking insurance against online transactions, including those involving credit cards, as there is a rise in the use of plastic money. Insurance policies in previous years did not cover computer-related frauds, but since there has been a rise in mobile banking, most banks are willing to complement these insurance schemes.
Combating New Age Vector Threats
According to the “State of Financial Trojans Report” by Symantec, India ranked fifth highest amongst countries with the most financial Trojan infections in 2014, up from rank seven in 2013. The same report highlighted that around 1467 financial institutions in 86 countries were targeted with financial Trojans and that the stolen bank accounts were sold for 5-10 percent of the balance value on underground cybercrime forums.
Symantec has recently detected a new financial malware, the ‘Dyre’ Trojan, which is now regarded as one of the most dangerous financial Trojans. This Trojan had been configured to defraud customers of more than 1,000 banks and other companies worldwide. While financial institutions in the USA and UK are most targeted, India ranks 6th globally and 2nd in Asia for Dyre infections. The danger lies in the fact that financial malware has evolved to bypass newer security measures, such as two-factor authentication (2FA) and mobile banking.
As threats continue to rise, the financial institutions are forced to opt for a vendor who can serve beyond just providing an array of products for fighting cyber criminals. Shrikant Shitole, managing director, India, Symantec, says, “Cyber criminals are using Trojans to commit large scale financial fraud. They are targeting institutions and high profile targets across the globe. Platforms like bitcoin and mobile payment systems are the new targets for these cyber criminals.”
Chandra Sekhar Pulamarasetti, Co-founder & CEO, Sanovi Technologies, believes that Business Continuity and IT Disaster Recovery constitute the most important components of the security framework for banks and financial institutions. While security solutions are deployed for threat detection and prevention, these solutions are never foolproof and organisations have to deploy effective business continuity solutions to deal with the threat impacts and IT outages.
Sajan Paul, Director Systems Engineering – India & SAARC at Juniper Networks, says, “The average age of the Indian population will be 29 by 2020—this young generation will need internet banking as a primary banking option. But internet banking and consumer security awareness must go hand in hand. From the technical standpoint, multi-factor authentication should be mandatory to deter standard attack vectors.”
Every year, several organisations fall victim to some kind of cyber attack, and many even struggle to detect, assess and respond to these threats. All it takes is a single click on a malicious link by an employee to let a cyber criminal enter the network. And once the security of an organisation is compromised, it may take months to eradicate the threat completely. In such a scenario, organisations should always make sure that their cyber defense system is well equipped to keep pace with the ever-evolving threats.