As cyber-criminals compromise two of Canada’s largest banks, is it time to redefine what a good security stack should look like?
The Bank of Montreal and Canadian Imperial Bank of Commerce (CIBC) both announced last Monday that they had been compromised, resulting in the loss of tens of thousands of personal records.
A spokesperson from the Bank of Montreal, the country’s fourth-largest lender, said they believe fewer than 50,000 customers were affected by the incident, although they declined to say whether any customers were impacted financially as a result of the attack.
Meanwhile, CIBC, believed to be the nation’s fifth-largest lender, said it had not yet confirmed the scale of the breach, but said it was taking the claim seriously that more than 40,000 customers from the bank’s Simplii direct banking brand may have been affected.
Both banks are contacting those who have been affected and are providing instructions on how to monitor their accounts for suspicious activity. Further details on the attack method have not been disclosed at this point.
It is interesting to note that criminal motivations appear to be changing when it comes to attacking banks. In the case of the Bank of Montreal, the criminal group reportedly threatened to make the data public. This has long been the method of Anonymous and other politically-motivated groups, but hasn’t historically been a motivation for those targeting financial services (they’ve more often than not either harvested those details for other attacks or simply sold the records on the dark web).
These attacks suggest that bank extortion, as crazy as it may seem, could be a viable way forward for cyber-criminals looking to maximize the financial opportunity.
After all, since it is well known that breached companies often suffer reputational damage, plummeting shares and lost confidence from customers, criminals may place their bets on the belief that some banks would rather pay the money to make the problem go away (even though this is not recommended in any cyber-attack situation, at a personal or organizational level).
In the aftermath of these attacks, the banks said they took steps to enhance security measures after being contacted by the attackers, but it is arguably a case of too little too late. Dr. Ann Cavoukian, the former privacy commissioner of Ontario, poignantly asked in a piece with the Financial Post, “The question that begs is why weren’t you engaging in those measures all along?”
The biggest problem is that organizations are reliant on outdated security tools while cyber-criminal techniques evolve on an almost daily basis.
Just last week, a Carbon Black study of 40 CISOs at major organizations found that criminals are now taking to using useful tools like PowerShell for non-malware or fileless attacks – which are increasingly difficult to detect and thwart. In the same study, 90% of organizations surveyed reported ransomware attacks in 2017.
This of course adds pressure, especially in an industry that is already a top target for cyber-criminals; World Bank data released this year found that customers of financial services already suffered 65% more attacks than any other industry, representing a 29% annual increase.
These figures could also increase given that banks are digitizing their businesses to make services more accessible and easier to use. For example, almost all banks want to provide the opportunity to make transfers via web browsers and mobile applications. But with sensitive personal data residing in these environments – and attracting cyber-criminals – there is little margin for error.
A New Defensive Posture and Approach
Traditionally, organizations relied on web application protection and endpoint tools to protect their customers online, but these can be difficult to manage and intrusive for users. Some fraud detection tools either don’t integrate well, or don’t work at all.
As we have previously discussed, banks have largely given up on protecting endpoints, and have changed how they use fraud detection tools, just relying on them to help them identify when fraud has already happened. What they need to be focusing on now is the transaction itself – where they have the advantage of owning the battleground, and therefore have the ability to render malware useless.
Using this approach, Trusted Knight’s Protected Air prevents both fraud and cyber-attacks, from man-in-the-browser attacks, rootkits and session hijacking to account takeovers and more. This full transaction stack protection intercepts customer-side malware, prevents web app exploitation and stops transactional fraud.