Online banking has steadily evolved to represent an ever-richer, more highly concentrated, and more easily penetrated target for attackers. A recent Aberdeen (mainly USA-based) report looks at how banks must be more proactive on the front-end, consumer side of fighting fraud.
Fighting Fraud in Online Banking
Business Context: Online Banking Has Evolved to be an Ever Richer, More Highly Concentrated Target for Crime and Fraud
From the attacker’s perspective, online banking has steadily evolved to represent an ever-richer and more highly concentrated target – which means that the corresponding increases in cybercrime and financial fraud in this area can hardly come as a surprise, particularly to the line of business leaders responsible for managing these risks.
As online banking has emerged and matured:
• The targets have consolidated – i.e., the total number of financial institutions has been reduced by roughly half
• The targets have gotten richer – i.e., the total value of insured deposits has increased by roughly 2.5 times
Between 1994 and the beginning of 2015, the average value of Federal Deposit Insurance Corporation (FDIC)-insured deposits per institution increased by a factor of about 5 (Figure 1). Meanwhile, the number of people banking online has grown to more than half of all US adults.
Technical Context: Online Banking Has Also Evolved to Become a More Easily Penetrated Target for Cybercrime and Online Fraud
Simultaneously with the growth and concentration of the potential payoff for criminals and fraudsters over the last 20 years, disruptive changes in information technology over the same time period have resulted in online banking also becoming a more easily penetrated target for cybercrime and online fraud.
Rapid adoption of mobile devices in recent years has only exacerbated these technology issues. In an April 2015 study on smartphone use in the US, for example, Pew Research found that nearly two-thirds (64%) of US adults now own a smartphone – up from just 35% in 2011. Of these, about 3 out of 5 (57%) have used their phone to do online banking in the last 12 months.
By any measure, cybercriminals and fraudsters are certainly taking advantage of these ripe conditions, and at a significantly large scale. Entering 2015, for example, the Anti-Phishing Working Group (APWG) was observing roughly 50,000 phishing attacks per month (the precise number varies from month to month, depending on the attacker campaigns active at the time), nearly two-thirds (64%) of which targeted the United States. Among phishing campaigns against US banks, fraudsters were non-discriminatory in the sense that they attacked not only the large national banks (58% of the total volume), but also regional banks (25%) and credit unions (17%). No institution is immune (see Figure 2).
The pace at which new information technologies are being introduced – as well as the correspondingly rich and complex array of information security technologies that are available to choose from – has become faster than many organizations can keep up with. On the one hand, the result of such technical innovation has directly enabled the positive, rewarded risks of online banking. On the other hand, it can be painfully difficult for any given organization to sort through all of the unrewarded risks related to online banking, and to make the necessary choices for the mix of security controls that represent the best fit for their specific context, both business and technical.
What Are Banks to Do? The Facts Suggest Four Places to Focus
In Aberdeen’s view, the facts and trends suggest that there are four places where financial institutions should give some additional focus, and work to disrupt the attacker lifecycle:
• Users – banks should authenticate users and their patterns of behaviour to distinguish between normal and abnormal, protect users against phishing, and sustain ongoing education for users about safer online behaviours.
• Devices – user PCs, web browsers and mobile devices may or may not be properly patched and updated, and may or may not have foundational security protections in place. Banks can proactively help to remove existing crimeware, and to identify and prevent attacker attempts to install new crimeware.
• Data – banks can proactively help to protect account details, user credentials and contact details on user devices, and monitor patterns of behaviour to detect attacker attempts at impersonation and account takeovers.
• Applications – banks can monitor patterns of behaviour to help detect attacker attempts at impersonation and account takeovers, and should take additional steps to secure their portfolio of consumer-facing applications by managing not only what might be (i.e. vulnerabilities and threats), but also what actually is (i.e. active attacks).
These four areas provide a simple framework for establishing basic solution selection criteria. See Table 1.
Summary and Key Takeaways
• From the attacker’s perspective, online banking has steadily evolved to represent an ever-richer and more highly concentrated target for cybercrime and financial fraud.
• In the 20 years since the launch of the first commercial web browser, the total number of financial institutions has been reduced by roughly half, the total value of insured deposits has increased by roughly 2.5 times, and more than half of adults now bank online.
• These trends in online banking have worked in favour of the fraudsters, in the sense that they have been provided with the opportunity to develop even more focused campaigns, with the potential for an exponentially higher return on exploit.
• Disruptive changes in information technology over the same time period have resulted in online banking also becoming a more easily penetrated target for cybercrime and online fraud. Rapid adoption of mobile devices in recent years has only exacerbated these technology issues.
• Such technical innovation has directly enabled the positive rewarded risks of online banking – but it has also made it more difficult for financial institutions to manage the unrewarded risks of security, privacy and regulatory compliance.
• In Aberdeen’s view, the facts and trends suggest that there are four places where financial institutions should give some additional focus and work to disrupt the attacker lifecycle: users, devices, data and applications.
• For financial institutions that are considering proactive investments in fighting online fraud, these four areas – along with the high-level technical capabilities that correspond to the risks that need to be addressed – provide a simple framework for establishing basic solution selection criteria.
• Perhaps the biggest change in recent years is that the rapid growth in cybercrime and online fraud has made it impossible to manage the risks of security, privacy and regulatory compliance in the traditional, “business as usual” manner – i.e., as predictable costs that can simply be incorporated into annual business plans. From the institutional perspective, the risks of fraud in online banking are becoming unaffordable – while from the societal perspective, the risks of fraud in online banking are becoming unacceptable.
The time has therefore come to take action.
Aberdeen Group has been an international research partner of Nebula since 2010. With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.
Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.
Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za.