Best Security Practices for Digital Banking

Online banking is nearly universal in 2023. No more long lines at the credit union, late-night ATM trips, or waiting for a check to be cashed. Digital banking has revolutionized the financial industry and the way we do business as a whole. 

However, it has also indelibly increased the risk of cyberattacks, social engineering scams, and online compromise to the financial community. 

Here are some of the top risks facing the industry today, along with current best practices for keeping financial transactions secure. 

Top Threats Facing Financial Institutions

The Verizon 2023 DBIR notes that this year, 95% of attacks are financially motivated. It’s true; all organizations have money to steal. But that doesn’t keep banks, credit unions and other financial institutions from being a particularly tantalizing and lucrative target.

Here are some of the top cyber threats financial services organizations need to watch out for in 2023:

1. Exploited Vulnerabilities | From websites to banking apps, vulnerabilities can leave the financial sector at risk when a CVE goes unpatched or an undiscovered weakness gets discovered by the wrong side. Once the vulnerability is found, a typical exploit kit will often download a malware payload designed to give threat actors remote access to the system. In fact, the National Credit Union Association noticed a recent rise in cyberattacks as a result of a number of critical vulnerabilities being exploited. 
2. Stolen/Compromised Credentials | The Verizon 2023 DBIR notes that stolen or compromised credentials are to blame for no less than 50% of all breaches, including those involving financial services. However, the impact of a breach is much higher for finance firms; it costs them approximately $5.9 million per data breach, 28% higher than the global average. 
3. BEC Attacks | By its very nature, high-target industries like finance and insurance are particularly susceptible to instances of Business Email Compromise (BEC), or “CEO Fraud.” BEC scams typically involve a request from a seemingly known source requesting a financial transaction, like a wire transfer. According to the Financial Services Sharing and Analysis Center (FS-ISAC), BEC crimes saw a 300% increase in 2022. Per recent FBI Internet Crime (IC3) Reports, BEC is the most lucrative online scheme several years running. The FBI 2022 Internet Crime Report notes that total losses originating from BEC equaled $2.7 billion dollars last year, dwarfing ransomware’s $34.3 million by a magnitude of 78 times.
4. Ransomware | Ransomware payouts are getting higher, and financial institutions are feeling the pinch. According to the 2023 DBIR, the median cost to victims has more than doubled in the past two years. Threat actors consistently pursue the industries with the highest payouts and, consequently, the most to lose. This is why finance firms consistently make the list as one of this year’s hardest-hit industries, as the 2023 DBIR states. According to research by Comparitech, financial services has lost over $32 billion in just the last five years.
5. Third Party Vendor Breach | According to a recent survey by fintech provider CSI, third-party vendor breach (or supply chain compromise) was among the top five cybersecurity concerns of bankers this year, with 15% ranking it as the top. A 2023 World Economic Forum report stated that a full third of organizations have been “collateral damage” in a third-party cybersecurity incident, and KPMG research shows that 76% of CISOs now value the security of their partner ecosystem as much as their own. 
6. Basic Web Application Attacks | This year, basic web application attacks, miscellaneous errors and system intrusion accounted for 77% of all breaches in the finance and insurance sector. “Basic web application attacks” means non-sophisticated, lower-level ploys that could easily have been prevented by better basic controls. These include fuzzing, cross-site scripting, injection attacks, brute force credentialing, and other low-hanging cybercriminal fruit. 

Unique Challenges of Online-Only Banks

Given the hybrid models in use by banking institutions these days, all banks are facing similar issues as they scramble to offer app-based banking and digital service models. However, this convenience comes with a price. 

1. Online-only banks are seen as less secure. Though reputable online banks are insured just like their brick-and-mortar counterparts, there is still distrust around banks that don’t have a physical Main Street component. Recently this came up with Silicon Valley Bank, one of the biggest, most trusted financial institutions among tech entrepreneurs and an online-only bank. The fact that 85% of their deposits were not insured cast a pall over the online banking community as a self-fulfilled bank run caused the FDIC to take control of assets.
2. Larger technology stack, larger attack surface. An additional challenge is that the more assets you have in cyberspace, the more at-risk you are of a cyberattack. In one instance, a virtual bank attracted a higher-than-anticipated amount of traffic as the result of a promotional campaign. While this would typically be good news, in this case it backfired, causing system capacity issues at a time when the bank needed the business the most. It’s a numbers game, and the reliance on sprawling technology stacks could lead to higher chances of DDoS attacks, latency, and supply chain attacks. Whether you lose money by paying a ransom sum or by losing business, the bottom line is still the same.
3. Cryptocurrency is online and uninsured. Typically, the FDIC insures up to $250k of all money deposited into a federally insured bank account. However, this protection does not extend to crypto assets (or, for that matter, stocks, bonds, commodities, money market mutual funds, and other types of securities). This lowers trust and participation in online-only financial institutions that deal in cryptocurrency and makes investing in the decentralized currency all the more risky. However, banks that are crypto friendly have been warned of this risk and it is up to investors to stay aware. 

The distinct challenges of online banking and the institutions that support it essentially equate to a pseudo-Wild West environment for a lot of the industry. If your money is lost, stolen or pilfered, there’s no guarantee that you’ll get all of it back. That’s never a good line for banks to give their customers, but risks are risks and rules are rules. So how do you protect what the laws and human nature can’t?

How Financial Institutions Can Protect Themselves

The answer lies in being prepared. While financial institutions might be tempted to place the bulk of their focus on next-generation security models that combat advanced security threats, solid security protocols in basic places could go miles in preventing financial service cyberthreats.

As financial service firms are left to take matters into their own hands, a bullet-proof offensive security strategy (and some sort of outside cybersecurity insurance) can help close the gaps and secure business. 

Follow Compliance Regulations

Proactive security can also aid adherence to compliance regulations like SOX, PCI DSS, GDPR, and more. 

• For example, SOX compliance requires an annual audit to ensure sensitive financial data is properly secured. Proactive techniques like penetration testing and red teaming, performed throughout the year, can help organizations comply with the SOX policies of tracking and resolving attempted data breaches and securing data against possible tampering. 
• They can also aid PCI DSS compliance by testing the efficacy of the 12 primary requirements, and actively enabling one in particular; number eleven, to regularly test security systems and processes.
• Any financial firm doing business internationally in Europe must comply with GDPR, and proactive security measures like penetration testing help to ensure that all necessary security controls are in place to secure GDPR-protected data. They also provide additional in-depth insights into customer and organizational data and offer continuous auditing of incoming technologies, systems, and applications for GDPR compliance.

Implement Effective Offensive Security Strategies 

• Vulnerability Management| Vulnerability management lays the foundation for the rest of your offensive security program, helping you assess risks with intelligent scanning from BeSECURE. Additionally, most financial institutions have their own web apps, which can be a source of exposure that should not go overlooked. They may warrant a tool like BeSTORM, Dynamic Application Security Testing solution, which can test applications using the same techniques as a cybercriminal, without access to the source code.
• Penetration Testing | With Core Security’s Core Impact, security teams of varying experience levels can conduct advanced penetration tests. Guided automation and certified exploits ensure your systems are being tested with the same tactics used by attackers today. Need an outsider’s perspective? Core Security’s penetration testing services can assess your environment, testing your access controls and exploiting vulnerabilities to give you a clear path to remediation.
• Red Teaming |Core Security’s Cobalt Strike employs the same advanced tactics used by sophisticated real-world adversaries today. A powerful threat emulation tool, it mimics the actions of a long-embedded threat actor and puts defenses to the test with a dynamic post-exploitation agent and adaptable C2 framework. Additional red team readiness can be provided with Outflank Security Tooling (OST), a red teaming toolset that focuses on stealth and evasion for every step of the attack kill chain. Involved with the creation of the Threat Intelligence-based Ethical Red Teaming (TIBER) framework from its inception, the Outflank team not only tests the capabilities of your financial technologies, but the mettle of your team under pressure.

Online banking is a feature of the modern era, and unfortunately, so are persistent cyberattacks. Financial institutions don’t want to face these ongoing threats unprepared. With a proactive security strategy and the right tools in place, they won’t need to.