Funding for cybercriminals in financial services

In 2017, financial fraud losses across payment cards, remote banking and cheques totalled £731.8 million, with losses due to unauthorised remote banking fraud reaching £156.1 million, a 14 per cent rise on 2016. It is well known that banks and financial service providers are some of the biggest targets for cybercrime, which consequently means they carry the biggest bill to reimburse those losses. Unwittingly, banks have become involved in providing a cash cow for cybercriminals, which has spiralled to such a degree that any solution will have to be potent to have an effect.

Instances of fraud suffered by financial services are still growing incrementally year on year, and so is the offering of security products, all claiming to be the solution, with no reduction in loss. In fact, banks spend on average three times more than non-financial institutions on cyber security, with no real effect; this points towards a serious problem. The reality is that security and anti-fraud software aren’t working together, leaving a vulnerability open to be exploited, and financial loss to be faced. This situation has been escalating for years, with the security industry doing little to combat this futility in its offering.

As banks have been trying to defend their systems with very little success, this has led to a malaise within the financial sector. It is now expected by financial institutions that fraud will occur, and they therefore suppose that the only solution is to insure against this inevitable vulnerability and claim when a loss is made. Banks currently take the hit: they simply settle the stolen money with the customer who has lost their cash, instead of being able to stop the criminal activity. This cycle means criminal activities ultimately go rewarded, and consumers end up paying incrementally through insurers. This forms a tacit acceptance by banks and financial institutions, which effectively encourages criminality through inaction.

However, it is not only the banks themselves that tolerate, and even expect, this kind of activity; consumers demand no better. This expectation has also filtered through to the consumer, and so the relative security of each of the different banks is not a factor for the average consumer when choosing which bank to hold an account with, as total protection is viewed as an unreasonable expectation. There is no focus on the relative security of different banks and how they compare to each other on security measures; competition is not affected by the security of where your money rests. We expect to be hacked, and then we expect to be reimbursed, so the cycle continues.

This is not the case for other industries. Research from this week shows that, whilst an individual DDoS attack can cost an enterprise up to $50,000, the vast majority of security professionals viewed loss of customer trust and confidence as the most damaging consequence of a DDoS attack. If a company’s systems are compromised, its reputation will suffer, which will in turn impact its bottom line. Banks, however, have no such incentive, as consumers will not go elsewhere when they learn of a hack; it is just too common. Where would they go? Hacking and loss is supposedly inevitable, but it doesn’t have to be tolerated to this extent.

Ironically, banks have become less secure due to improving the experience for the customer. As banks become more dynamic in how they interact with customers, including different apps and platforms to access support and services, the points at which the systems are vulnerable also increase. More than four in ten banks predict the overwhelming majority of their customers will be using mobile banking in three years. More endpoints mean more weaknesses, and trying to protect each customer’s multitude of devices individually is most certainly a losing game.

The UK’s cyber security landscape is broken, allowing criminals to profit whilst consumers pay. Security companies are well aware that the products they are selling to banks are snake oil: multiple different products to solve the same problem, none of which will be totally effective. This is a damaging cycle of activity that requires action to beat; only when we start to expect different behaviours as standard practice will change occur.


Sourced by Trevor Reschke, head of threat intelligence, Trusted Knight.
