The Importance of Cybersecurity in FinTech and Banking

Cybersecurity · Digitalization

IT and cybersecurity are gaining in importance for many industries, especially for banks and FinTechs. The reasons are increasing requirements for protecting sensitive customer and company data, as well as the heightened risk of becoming the victim of a cyberattack. Effective security management to protect IT infrastructure and important data is therefore indispensable.

Summary

Comprehensive protection is a demanding task and costs the financial sector several hundred million euros every year, with the trend rising. The complexity of IT security continues to increase as a result of digital transformation and is associated with enormous operational risks. Germany must be a pioneer in digitalization if it wants to remain a leader in business and innovation. This digitalization must consider the protection of IT products and corporate networks from the outset and internalize the principles of security-by-default and security-by-design.

Security-by-Default

Security-by-default means that IT products and devices must be delivered to customers in a secure state by default. All security settings must be preset so that the user does not need to make any further adjustments.

Security-by-Design

Security-by-design means that (cyber) security is already a central requirement in the development model. Holistic security measures are considered, implemented, and approved from the initialization stage onward.

Current threat landscape in the financial sector

Cyberattacks in the financial sector can be divided into three overarching categories. For banks, the first two are especially important.


Targeted attacks

Here, for example, a financial institution is attacked directly via vulnerabilities in the corporate network. This type of attack is the most dangerous for banks on an individual level, but it is also the easiest to protect against.

Industry-specific attacks

Banks and FinTechs make a major contribution to the functioning of the economic cycle. A collapse of banking processes or payment transactions would cause massive damage not only to the financial institutions themselves, but also to industrial and service companies, the state, and private individuals.

Broad-based attacks

These have been common for years, for example in the form of fake phishing emails. If banks protect themselves against both industry-specific and individual attacks at the same time, they are usually also protected against broad-based attacks in general.

Types of threats in the financial sector

There is almost no limit to the creativity of cyberattacks. In its 2020 situation report, which was partly written together with the German Federal Office for Information Security (BSI), the Federal Financial Supervisory Authority (BaFin) names different types of threats.


Ransomware

Ransomware is malicious software that locks the victim’s computer or encrypts the data stored on it, making it unusable. Even independently of Emotet, ransomware still ranks among the biggest threats according to BaFin, for companies as well as for public authorities and private users. Complete outages of computers, networks, and even production facilities caused by such attacks create damage worth millions of euros every year in Germany. According to BaFin, attacks are increasingly targeting central service providers, through which their customers or connected networks could then be infected with ransomware.

Emotet

Emotet is a family of malware for Windows systems. Recipients become infected with trojans through attachments in fake emails that pretend to come from a trusted, known sender. As soon as the recipient opens the attachment, modules with malicious functions are downloaded and executed. The BSI further explains that through so-called “Outlook harvesting,” Emotet can send spam emails that look authentic. To do this, the malware reads contact relationships and email content from the mailboxes of already infected systems. It uses this information automatically to spread further. This means recipients receive fake emails from senders they were only recently in contact with. The goal of the attacks is to shut down the victim’s entire IT or even extort ransom payments.

Botnets

BaFin also continues to see a high threat level from botnets. Attackers are taking advantage of digitalization and are increasingly focusing on mobile devices and Internet of Things (IoT) systems. In 2019, up to 110,000 bot infections of German systems were recorded every day and reported by the BSI to the respective network operators for cleanup.

In addition, server-based botnets offer even greater attack potential, especially in light of the increasingly used cloud infrastructures. In fact, one in two attacks is carried out through compromised or fraudulently rented cloud servers.

Malware

BaFin also sees high momentum in the development of malware. Around 114 million new variants were identified from June 2018 to May 2019. In fact, the volume of spam emails has decreased, but the impact of malware is increasing. In addition to attacks on classic office communications, attacks are also spreading into the productive areas of the economy.

The already tense cybersecurity situation is made worse by the helplessness often observed among users when it comes to digital topics, according to BaFin. Attackers deliberately exploit weaknesses in the individual behavior of providers while also benefiting from structurally insufficiently secured products and systems.

Who are we fighting?

When looking at attackers and analyzing them, we need to move away from the image of a cybercriminal as a young man in a bedroom. The “dark side” works professionally and in a division of labor - not for nothing do they cause damage worth millions every year. Especially in relation to the financial sector, the greatest dangers are no longer “traditional crime” but highly professional networks. Today, no physical break-in at a bank is needed. The potential gain for cybercriminals no longer fits into a shopping bag or a van.

The trade in hacking tools and service offerings, also known as CaaS (Crimeware-as-a-Service), has been booming for many years. From botnets and browser exploit packs to DDoS toolkits, everything cybercriminals need for their trade is now advertised, developed, sold, and purchased in the crimeware-as-a-service market. Ransomware can be bought with one-time license codes, support, and a guarantee. These markets pose a major problem because, beyond the attacks themselves, it is often impossible to determine who is behind them or why they were carried out. In addition, the market has huge potential, which cybercriminals do not want to miss out on. The (further) development of new types of threats is therefore in full swing.

DDoS attack

Denial of Service (DoS) refers to the unavailability of internet services that should actually be reachable. This can be caused by servers being overloaded by a concentrated attack. In practice, such an attack rarely consists of a single request. If a service blockage is caused by a large number of targeted requests, this is called a Denial-of-Service attack. If the requests are sent from a large number of computers, it is a Distributed Denial-of-Service attack (DDoS).
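The distinction between a single-source flood and a distributed one is also how a defender tells them apart in access logs: the same request volume either comes from one client or is spread across many. The following added example (not code from the original article) bucket-counts constructed web-server log lines per time window and labels each window as normal, single-source DoS, or distributed DoS. The log format, window size, and thresholds are assumptions chosen for the sample data, not tuning advice for a real deployment.

```python
"""Classify traffic bursts in access logs as normal, single-source DoS, or DDoS.

Added illustration for the DoS/DDoS distinction; all log lines are constructed
and the thresholds below are assumptions chosen for this sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 10          # assumption: bucket size used for rate counting
BURST_THRESHOLD = 20         # assumption: requests per window that count as a flood
SINGLE_SOURCE_SHARE = 0.5    # assumption: top client share above which it is one source
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse 'ISO-timestamp client-ip method path' into (seconds_since_epoch, ip)."""
    ts, ip, _method, _path = line.split()
    seconds = int((datetime.fromisoformat(ts) - EPOCH).total_seconds())
    return seconds, ip


def bucket_requests(lines):
    """Group requests into fixed windows; returns {window_start_seconds: Counter(ip)}."""
    windows = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        seconds, ip = parse_line(line)
        window_start = seconds - (seconds % WINDOW_SECONDS)
        windows[window_start][ip] += 1
    return windows


def classify_window(counter):
    """Label one window by total volume and by how concentrated the sources are."""
    total = sum(counter.values())
    if total < BURST_THRESHOLD:
        return "normal"
    _top_ip, top_count = counter.most_common(1)[0]
    if top_count / total >= SINGLE_SOURCE_SHARE:
        return "dos_single_source"      # flood dominated by one client
    return "ddos_distributed"           # flood spread across many clients


def classify_log(lines):
    """Return [(window_start_iso, label), ...] in time order."""
    result = []
    for start, counter in sorted(bucket_requests(lines).items()):
        start_iso = (EPOCH + timedelta(seconds=start)).isoformat()
        result.append((start_iso, classify_window(counter)))
    return result


def constructed_log():
    """Build constructed sample log lines (not real traffic) covering three windows."""
    lines = []
    # Window starting 10:00:00: light normal traffic from three clients.
    for i, ip in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.5", "10.0.0.7", "10.0.0.6"]):
        lines.append(f"2021-03-01T10:00:0{i} {ip} GET /login")
    # Window starting 10:00:10: one client sends 30 requests, two others one each.
    for i in range(30):
        lines.append(f"2021-03-01T10:00:1{i % 10} 10.0.0.9 GET /api/balance")
    lines.append("2021-03-01T10:00:12 10.0.0.5 GET /login")
    lines.append("2021-03-01T10:00:15 10.0.0.6 GET /login")
    # Window starting 10:00:20: 40 distinct clients send one request each.
    for i in range(40):
        lines.append(f"2021-03-01T10:00:2{i % 10} 192.0.2.{i + 1} GET /api/balance")
    return lines


if __name__ == "__main__":
    for window, label in classify_log(constructed_log()):
        print(window, label)
```

The point of the two-stage check is that a volume threshold alone cannot separate the cases: the second and third windows carry similar request counts, but one can be cut off by blocking a single address while the other needs rate limiting or upstream filtering across many sources.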

Exploit packs

Exploit kits were developed to exploit vulnerabilities on victims’ computers automatically and unnoticed while they are surfing the Internet. Because they are highly automated, exploit kits have become one of the most popular methods for criminal groups to spread malware or remote access tools (RATs) on a mass scale, and they lower the barrier to entry for attackers.

Exploit kits are also very effective when it comes to generating profit for malicious actors. The creators of exploit kits offer these campaigns on criminal underground markets in the form of exploit kits as a service for rent, with the price for leading kits reaching thousands of dollars per month.

Protective measures by European banks

For the global banking industry, cyber risks have become the biggest risk of all. Global networking and digitalization have enormously increased the requirements for protecting customers and banks themselves. In exceptional situations such as the COVID-19 pandemic, these requirements increase even further. Against this backdrop, the rating agency D-Rating conducted a study in 15 European countries. It examined the measures taken by banks and neobanks during the pandemic. The vulnerabilities of both the Android applications and the websites of the 60 banks and neobanks included in the study were analyzed. These included DNS integrity, network security, and disclosed information. The study is a 100% outside-in analysis based on SecurityScorecard diagnostics for website security and Quixxi for Android application security.

In summary, the study highlights shortcomings and inequalities and provides, among other things, the following findings on bank cybersecurity:

  • The security standards used differ greatly from country to country.
  • Swiss banks achieve top scores, Germany and Austria are in the upper middle range, and banks in southern Europe reach the lowest average scores.
  • Neobanks perform better on average on the web than established banks, but they are weaker when it comes to apps.

Solution: prevention, detection, and response

When it comes to cybersecurity, targeted prevention, precise detection, and effective response to cyberattacks are the biggest tasks. The basis for every financial institution should be its own cybersecurity system, which must also be equipped with further protection mechanisms. This guarantees a standardized, high level of security and at the same time allows for targeted responses to system- and group-specific protection requirements.

Numerous authorities also aim, in addition to the individual protection systems of banks, for secure networking of the systems already in place in the financial sector. Only this can create transparency and allow cyberattacks to be met in a targeted, agile, and appropriate way.

BaFin itself explicitly speaks of the need for Europe-wide harmonization. As Germany’s national financial supervisory authority, BaFin considers harmonization and convergence of supervisory requirements for information security at national and European level to be very important. The European Commission and European supervisory authorities are also increasingly committed to harmonizing and converging supervisory standards. This is intended to make a major contribution to strengthening operational digital resilience in the European Union.

By the way: A central element in prevention and protection against cyberattacks is the use of penetration tests. If you want to learn more about the benefits of these tests, find our blog article here. The article also includes an outlook for the cybersecurity field for 2021.

Future development in Europe

In a very tense IT security landscape, both the quality of security systems and the number of cyberattacks are increasing at the same time. A major risk for the state, the economy, and society still comes from the malware Emotet, which the BSI described as the world’s most dangerous malware back in December 2018. This assessment was confirmed by a large number of attacks on universities, hospitals, municipalities, companies, and private users in 2019. Financial service providers were also among the targets, but according to the BSI they were able to fend off the attacks.

In summary, cyber risks are a serious challenge for the entire credit industry, both today and especially in the future. One advantage is the existing expertise of credit institutions in protecting their IT infrastructure. Nevertheless, as BaFin writes, stronger international cooperation is needed to win the technical race against professional cybercriminals in the future as well. Banks, the security industry, and national and supranational authorities must work together.

Could our blog article help you, or do you have questions about cybersecurity for companies in the financial sector and beyond? Feel free to get in touch. We can advise you in detail and connect you with selected experts.

FAQs

What should you know about the current threat landscape in the financial sector?

Cyberattacks in the financial sector can be divided into three overarching categories.

What should you know about the types of threats in the financial sector?

There is almost no limit to the creativity of cyberattacks.

Who are we fighting?

When looking at attackers, we should move away from the image of a cybercriminal as a young man in a bedroom.

Sören Elser

CEO & Co-founder of ElevateX GmbH and your contact for the strategic use of freelancers.