With the rapid diffusion of online banking services — and the growing number of cyberattacks against them — financial institutions are finding it necessary now more than ever to enhance their online banking security. But who are the hackers responsible for these threats, and what's their motivation? Here's a closer look at the principal categories of attackers who pose threats to online banking security, and the tactics, techniques, and procedures they're adopting.
Who's Responsible?
Most hackers can be classified into one of three categories:
- Cybercriminals. These are financially motivated attackers who threaten banks with the primary intention of stealing money from targeted accounts.
- State-sponsored hackers. These attackers are motivated by their governments. They go after banking systems, which are part of a nation's critical infrastructure, with the intention of interfering with the vital operation of a targeted state.
- Hacktivists. These criminals express political dissent with a hacking campaign. A hacktivist may, for example, use an attack to protest the support a financial institution offers to a government or private company.
Unfortunately, these attackers have numerous weapons in their arsenal, with malware-based attacks and phishing included among their most common schemes.
What Are They Doing?
During the last five years, the number of attacks that stem from the diffusion of a malicious agent (such as the popular Zeus Trojan) has grown at a fast pace. A number of factors have contributed to this troubling growth, including the availability of malware program source code in the underground, hackers' refined abilities to evade obstacles, and the increased popularity of Crime-as-a-Service in the criminal ecosystem.
In analyzing malware-based attacks, security experts consider the "man in the browser" attack to be the greatest threat to online banking security. This method merges social engineering tactics with the use of proxy malware that infects a browser, exploiting vulnerabilities on a targeted PC. Once the code in the browser has been compromised, attackers can modify the content of a banking transaction or use victims' information and identities to secretly complete transactions without their knowledge.
Other attackers will turn to watering hole and distributed denial-of-service (DDoS) attacks. In watering hole attacks, hackers inject malicious code into the pages of a bank's client-facing website. In these situations, hackers use server-hosted exploit kits to compromise the visitor's computer and gain control over it. In DDoS attacks, hackers use several compromised machines to flood a system, making it unavailable to its intended clients.
Growing Concerns for Cloud and Mobile
The security industry is observing a growing number of attacks against banking services that rely on cloud infrastructure and mobile platforms. Mobile platforms are fast becoming privileged targets for cybercriminals, who are drawn by apps' lack of security: A study the United States Computer Emergency Readiness Team (US-CERT) conducted on popular Android applications found that the majority of assessed apps were affected by security flaws. Many mobile applications fail to properly validate SSL certificates, one of the principal mechanisms banks use to protect their customers.
Unfortunately, the use of Secure Sockets Layer (SSL) certificates cannot protect users from being tricked into visiting bogus websites. Security firms have uncovered numerous attacks based on fake SSL certificates that were used to impersonate online banking websites. These fake certificates could be used to run man-in-the-middle attacks against the affected companies and their customers, a technique that allows hackers to decrypt legitimate traffic before re-encrypting it and forwarding it to the banking website.
Some mobile apps implement the technique known as certificate pinning to automatically refuse connections to sites that present fake SSL certificates; however, a recent study evaluated the security of 1,000 of the most popular free apps offered on Google Play and revealed that 68 percent don't check server certificates. In addition, 77 percent ignore SSL errors.
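The pinning check described above, sketched in Python as an added example (it is not code from this article or from any app it mentions). The names `fingerprint`, `pin_matches` and `open_pinned`, and the sample byte strings, are assumptions constructed for illustration; normal chain and hostname validation stays enabled and the pin is an additional check on top of it.

```python
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

# Constructed stand-ins for DER-encoded certificates (not real certificates).
TRUSTED_DER = b"constructed stand-in: the bank's genuine certificate"
FAKE_DER = b"constructed stand-in: a fake certificate for the same hostname"

def fingerprint(der_cert: bytes) -> str:
    """Base64-encoded SHA-256 digest of the DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")

# Pin set shipped inside the app; computed here from the constructed sample.
PINS = {fingerprint(TRUSTED_DER)}

def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True only if the certificate's fingerprint equals one of the pins."""
    actual = fingerprint(der_cert)
    return any(hmac.compare_digest(actual, pin) for pin in pins)

def open_pinned(host: str, pins: Iterable[str], port: int = 443,
                timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with full TLS validation, then enforce the pin before use."""
    # Default context keeps chain and hostname checks on; SSL errors are
    # never ignored, they abort the connection.
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    # A fake certificate that still chains to a trusted CA is rejected here.
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls

if __name__ == "__main__":
    print("genuine accepted:", pin_matches(TRUSTED_DER, PINS))
    print("fake accepted:", pin_matches(FAKE_DER, PINS))
```

Because this sketch pins the whole certificate, the pin changes every time the certificate is renewed, so the pin set needs a backup entry for the replacement certificate before rotation.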
According to experts at the US-CERT, the reuse of flawed code and vulnerable libraries are two major causes of app vulnerabilities, but customers' bad habits pose the greatest threat to online banking security across platforms. Today, tricking users into opening an unsolicited email is still the most effective way to threaten their security. It's the responsibility of banks and their customers to adopt secure mindsets, update their software, and protect themselves from the next hacker's trap.