
Banking security: Trends and technology in Covid-19 times and beyond

The Covid-19 pandemic has brought with it new challenges for the global banking industry, not least of all an uptick in virus-related cybercrime.

“Covid-19 scams have become a huge global problem almost overnight,” says Susan Potgieter, acting CEO of SABRIC (South African Banking Risk Information Centre). “Cybercriminals are exploiting the spread of coronavirus for their own gain using ‘coronamania’ panic to spread scams. Coronavirus scams leverage off people’s concerns for their health and safety using social engineering. Spoofed emails offer products such as masks, or fake offerings of vaccines, with links to phishing websites. Because the emails appear to come from reputable companies, people are manipulated into clicking on links or providing personal information, which then ends up in the hands of cybercriminals.”

Cybercriminals are also using SMS phishing, more commonly known as smishing, to trick victims into clicking on links offering information about coronavirus outbreaks in their areas, she continues. “The end goal of the criminal is to steal people’s credentials and details of their bank accounts so that they can impersonate the victim and steal their money. Some of these spoofed emails look incredibly realistic, which makes it difficult to identify them as fakes.”

There is also “phishing”, where they send emails to victims purporting to be from the bank or a legitimate service provider. The email requests the victim to click on a link that then asks them for their PINs or passwords. Potgieter says further that prior to lockdown, the theft of mobile phones, while not a new phenomenon, was also escalating. “People’s personal and confidential information is a valuable commodity for criminals and it’s often to be found on their phones. Phones are, in many instances, equal to a bank card and can act as gateways to people’s bank accounts hence the growth of this particular crime trend.”

She adds: “There are many ways that criminals gain access to the information stored on mobile phones. One is to open all applications; another is by using social engineering to obtain usernames and passwords stored in the cloud. Tactics range from “vishing” where criminals call the victim, manipulate them into believing that they are from the bank and then coerce them into revealing confidential information such as PINs or passwords. Once the password has been compromised on the stolen phone, all other information is available for exploitation.”

Another crime trend is shoulder surfing, which Wikipedia defines as a social engineering technique used to obtain information such as personal ID numbers, passwords and other confidential data by looking over the victim’s shoulder in a restaurant or other public space.

“When a bank client’s mobile phone is stolen, they tend to focus on protecting their photos and social media profiles rather than protecting their money, which plays further into the criminal’s hands. We urge bank clients to also report the theft of their phones to their bank so that their records can be updated accordingly,” says Potgieter.

Banking fraud expected to rise on the back of the pandemic

Kevin Hogan, fraud risk manager at Investec Private Bank, is also expecting an upsurge in fraudulent activity on the back of the Covid-19 pandemic and the resultant increase in employees working from home.

“An unsolicited investment opportunity can often be a scam,” he warns. “During the Covid-19 crisis, some of the ways that we’re seeing fraudsters trying to reach their targets are through cold-calls or unsolicited emails or even a message on social media. Fraudsters may also pretend to represent an established wealth manager, but will ask that you only contact them on a personal email address or number.”

“Secondly,” he adds, “individuals searching for new product offerings online can land on fake websites that are often hard to distinguish from genuine ones. They will often display only one type of product promising a high return, and ask you to leave your contact details to receive an investment brochure.”

“In either case, consumers may be told that because it’s so good, the offer is only available for a short period of time. Individuals may be sent legitimate-looking documentation, and even asked for a passport and proof of address to verify your identity. These may look very genuine, but they are simply elaborate efforts by the fraudsters to gain their victims’ trust. Once a victim transfers funds over, your money and the fraudsters will disappear.”

More than a third of banking malware attacks in 2019 targeted corporate users

According to cybersecurity giant Kaspersky, banking Trojans are among the world’s most widespread criminal tools, accounting for attacks on more than 770 000 Kaspersky users alone in 2019. Further, a third of these attacks targeted corporate users with the intention of gaining access to banking or payment system accounts, or through employee exposure, to compromise companies’ financial resources.

Of the African countries targeted, Kaspersky says Ethiopia’s corporate users accounted for 71 per cent of attacks in 2019, followed by South Africa at 30 per cent. And the numbers are expected to rise on the back of remote working during the coronavirus pandemic, with Oleg Kupreev, security expert at Kaspersky, warning companies not to underestimate “criminals’ desire for stealing money”.

Of particular concern to business security are phishing and malware attacks, continues Kupreev, with detections of the former increasing from 44,7 per cent to 51,4 per cent during 2019.

Amongst the reasons for the growth in banking infections, says Maher Yamout, senior security researcher for the Global Research and Analysis Team at Kaspersky, is outdated software. Malicious programmes that target users’ bank accounts have become more frequent in 2020, he says, with an estimated 34 per cent of South African computers at risk of infection because they are using outdated or unsupported versions of the Microsoft Windows operating system (OS). “Considering that this OS is the most popular software in the world and has a 21.15 per cent market share in the country as at March this year, this reality is a cause for concern.”

He adds: “There is no code without bugs and no program is perfect (which) is why there are security updates – they are meant to find and close potential gaps before threat actors find and exploit them. They are especially important when it comes to the OS (which) is the heart of devices such as laptops, smartphones and tablets. This software ensures that the system performs well and provides the means for people to live in a connected way in this digital era.

“If this ‘heart’ is outdated or unsupported, it is not only the user experience that will suffer, but there is significant risk that sensitive information could become compromised.”

House of cards

Inevitably, an unsupported or outdated OS will contain vulnerabilities that have not been patched, Yamout continues. “As such, malicious users can target these weak points to gain access to the system and all its data. Even worse, if this computer is on a network (as most systems are today), the entire environment risks compromise.”

“It does not matter if an organisation has the best cybersecurity solutions available – if there is even one device running an outdated OS, then the whole company is compromised. This is as much an educational issue as it is a practical one. People are creatures of habit and many are resistant to change, especially when it comes to their OS. Our research shows that in South Africa, five per cent of the unsupported OS market consists of people still using Windows XP (which) frighteningly had its end of life in 2014. Even Windows 7, which was another popular choice for consumers and businesses alike, has seen its extended support come to an end in January this year.”

The rise of the Trojan

The potential damage is not limited to network and data compromise, Yamout says. “With malicious threats growing and becoming more sophisticated, unsupported or outdated operating systems are an easy target for such threats to be a success.”

Mobile banking Trojans, he continues, are the most rapidly developing, flexible and dangerous types of malware. “Imagine having such sophisticated attacks targeting an outdated or unsupported OS. This virtually guarantees that the person will lose a significant amount (if not all) of the funds in their banking accounts. Furthermore, it could compromise others as well, with hackers gaining complete access to their list of beneficiaries.”

With fines for money laundering around the world totalling a hefty $5,7 billion in 2019, financial institutions need to employ advanced analytics to deter crime, says John Edison, vice president of Financial Crime & Compliance Products at Oracle Financial Services. Financial crimes are increasingly more sophisticated as technology becomes more advanced, he warns.

Trends to watch out for

As competitive pressure and customer expectations rise, more and more organisations are turning to technology-based solutions to provide enhanced security and added convenience, says The Brink’s Company, a global leader in cash management services.

Strong consumer demand for cash is driving banks and financial institutions to invest in technologies such as upgraded ATMs which contain features such as smart technology, interactivity and artificial intelligence, Brink’s says. “More banks are transitioning to cash machines that allow customers to access their personal accounts with a mobile phone rather than an ATM card. Cardless machines add convenience for their customers as they never have to worry about losing their cards or forgetting their PINs.”

Additionally, Brink’s continues, cardless ATMs are more secure than traditional ATMs, which are vulnerable to card skimming. Biometric authentication in cardless technologies – fingerprint and facial recognition included – means customers won’t have to use cards or mobile devices to access their accounts, which translates to a higher degree of customer convenience and security.

Brink’s is also anticipating growth in demand for Interactive Teller Machines (ITMs), which, though similar to traditional ATMs, use video conferencing to connect consumers directly to “live” tellers. This “personalised ‘face-to-face’ service, which is available out of standard business hours, comes with the added convenience and security that today’s consumers want.

Cash tracking and reporting

“In today’s mobile environment,” says Brink’s, “businesses and financial institutions have a greater need to manage their cash from anywhere, on any device.”

Accordingly, innovations such as cloud-based reporting and storage platforms that allow for real-time visibility and transacting anywhere in the world, and smart safes with data-driven analytic capabilities that provide greater cash visibility and improved cloud-based portals, are on track for strong consumer take-up going forward.
