Due to the quick rise of digital technologies, every industry is evolving, including banking security. In the early 2000s, it was difficult to imagine that we would rely on apps for work, entertainment and, particularly, banking. Today, people all over the world actively use web interfaces. At the same time, banks integrate mobile applications for even higher convenience. Physical branches and telephony slowly give way to more innovative interaction options.
Despite the numerous benefits that come with digital apps, the financial sector faces new challenges, mostly in the field of cyber banking security. Aria, citing Gartner, notes that worldwide spending on enterprise software protection will grow to $124 billion by the end of 2019. At the same time, users prioritize cybersecurity measures: in 2017, 80% of American respondents considered this defense very important.
DICEUS experts often work with different banks from the USA, the Middle East, Ukraine, and other regions. We design custom solutions for them, so we have to conduct proper risk management with the highest level of safety. To help clients, we provide comprehensive consultations. In this article, we have gathered the most important information related to online bank risk and threat modeling. Based on the following models, you can build a better protection system.
Online banking security in a nutshell
To understand threats and risks, we should begin with the basics. There are two ways to access online banking services: via desktop-based apps or browsers, and via mobile applications. Both options come with different pros and cons, as well as different vulnerabilities. This guide covers the general issues that modern banks and their customers face.
Generally, the malicious actors who attack digital systems today have three things in common: they want to earn money by focusing on transactions and/or sensitive info, they attack financial businesses that hold enough of this data, and they belong to one of three major groups. It is difficult to say which one dominates, but we definitely know their features:
- Hacktivists. Self-organized groups and individuals that often use social media. They aim for personal enrichment but also may attract attention to global problems. The most preferred tactics include DDoS and SQL injection.
- Organized criminals. Professional hackers and fraudsters who make a living by stealing data and/or money. They use various types of attacks combining social engineering, advanced tech approaches, and influence.
- Digital privateers. These individuals and entities are hired by states to attack other governments, large institutions, private businesses, etc. Mostly, they focus on secret information and international scandals. They often use phishing.
With this knowledge about the persons and companies that carry out attacks, let's move to the banking security issues themselves. In the next two sections, we focus on the main risks plus the prevention measures that help to eliminate them.
Key threats to know
In the most general understanding, bank risks refer to business, market, and regulatory aspects. More precisely, there are industry- and entity-specific risks, e.g. technical or reputational, as these categories differ from business to business. Talking about banks and their digital security, we can define three major directions where issues appear:
- Access disruption. Here, hackers use DoS/DDoS and ransomware attacks. The first constantly overloads a target system to stop it from working; the second blocks functions until the requested fee is paid. This threat leads to huge financial and reputational losses, as banks fail to provide their services.
- Data modification/deletion/theft. Cybercriminals can access banks' systems by exploiting various vulnerabilities. They can infiltrate through bugs in the software, use hardware weaknesses, or get credentials from employees. Once a hacker is inside, they can modify data, delete it, copy it, forward it to other companies, etc.
- Fraud-focused data harvesting. This risk is similar to the previous one. Nevertheless, it relates to large-scale attacks ordered by big firms, governments, or illegal organizations. Here, crime turns into an on-demand service because numerous solo hackers and groups are ready to attack the targeted banks.
As for examples, there are dozens of failure stories. In March 2014, thieves obtained info about 145 million eBay accounts because of reused credentials. Often, hackers compromise banking mobile apps or breach main databases due to bugs and other holes. That is why proper risk management strategies are required.
These threats are closely related to user activity. As Deloitte reports, users prefer online banking over mobile apps when they pay bills, update accounts, send international transactions, and make product inquiries. For balance requests and personal/account transfers, customers use mobile interfaces.
Ways to mitigate risks
Basically, there are a few suggestions for effective protection. They always work, but both bank employees and end users often forget about them. If you want to build a reliable banking security system, start with these tips:
- Build knowledge bases with info about breaches, risks, and protection.
- Maintain basic online hygiene: don't click odd links, check sites, and use secure networks.
- Never leave your working devices unattended while you are logged in to bank systems.
- Opt for safe browsing with unique credentials and disabled automatic logins.
- Set mobile protection, e.g. 2FA, biometrics, and antivirus apps.
- Update gadgets and apps regularly to fix bugs and remove holes.
However, the most comprehensive approach to risk mitigation relies on threat modeling. Using methodologies like STRIDE or tools provided by OWASP, banks can build strong defenses to prevent breaches and leaks. Let's talk about these options in more detail.
Using models for analysis
Risk identification and elimination may be difficult. New risk cases regularly arise because of the constantly changing landscape, innovative attack types, new operations, etc. At the same time, the importance of bank information remains the same: customers expect financial companies to protect their data perfectly.
Analytical models can be a great help. They offer established procedures that can be used to spot, understand, and mitigate threats regardless of their type. Model-based approaches are universal, so managers can apply them to different cases. Below, we cover two comprehensive models and one useful resource.
To be honest, the first name we are starting with isn't a model. Instead, OWASP is a project that unites enthusiasts and professionals in the field of application security. This community delivers free software tools along with guides to the world.
OWASP runs several projects that are free for everyone. Developers, security managers, and just enthusiasts can get access to materials through the official site. Here are the most interesting flagship projects:
- DefectDojo. A management tool with reports, templates, and metrics.
- Juice Shop. An app with significant security flaws for practical training.
- OWTF. A tool for effective penetration testing.
- Security Shepherd. A training system to boost security skills.
- WTE. A collection of several apps and docs in one environment.
- ZAP. An automated tool that spots vulnerabilities during testing.
With these things, you can easily educate yourself about app security, find the required tools to boost your defense, and even train practical threat elimination skills using intentionally insecure applications. Moreover, OWASP delivers frameworks and apps that help to understand, design, and implement security strategies.
The next topic is a real model focused on threat analysis with attack simulations. PASTA treats software apps as business assets and helps to minimize the corresponding business risks by considering all strategic processes during the simulation. PASTA is useful for managers, system architects, developers, testers, and C-level information officers.
Generally, the model includes seven key stages:
- Objective definition.
- Scope definition.
- App decomposition.
- Threat analysis.
- Vulnerability analysis.
- Attack simulation.
- Risk analysis.
PASTA is useful for banks, too. It starts with the identification of risks for the business and its customers, then moves to scope analysis that also includes attack targets, and then to the threat modeling itself. While implementing the model, don't forget to build a data flow diagram. It will help to identify weak links, see which risk types are the most dangerous and, finally, how to deal with them.
As solutions, PASTA offers four ways to treat a risk: accept it, mitigate it, share it, or avoid it. The choice depends on potential losses, costs, and the bank's readiness. The model also distinguishes two major kinds of countermeasures: preventive and detective. The first may include highly protected web form controls, information for customers, reliable transaction verification, etc. The second covers fraud monitoring, malware detection, and customer alerts.
Another banking security model we want to cover here is called STRIDE. It is based on six threat categories encoded in the model's name. For each type, security officers can find different risks and issues. It is important to note that the number of threats may be really huge, so you will need enough resources to build and analyze the model.
Here are some examples broken down by the six STRIDE categories:
- Spoofing identity: counterfeits, insufficient protection, fraud/fake sites.
- Tampering with data: embedded malware, sites controlled by hackers.
- Repudiation: denied transactions and operations.
- Information disclosure: malware that steals data, insecure handling, phishing.
- Denial of service: overload, damage to software/hardware, unstable services.
- Elevation of privilege (privilege escalation): client vulnerabilities, server vulnerabilities.
STRIDE works nicely with threat tree modeling. First, define the core risks and targets using the six categories above. Then each aspect is classified in a single branch using AND/OR operators. The secret is to decompose threats in as much detail as possible without overloading your tree with redundant information about risks. For instance, the problem of a counterfeited identity may go down to cracked passwords, with causes like an insecure default password or insecure storage.
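As an added illustration (not code from the original article), here is a small threat tree in the STRIDE style with AND/OR gates, built from the article's own "counterfeited identity" example. The extra leaves (phished credentials, a missing second factor) are assumptions added to show how an AND gate changes which single control closes the root threat, so the tree tells a security officer where the remaining open causes are after each mitigation.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Node:
    """One node of a threat tree: an AND/OR gate or a leaf cause."""
    name: str
    op: str = "LEAF"            # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False     # leaves only: a control has closed this cause

def feasible(node: Node) -> bool:
    """A leaf is feasible until mitigated; AND needs every child, OR needs one."""
    if node.op == "LEAF":
        return not node.mitigated
    states = [feasible(c) for c in node.children]
    return all(states) if node.op == "AND" else any(states)

def remaining_causes(node: Node) -> List[str]:
    """Leaf causes that still lie on a feasible path to this node's threat."""
    if not feasible(node):
        return []
    if node.op == "LEAF":
        return [node.name]
    return [c for child in node.children for c in remaining_causes(child)]

def mitigate(node: Node, leaf_name: str) -> None:
    """Mark a leaf cause as closed by a control (no-op if the name is absent)."""
    if node.op == "LEAF" and node.name == leaf_name:
        node.mitigated = True
    for child in node.children:
        mitigate(child, leaf_name)

def build_spoofing_tree() -> Node:
    """Constructed example following the article's 'counterfeited identity' case."""
    cracked = Node("password cracked", "OR", [
        Node("insecure default password"),
        Node("insecure credential storage"),
    ])
    credential = Node("credential obtained", "OR", [cracked, Node("credentials phished")])
    # Logging in as the customer needs a credential AND no enforced second factor.
    return Node("Spoofing: attacker logs in as the customer", "AND",
                [credential, Node("no second factor enforced")])

if __name__ == "__main__":
    tree = build_spoofing_tree()
    print(feasible(tree), remaining_causes(tree))   # True, four open causes
    mitigate(tree, "no second factor enforced")     # one control on the AND gate
    print(feasible(tree), remaining_causes(tree))   # False, []
```

Closing both password-related leaves alone still leaves the root feasible through the phishing branch, which is exactly the kind of gap the tree is meant to expose.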
General lessons from risk management
In conclusion, we want to share a few crucial risk management lessons that are valuable for all businesses; of course, banks can also benefit from them. The catch is that these points are widely known, but only a tiny fraction of enterprises care about them. The rules are so common that managers often forget about them:
- Don't ignore the problem. Often, hackers and fraudsters are extremely useful: they show your site's/app's vulnerabilities, which you can then fix. Moreover, it is advisable to hire hackers officially so they can find weaknesses without harming your company.
- Grow a collaborative culture. The security department should work closely with developers, managers, and other branches. This approach helps to spot problems quicker and solve them easier as info from different points is gathered.
- Know FUD. The acronym refers to fear, uncertainty, and doubt. Don't panic, but always know how bad the consequences can be: non-compliance leads to fines, data leaks to reputational losses, and so on.
- Utilize three resources. Generally, you will need only three types of resources: people who know how to deal with threats, processes that identify/mitigate risks, and tools that help to reach the final goal.
In times of pervasive digital interactions, it becomes more difficult to track all the possible risks. Smart minds have designed a few modeling approaches that deliver convenient algorithms focused on analysis, risk management, and cost optimization. By using them, companies can deal with modern challenges better.
DICEUS experts also help customers to identify and eliminate threats. Whether you want to develop a brand new custom banking app or upgrade your existing in-house infrastructure, we are ready to help. A wide range of consulting, engineering, and support services can boost your banking security and make sure that all the core data is protected.
If you want to learn more about security risks & threats, check out the guide with top examples for 2020.