Under the Lens Financial Services: Challenger Banks Cyber Threat Operations Q1 2020 Contents Introduction 2 Timeline of attacks 4 Incident themes 5 Case studies 9 Conclusion 11 Appendix 1: Analysis methodology 12 Appendix 2: PwC Threat Intelligence 13 Notes 14 Introduction The financial services sector is constantly evolving, whether customers, rather than necessarily a full retail bank offering. in response to technology advancement or regulatory Their predominant role is – as with wider financial services changes, and nowhere is that more evident than amongst – the management of money, making them an attractive challenger banks – both those that are ‘bricks and mortar’ target to criminals and anti-capitalist hacktivists alike. They and those that are technology-based. Yet the cyber threat provide services to a wide gamut of customers, and will landscape is also evolving, and the cyber threats facing the therefore hold sensitive data on these customers that is challenger banks also adapt to this changing attack surface. attractive to espionage threat actors, including state-backed threat actors. Indeed, a number of challenger banks A sometimes nebulous term, ‘challenger banks’ mainly themselves have been recipients of large amounts of comprise new retail banks that have been given banking investment capital, which itself could be target of espionage licences within the last ten years and are directly competing campaigns seeking insight into deals or private equity with longer-established banks. In many instances, they have activity. More broadly, financial services are often classed changed the way in which consumers interact with their as critical infrastructure,1,2 making the sector an attractive banking providers. Some of these operate in the same way target for sabotage threat actors looking to cause disruption. as established high-street banks; others are on a ‘branchless’, purely digital platform. Regardless, their lack of The sector as a whole is highly regulated, and it recorded legacy infrastructure and traditional organisational structure the second highest average cost of a breach in the 2019 means that they are often able to leverage new technology Cost of a Data Breach Study.3 Yet financial services and digital applications to a greater extent than some more customers have high expectations for the protection of their established banks. data and money, and are more likely to turn to competitors if they do not believe their needs are being met.4,5 Although a term covering a diverse range of entities, many challenger banks will offer niche products or services to 1 ‘Critical National Infrastructure’, Centre for the Protection of National Infrastructure, https://www.cpni.gov.uk/critical-national-infrastructure-0 2 ‘Critical Infrastructure Sectors’, Department of Homeland Security, https://www.dhs.gov/cisa/critical-infrastructure-sectors 3 ‘Ponemon Institute Cost of a Data Breach Study 2018’, Security Intelligence, July 2018, https://securityintelligence.com/series/ponemon-institute-cost-of-a- data-breach-2018/ 4 ‘Ponemon Institute Cost of a Data Breach Study 2019’, IBM, July 2019, https://www.ibm.com/security/data-breach 5 ‘Brits would change their bank following a cyberattack’, ieDigital, https://www.iedigital.com/resources/press-releases/half-brits-change-bank-following-cyber- attack-research-reveals/ (13th September 2017) PwC | Under the Lens – Financial Services: Challenger Banks | 2 It is therefore vital for financial institutions to not only develop a secure environment, but to develop the means to detect and respond to cyber incidents so that any impact is minimised. The challenges inherent in identifying and retaining cyber talent can in turn magnify the complexity of this landscape. Digital transformation plays a key part within the challenger bank space, including in the software and backend of the provision of financial services. This specific importance and reliance on technology - including cloud - amongst many technology-driven challenger banks, means that maintaining visibility of the continuously evolving cyber threat landscape is particularly vital. This is in particular the case for those that operate solely with a digital presence, given the potential for business interruption, reputational and regulatory implications, for example Strong Customer Authentication (SCA) under PSD2. The open technological ecosystems of some digital banking platforms, their partnering with FinTech companies and adoption of new technologies may also create new potential avenues of attack, as demonstrated by Operation Cloud Hopper. It is also important to consider that technology not only underpins challenger bank’s back-end infrastructure but also actual client offerings, for example, in the form of credit decision models. This report provides an overview of the most common cyber threats facing the financial services sector, and challenger banks in particular, in order to generate awareness and illustrate the motivations behind such attacks, as well as support intelligence-led defence. Our analysis is informed by our own in-house intelligence datasets maintained on cyber attacks and targeting from a variety of threat actors, intelligence gleaned from our incident response engagements around the world, as well as publicly-available reports on attacks in the sector. PwC | 3 Timeline of attacks The threat actors targeting the financial services sector as a whole vary in their motivations and in their sophistication – ‘In the past decade, the capability from low-resourced, opportunistic threat actors, through to and motivation of threats to the persistent, highly targeted state-sponsored attackers that financial sector have transformed seek to obtain information from specific organisations. from small-scale opportunistic crimes to efforts to compromise In particular, PwC intelligence reporting over the past few entire networks and payment years shows a consistent trend of criminal threat actors becoming more sophisticated, both in their technical systems.’ capability but also in their ability to target increasingly higher levels in the financial services value chain for larger payoffs; Carnegie Endowment for from individuals (with banking trojans, identity fraud), to International Peace companies (with payment processing systems, ATM hijacking, monetising stolen data), to targeting banking infrastructure itself. Whilst low-level tools, techniques, and (a.k.a. Lazarus, Bluenoroff, APT38) is known to be procedures (TTPs) remain prevalent, over the last few years responsible for more than ten such heists, and more recently more sophisticated attacks have targeted banks and has also targeted the Mexican electronic payment system banking networks around the world. SPEI, compromised banks in Asia and Africa to enable fraudulent ATM cash withdrawals, and has been active in For several years, there has been a steady stream of attacks parts of Africa and the Middle East in 2019. that involve compromising banks with low levels of security maturity – and this is as relevant for challenger banks as it The timeline below documents some of the key attacks is for their more established peers. Threat actors pivot to the targeting challenger banks and financial services more banks’ systems that access payment platforms which they widely, which are discussed in this report. Further real-world leverage to transfer funds to attacker-owned accounts. examples are included in the Case Studies section of this North Korea-based, state-backed threat actor Black Artemis report. PwC | Under the Lens – Financial Services: Challenger Banks | 4 Incident themes Based on past incidents and sector trends, PwC assesses actors fraudulently transferred between USD 15 and 20 that financially motivated threat actors are most likely to million from non-existent bank accounts. target the financial services sector - including challenger banks. For criminal threat actors, organisations controlling While these examples target major interbank networks, the the flow of money are a prime target. According to PwC’s threat also applies to ATM switches, card issuing platforms, Global Economic Crime and Fraud Survey 2018, cyber and domestic payment schemes, which will also impact crime represented the third most prevalent form of fraud for smaller organisations. financial services. Organised criminal syndicates A detailed explanation on how PwC categorises threat PwC intelligence reporting shows an increase in criminal actors by motivation is located in Appendix 1 of this report. syndicates working together to have the maximum impact. This includes international coordination, for example, Black Criminal Artemis' use of global money mules to enable cashing out Due to their role managing and controlling large volumes of from countries around the world, including India, the money, organisations in the financial sector are highly Philippines, and Sri Lanka. attractive targets for criminal threat actors, whether that is through bank heists, stealing valuable data, or DDoS As well as working with criminal organisations to manage its extortion. PwC research shows criminal threat actors cash out operations, reports suggest Black Artemis has executing more innovative and sophisticated forms of been contracting with a criminal syndicate, TA505, which attack, while others continue to thrive using more traditional acts as a distribution network for some of the most prevalent threat vectors. criminal threat actors, as well as operating its own bespoke malware. TA505 is a sophisticated
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-