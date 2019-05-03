Anshuman Singh

Last August, hackers siphoned off nearly Rs. 100 crores through a malware attack on the server of Pune-based Cosmos Bank and cloned thousands of the bank's debit cards over a period of two days. In 2018 there was a sharp increase in the cost of suffering a cyberattack: according to reports, an incident cost $369,000 on average in 2018, up 61% from $229,000 in 2017.

Of all sectors, financial institutions bear the brunt of cyberattacks that lead to the loss of data, assets and consumer confidence. Holding the personal and financial data of millions of customers, banks are natural targets for cyber criminals, and with data regarded as the new oil, that data is a goldmine for hackers. Targeting banks offers multiple avenues for profit through extortion, theft and fraud.

More recently, there has been a significant rise in online scams in which fraudsters send enticing messages, calls or emails to trap customers. Fraudsters use a variety of tactics to steal a victim's credentials and thereby gain complete control of the victim's account. Spear phishing, password stealing, account takeover and credential stuffing are the major cyber threats to financial institutions.

Banking passwords are the most easily monetized credentials, since criminals can simply transfer funds from a compromised account to their own. The widespread use of software that stores passwords (browsers, for instance) and of password management solutions compounds the problem.

Cyber criminals spread password-stealing software via malicious email attachments. When the user opens the attachment, a program is installed in the background that routes all of their internet traffic to the attacker's server. So although it appears that you are talking to your bank's website, you are really connected to the attackers' server, which does a fine job of impersonating the bank, except that it also captures every username and password you enter. To add to this, the black market for stolen passwords within the cybercriminal community is booming and profitable.

The importance of a strong and secure password is still lost on most users in India. Most banks still allow end users to configure weak passwords, and weak passwords are set by users on roughly half of systems. Another cause for worry is default accounts with default passwords that are left behind for administrative tasks and never removed. Common examples include "admin", keyboard patterns such as "Qwerty123", blank passwords, and "P@ssw0rd".
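A small defensive check in Python, added here as an illustration and not part of the original article, that flags the weak-password patterns named above: common words hidden behind leet-speak substitution (so "P@ssw0rd" is caught as "password"), keyboard walks such as "Qwerty", blank passwords and default administrative accounts. The word list, account names and sample credentials are constructed assumptions, not data from the author.

```python
import re

# Constructed lists (illustrative, not from the article): weak passwords it
# names plus a few common ones, and default accounts that often keep defaults.
COMMON_WORDS = {"password", "admin", "qwerty", "welcome", "letmein"}
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}

# Leet-speak substitutions, so that "P@ssw0rd" normalizes to "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def normalize(password: str) -> str:
    # Lowercase, drop a trailing digit/symbol suffix ("Qwerty123" -> "qwerty"),
    # then undo leet substitutions. Leading digits are deliberately not handled.
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)

def has_keyboard_walk(password: str, run: int = 4) -> bool:
    # True if `run` adjacent keys from one row appear in either direction.
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False

def audit_password(username: str, password: str, min_len: int = 12) -> list:
    # Returns the weaknesses found; an empty list means the password passed.
    if not password:
        return ["blank password"]
    findings = []
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if normalize(password) in COMMON_WORDS:
        findings.append("common word after leet-speak normalization")
    if has_keyboard_walk(password):
        findings.append("keyboard walk")
    if username.lower() in password.lower():
        findings.append("contains the username")
    if username.lower() in DEFAULT_ACCOUNTS:
        findings.append("default account still in use")
    return findings

if __name__ == "__main__":
    samples = [("admin", "admin"), ("ops", "Qwerty123"), ("svc", "P@ssw0rd"),
               ("backup", ""), ("asingh", "Monsoon-Ledger!Pune2019")]
    for user, pw in samples:
        print(f"{user}/{pw!r}: {audit_password(user, pw) or 'ok'}")
```

In practice the word list would be replaced by a large breached-password corpus and the check run at password-set time and in periodic audits of administrative accounts.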

However, the weakest link in bank security is the human factor. Even the best technical defences can be undermined by phishing employees for information. Phishing messages are sent to bank employees at both their work and personal email addresses. Password stealers are skilled at social engineering and use email very effectively to solicit sensitive information; these emails typically contain an attachment or URL that entices the user to click. Commonly used techniques include phishing, impersonation and evading detection by using trusted file types.

Protecting passwords is not only the responsibility of individuals; it needs to be a consolidated effort between employee and employer. Employees should be regularly trained and tested to raise their awareness of targeted attacks, and simulated-attack training is one of the most effective forms of training. Organizations should also deploy real-time spear phishing and cyber fraud defense solutions that learn an organization's communication history and prevent future spear phishing attacks.