Banks facing increasing 'multi-channel' cyber threats, says new report

According to a new ThreatMetrix report on cyber crime, citing data on cyber attacks the company had identified, there were more than 100 million cyber attacks made on transactions in the final three months of 2015, up 80% on levels recorded for the corresponding period the previous year.

"Financial institutions continue to be big targets for organised attacks and face multi-channel threats from the same location or simultaneous attacks on a single access point from multiple locations across the globe," the report said.

ThreatMetrix said that migration towards the EMV standard to support smart card transactions in the US contributed towards a 40% rise in the number of attempts at cyber crime it saw between the beginning of October and end of December 2015 compared to the same period in 2014.

ThreatMetrix said that there was a correlation between the growing number of transactions being processed and the number of attacks companies are facing, and said that banks are facing new threats associated with the rise in use of mobile devices by customers.

"Key attack vectors that fraudsters are leveraging are: unsecured wireless networks to intercept user credentials; encouraging users to download hacked versions of legitimate applications from third party stores to deliver malware onto a device (which is generally jailbroken or rooted); intercepting personal information that can be inadvertently leaked by legitimate mobile applications," ThreatMetrix said.

"The biggest impact of cyber attacks was seen on the new account origination transactions, as fraudsters used new accounts to make purchases using stolen credentials. These transactions increased by over 133% and the attacks grew by 180% compared to last year. With consumer identity data widely available due to recent breaches, traditional identity assessment methods are becoming ineffective," it said.

Technology and payments expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that security has been high on the banks' agenda for some time and plays an important part in every project, as well as business-as-usual operations, but that banks "have a difficult balance to strike" in addressing the risks they face. 

"As there is no end to the money that can be spent on security and fraud protection and no end to the risks, how do you answer the question of how much should be spent?" McFadyen said. "Security and fraud risk cannot be eliminated in today’s environment, only managed, and some risks are greater than others."

Cyber risk expert Ian Birdsey of Pinsent Masons said that, notwithstanding significant investment by banks in IT security, they remain "a rich target due to the nature of financial data held".

"The stakes are high for banks in terms of their corporate reputations and the impact of a significant data breach or outage that can arise if cyber attacks are successful," Birdsey said.

Earlier this week Interpol announced that it had reached an agreement with Barclays which will see staff from the bank work full-time at the law enforcement agency's Cyber Fusion Centre.

The Centre "provides a neutral, global platform for law enforcement, the private sector and academia to work collaboratively, sharing actionable threat information and developing operational responses", Interpol said. Barclays is the first financial services company to join the information sharing initiative.

At the time, Birdsey said that the closer links forged between Barclays and Interpol was indicative of the proactive approach needed from all companies in the financial services sector to address cyber risks they face.