In the global pandemic, would-be-hackers are putting fresh energy into exploiting people who are anxious, uncertain, and exhausted from everything happening in the world. And when I consult with community financial institutions about security, I tell them that complexity is the enemy of security. You might wonder how that can be true.
The more complex your measures are, the harder it is for hackers to get in. But it can also make it harder for consumers to use. So you have to find the balance. The issue is that complexity creates friction for users, who eventually abandon that complexity in search of convenience. In essence, the best system is the one that people will embrace and use habitually. Community financial institutions have to walk a line between maximum security and maximum convenience.
What I mean is this: the best security measures fade into the background of everyday life, becoming all-but invisible. Biometric authentication over smartphones is an excellent example. Users barely notice, and the methodology is arguably much stronger than passwords alone. You can also think of it this way: when you visit Disneyland, you don’t notice the elaborate infrastructure of cameras, barriers, and gateways that manage the millions of guests who visit every year – it's unseen, and yet, highly effective. Achieving the same level of seamless protection at a community financial institution is a major undertaking, but it’s not impossible.
Changes in society or technology create fresh opportunities for attackers. Usually the goal is to take over individual account, or a pool of accounts. Whether the hackers purchase credentials on the dark web, or convince users to share sensitive information, they’re always looking to slip past your best defenses. Here are some of the ways cyber criminals are working to get more of your precious data.
This is a special kind of attack. Thanks to the dark web, would-be-attackers can acquire usernames and logins for as little as 75¢ per pair. Once acquired, attackers use software to attempt hundreds if not thousands of login attempts in a short period of time. These types of attacks can overload your systems and make it difficult for legitimate customers or members to access their accounts. And recently, when Americans were anxiously waiting for government stimulus checks to hit their accounts, many online banking systems crashed under what could have looked like a credential stuffing attack. Ask your online banking vendor about their approach to dealing with credential stuffing attacks — this isn’t a problem that you can easily tackle on your own.
SMS banking has been around for a while. European banks first started implementing it in 1999. Mobile banking through smartphone applications is currently more popular, and it still presents an entry point for attackers. Especially as more institutions use SMS communication as part of their multi-factor authentication routines. In short, because consumers are accustomed to receiving legitimate text messages from their bank or credit union, they’re more likely to be taken in by an attack that looks like this:
It's worth teaching your account holders to recognize suspicious communication — and clarify what legitimate communication from your financial institution looks like.
There’s no perfect solution when it comes to data security, but there are some measures you can, and should take, to protect the information your institution is entrusted with.
Up to 80% of data breaches happen through third-party vendors. If that makes you feel justified in avoiding partner integrations, withhold judgement for a moment. It’s true that the easiest thing to do is isolate your institution from the risk that new vendors pose. However, this will only accelerate a different risk: the attrition of account holders who are frustrated by the lack of technology, innovation, and convenience.
The best thing you can do is perform due diligence on potential partners and be willing to ask hard questions. Your security posture is only as good as your weakest partner.
The computing cloud may feel scary, but the risks are manageable. On a regular basis, I speak with executives at community banks and credit unions who view the “cloud” with trepidation and distrust. Coming from the conventional, self-sufficient, onsite server approach, I completely sympathize with their concerns. Speaking as someone who is responsible for ensuring the data security of more than 900 financial institution clients, I view cloud security as a primary objective. And based on my experience, the risks of a cloud computing model are manageable and well within the acceptable risk tolerance that most institutions already have. I encourage you to ask questions and insist on detailed answers (we’d love to explore those questions with you, even if you’re not a client: https://www.kasasa.com/contact-us).