How a new generation of digital bank branches is at risk from cyber attack.
Banks have been focusing on cybersecurity for many years now, but the risks they face seem greater than ever before. As the industry undergoes a rapid digital transformation in its services and new style digital bank branches, there should be a simultaneous focus on modernizing cybersecurity strategies.
Some of the raised concerns can be traced to whether the Ukrainian war will spill over into cyber attacks on the banking system. An alert in spring 2022 from the European Banking Authority suggested the risk of this happening had increased. On its risk dashboard, the EBA said the dangers of the exposure to Eastern European Banks collapsing were less of a threat than “second-round” effects like cyberattacks that “may be more material from a financial stability perspective.”
Whether driven by nation states or not, cybercriminal gangs continue to target banking services – particularly ATMs – to steal money and valuable financial information about customers and cause business continuity disruption and service interruptions.
According to Zion, the global ATM market accounted for US$15.1 billion in 2020 and is expected to rise to US$21.2 billion by 2028, growing at a CAGR of around 4.8% between 2021 and 2028. The financial services industry is undergoing rapid digital transformation, banks cannot afford to neglect cybersecurity strategies, especially at a time of increased risks and threats.
The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting (ATM malware and logical attacks) in 2020; resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of ATM fraud reported, such as card skimming and physical attacks were down, jackpotting attacks represented a 44 percent increase in number of attacks and a 14 percent increase in losses from 2019.
These attacks on financial services can generate lucrative cash returns, which encourages gangs to invest serious internal budgets into research and development to prepare attacks.
However, banks can still take preventative measures to reduce the likelihood of attacks and mitigate the damage caused. Cybersecurity management must complement and coexist alongside digitalization programs, especially on the deployment of even the most advanced ATMs and assisted self-service terminals (ASSTs), which are now being used in next-generation branches and digital banking hubs, that are particularly vulnerable to attack. Security leaders should hone into these for cybersecurity review and consider the Zero Trust model. It helps to secure critical endpoints and other parts of the banking service infrastructure. It is mission critical for security teams to minimize the attack surface, obtain greater visibility of what is happening, and have faster insight into anomalous activities that could be (or are) suspicious.
Zero Trust is defined by a cybersecurity system that minimizes the level of implicit trust so that a system is only accessing software and in use when stringent checks are done. This important concept can be successfully applied to ATMs and ASSTs as they comprise several software layers, including an operating system, hardware vendor/software layer, the multi-vendor layer, plus the different tools for operations, monitoring, security, and so on. Unlike PCs, the software updating on these devices tends to be reactive, which means liabilities can slip into software inadvertently – making the concept of Zero Trust critical in isolating a layer that is unpatched.
Here is a useful checklist to consider when adopting a modern approach to protecting fleets of ATMs and ASSTs used as the digital hubs in new-style bank branches:
• Reduce the attack surface. Access will only be allowed when needed, and not just when it is legitimate, only if the user has been certified for proper operations.
• Control whoever is going to physically manipulate the ATM. Standard solutions like antiviruses have the same level of protection at any time, but when critical devices have a third party manipulating it, banks must be able to control the level of protection and activate specific policies in that specific moment. The bank should be able to monitor what the technician is doing at a time of highest exposure.
• Cybersecurity for banking made easier. Consolidate protection measures on a single platform such as application whitelisting, full encryption of all hard disks and media, file system integrity protection, hardware protection, and a firewall to stop network attacks.
The value of the Zero Trust strategy lies in its ability to allow financial institutions to secure digital self-service banking without trusting the assumed security of mainstream software. This distrust is important because cyber attackers will
hijack legitimate tools and software to launch an attack. Zero Trust for banking endpoints should extend to third-party tools and services that have permission to access ATMs and ASSTs when servicing these devices. Effective cybersecurity must interrogate access and verify it is correct or authorized at all times.