Cyber-Threats Continue to Target the Financial Industry

During Congressional testimony, Homeland Security, FBI and Secret Service officials warned of continued attacks and evolving cyber-threats against the financial sector.

Cyber-criminals continue to target United States businesses, the country's financial institutions and government agencies in an ongoing effort to steal both money and information. Still, despite the best efforts of local, state and federal law enforcement, these cyber-criminals show no signs of slowing down, according to new Congressional testimony by some of the country's leading cyber-security experts.

Financial services is "where the money is" so cyber-criminals increasingly target this sector, Greg Schaffer, acting deputy undersecretary at the Department of Homeland Security, told the members of the House of Representatives Financial Services Committee's Subcommittee on Financial Institutions and Consumer Credit on Sept. 14. Officials from the Secret Service and the Federal Bureau of Investigation joined Schaffer to discuss trends in cyber-crime.

The FBI is currently investigating more than 400 cases of fraudulent wire transfers from business bank accounts that total about $255 million in stolen funds, testified Gordon Snow, the agency's assistant director. There are other types of attacks against financial systems, such as payment processor breaches, stock trading fraud, ATM skimming and mobile banking attacks.

Cyber-criminals' capabilities are at "an all-time high," Snow said.

Noting the number of security breaches and security attacks in this year alone, U.S. Rep. Shelley Moore Capito (R.-W.Va) said the threats were "especially acute" in the financial services industry.

The annual cost of cyber-crime is about $388 billion, including money and time lost, or about $100 billion more than the global black market trade in heroin, cocaine and marijuana, said Brian Tillet, chief security strategist at Symantec.

The good news is that financial institutions are doing something right.

"Statistics indicate financial institutions are doing a better job of stopping fraudulent transactions from being created and from funds leaving the financial institution," said William Nelson, president of the Financial Services Information Sharing and Analysis Center. According to a recent FSISAC study, only 36 percent of reported commercial account takeovers resulted in funds leaving the financial institution in 2010, compared to 63 percent in 2009.

The financial services industry has generally "been ahead of the curve" when it comes to recognizing cyber-security attacks, but they need to be able to respond to evolving threats, Tillet said.

Mobile banking and Twitter offer new opportunities for cyber-crime, the FBI warned. Criminals are sending malicious text messages and posting specially crafted links on Twitter to gain access to users' online banking accounts. To counter this trend, financial institutions often send text messages to users to verify that online transactions were actually initiated by the authorized user. However, criminals have found a way around this practice as well.

"Infected mobile phones forward messages to the criminal, thwarting the bank's two-factor authentication," said Gordon Snow, assistant director of the FBI's cyber-division.

It was critical for financial institutions to share information with other institutions, as well as federal law enforcement agencies, in order to "effectively combat" cyber-criminals, Capito said.

"We are in a better place today, in terms of information sharing, than we've been in the 15 to 17 years I've been in this space," responded Greg Schaffer, acting deputy under secretary at the Department of Homeland Security. However, companies are sometimes unwilling because of concerns about privacy and liability, Schaffer said.

"Some institutions have concerns about the privacy implications of sharing information with the government or about brand damage that may result from reporting an incident," Schaffer of DHS said.

Snow said he's met with his counterparts in DHS and Secret Service more than 150 times, adding that "we have meetings even when we don't want to have meetings." He said information sharing needed to be faster and not wait for face-to-face meetings since threats are coming "in nanoseconds."

"The bottom line is: No one entity has all the information; it takes team work to bring all the pieces together to complete the picture," said Greg Garcia of Bank of America. Actionable threat information that is not shared is "useless information," he added.

Criminals are also better at information sharing than law enforcement agencies, said A.T. Smith, assistant director of the Secret Service. They harvest personal information belonging to the victims and distribute it to other attackers and exchange attack tools and strategies online, Smith added.

Cyber-threats are still not being taken seriously enough across the industry, Snow said. Industry standards aren't very high and most firms are sending out the "freshman team" to handle security, as opposed to the more experienced and skilled staff, Snow said.

The hearing is one of the many being held in Congress as lawmakers look over the White House's comprehensive cyber-security proposal released in May. The Senate has already held several cyber-security hearings. Both Democrats and Republicans have identified cyber-security as critical to both national security and the economy, and it is likely that a package will reach the floor for full debate in both the Senate and the House of Representatives this fall.