Financial institutions face constant cybersecurity threats in the form of account takeovers and ransomware attacks, according to Rick Van Luvender, vice president, Global Security Services, Fiserv.

In a recent Raddon webinar, Strategic Insights for Credit Unions, Van Luvender outlined exactly how these bad actors leverage tools aimed at a variety of criminal outcomes. He also described how financial institutions can monitor, detect, defend and thwart these threats and how consumers can be alerted to the traps aimed at them.

To put a number on this issue, Van Luvender said there are more than 16 billion compromised credentials that sometimes could match the online banking login information of an accountholder. The compromise could exist through no fault of the accountholder, but if hackers use this in the form of account takeover, they could gain access not only to the account, but also to the financial institution’s systems.

Cybercrime Advancements

A tactic called credential stuffing is when criminals replay login attempts hoping to gain a valid piece of information to gain access to the institution. For financial institutions looking to detect this activity, a sudden surge in incorrect login attempts is “the canary in the coal mine,” Van Luvender said.

Unfortunately, there are entire toolsets on the dark web that facilitate credential stuffing and account takeovers, he warned.

Van Luvender described an entire underground economy that deals in trading these credentials to others who specialize in moving money through different accounts and ultimately taking it out of the country. If a breached account doesn’t have enough funds to make it attractive to drain, the information might be used to pivot to a linked online account that is more lucrative, such as a frequent traveler account. With this type of linked account, points could be leveraged to acquire goods that can later be resold for cash. This cash then can be transferred to other accounts controlled and moved by the criminal network.

Account takeover is when someone gains access to an account that is not theirs and logs into the account. Account takeover fraud occurs when someone uses this unauthorized access to:

• Buy goods or services
• Mine the account for personal data
• Sell account access to others

The question then circles back to: How do criminals get into the account to take it over?

The various means of gaining access are called attack vectors. These include credential stuffing, phishing and malware. Phishing attempts occur through email, SMS/text messaging and social media messaging. Threat actors imbed malware that includes keystroke logging and remote access trojans.

Keystroke logging is when all the activity on the consumer’s computer is logged and relayed to the attacker to use. Remote access Trojans are malware programs that include a back door for administrative control over the target computer. These are usually downloaded invisibly with a user-requested program – such as a game or sent as an email attachment.

Credentialing Is Key  

When consumers use the same usernames and passwords on multiple sites, it widens the net that threat actors can cast in compromising accounts on various platforms. Van Luvender cited studies by some of the password management companies that millennials are more likely to duplicate usernames and passwords than are baby boomers. However, millennials are more apt to adopt multifactor authentication because they are comfortable with the tools. On the other hand, baby boomers are more likely to take great care in selecting usernames and passwords and not reusing them, according to MyTechDecisions.

If financial institutions have multifactor authentication, criminals attempting to gain access to accounts might move to using the stolen credentials on aggregator sites without multifactor identification. These sites are those where consumers combine views of several accounts to get a broader view of their financial holdings. Detecting a surge in access through aggregator sites could be a way for financial institutions to identify fraudulent activity or attempts, according to Van Luvender.

Discouraging the reuse of credentials and encouraging the selection of complex usernames is a first step in educating consumers and helping to combat this theft. Requiring multifactor authentication for initial logins and high-risk transactions, such as money movement and changes to contact information, is another countermeasure. In instances where your multifactor identification is not in use, such as with aggregators, institutions might consider annual validation to enable aggregator access to information on a per-accountholder basis.

Stay a Step Ahead

To help institutions prepare for ransomware attacks, there is a Ransomware Self-Assessment developed in 2020 by the Bankers Electronic Crimes Task Force, Conference of State Bank Supervisors and the U.S. Secret Service. In it, there are 16 questions designed to help identify gaps in preparedness and reduce the risk of ransomware.

Other steps that Van Luvender recommends include:

• Update software and operating systems with latest patches – Verify all networks and endpoints are patched or updated regularly, and use automatic updates where feasible
• Educate employees – Include ransomware in security awareness training, and conduct phishing exercises against your employees
• Validate your backup strategy – Validate successful restoration as part of business continuity and disaster recovery testing to identify gaps
• Consider participating in Sheltered Harbor – Implementing Sheltered Harbor standards prepares institutions to provide consumers timely access to balances and funds in a worst-case scenario

As bad actors get better at fraudulent financial activity, it’s essential for institutions to get better at detecting and thwarting these threats. Keeping pace or, better yet, being one step ahead of this threat requires preparedness, gap identification, and strong endpoint detection and response. Keeping up is always cheaper than catching up.