FIs Hustle As Hackers Ramp Up Corporate Bank Attacks

Earlier this year, a report from Kaspersky Lab and B2B International found that cybersecurity incidents affecting a bank’s online banking services cost an average of $1.75 million to resolve. Each. Most cybersecurity incidents are also linked to additional costs, researchers found, including data loss or loss of brand reputation.

A separate report from MediaPro, released last month, found that members of the financial services sector are surprisingly lacking in cybersecurity and privacy awareness, with researchers classifying 80 percent of the 809 respondents as “risks” or “novices,” meaning those professionals may actually jeopardize the security of the financial service providers in which they work.

A few weeks ago, digital security company Gemalto launched a new solution to target one security threat of online banking: fraud. Its Assurance Hub tool for banks uses machine learning to assess the behavior of users of online banking, from location to biometrics and keypad style.

In releasing the product, Gemalto also reiterated the results of a recent survey that found nearly half of consumers said they would leave their bank if there were a security breach. But banks can also cause customer dissatisfaction if they incorrectly reject a transaction by identifying a false threat, or if they impose too many authentication measures on their customers.

That creates a predicament for financial institutions that need to safeguard both corporate and consumer data.

“Customer data theft can damage a bank’s reputation and expose that a bank is failing to comply with regulation,” said Philippe Regniers, senior VP of marketing at Gemalto, in a recent interview with PYMNTS. “If a hacker manages to infiltrate a bank, they can block access to services, regardless of whether they are motivated for ethical, political or financial reasons.”

According to Regniers, technologies like Big Data analytics and machine learning can be just as effective at combating security issues like fraud in corporate banking as they are in consumer banking.

The technologies “are applied in the same way,” he stated. “These technologies add layers of security, which are able to detect potential fraudulent activity and allow banks to respond appropriately, perhaps requiring an additional signature, or involving a call of the corporate user.”

The rise in mobile payments, too, means FIs can have access to even more data to not only safeguard transactions but provide a deeper level of information to analyze customer behavior.

“What makes these solutions even more important to apply is that banks are increasingly enabling mobile phones as a channel for introducing and approving payments,” the executive said. “The information collected can accelerate processing of claims, providing banks with valuable evidence in the event of a fraudulent transaction. When it comes to low-risk services, these technologies can reassure banks that users are legitimate, thereby reducing some of the friction.”

But in corporate banking, there are a few different hurdles to clear if banks are to safeguard business transactions.

“Hackers are attacking corporate banks a lot more, as there are greater rewards than in the retail banking sector,” Regniers said. “They use a variety of techniques, discovering ways to bypass authentication tokens, as well as deploying MITB (Man in the Browser), MITM (Man in the Middle) or social engineering tactics.”

Recently, banks have deployed tools that enable a corporate client to provide a digital signature by entering a PIN code.

“Unfortunately, hackers have learned to capture these PIN codes and digitally sign transactions without legitimate users being aware,” the executive noted. “Some banks also opt for unconnected one-time password devices, a solution that requires the user to confirm their presence and verify themselves.”

The stakes are often higher in corporate banking than in consumer banking, with corporate transactions typically larger than consumers’, and with one corporate account often accessible by multiple professionals within the organization. The approach to consumer banking security doesn’t always cut it – and neither does the traditional two-factor authentication or tokenization that the corporate world has historically deployed. Cybersecurity criminals and fraudsters are becoming just as sophisticated as the latest security tools.

There are a variety of measures banks can take to ensure a corporate client’s identity. Regniers said requiring a “sign what you see” capability is one crucial component, adding that banks must also deploy connected devices, like a PinPad.

“Successful security solutions here need to involve user presence, preferably registered via a PinPad, enabling users to enter an authentication code only they know,” he explained. “The transaction needs to be signed in a highly readable way, using higher resolutions when required. This will be combined with web-signing applications that will detect any attempt by malware to interfere with it.”

But when fraud is coming from the inside, banks can have an even harder time combatting the problem.

“Unfortunately, the sharing of credentials is opening the door to internal fraud, which is often very difficult to detect for financial institutions,” said Regniers. “Our recommendation is to provide credentials that are unique to each user,” he said, adding that this may mean one card per user, if a company is deploying a p-card program or the like. “Alternatively, a bank can silently monitor the context of a purchase, such as the device it’s being made from, and other behavioral patterns.”

Whether external cybersecurity threats or internal fraud, the measures banks must take to protect their corporate clients are vast. Luckily, the technologies that banks have at their fingertips to safeguard clients are vast, too. From connected PinPads and Sign What You See requirements to behavioral analytics and biometric authentication, the corporate banking security industry is growing sophisticated, and hustling to stay one step ahead of the criminals.