Let Ethical Hackers Unmask Cybercriminals

By Tyler Leet
June 27, 2014
in Industry Opinions
The Federal Financial Institutions Examination Council (FFIEC) has made it clear that the ongoing cyberattacks targeting web-based ATM and card authorization systems may be inevitable for financial institutions that do not act quickly.

The attacks are attributed to a scheme dubbed "Unlimited Operations" by the U.S. Secret Service. The Unlimited Operations crews, no newcomers to the cybercrime landscape, have set aside highly sophisticated techniques in favor of a tried and true means of initial access: financial institution employees who inadvertently hand over access to systems when they fall victim to social engineering.

The criminals begin with phishing: emails that appear to come from an authentic, legitimate source (the "phish") carry malware that is activated when an employee of the institution opens a link or attachment in the phony message. The FFIEC describes the broad and concerning consequences of this tactic: "once installed, criminals use the malware to monitor the institution's network to determine how the institution accesses ATM control panels and obtain employee login credentials ..."

Just one successful phish can hand cybercriminals the keys to the kingdom, because the credentials it yields can carry system rights as powerful as the ability to raise or remove withdrawal limits on card accounts. Once those limits are gone, the heist needs only a handful of cards and a network of money mules at ATMs. According to the FFIEC, one such scheme yielded an almost unbelievable $40 million for the cybercriminals, who needed only 12 debit cards to carry it out.

With respect to its new guidance, the FFIEC "expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over Information Technology networks, card issue authorization systems, systems that manage ATM parameters, and fraud detection and response processes."
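The two controls the FFIEC names last, monitoring of the systems that manage ATM and card parameters and fraud detection over the authorization stream, are where the Unlimited Operations pattern is most visible: a withdrawal limit is removed or sharply raised through an unusual change, and shortly afterwards a few cards are drained far beyond that limit across many ATMs. The following is an added illustration of that detection logic, written for this article and not code from the author, CSI, or the FFIEC. The record layouts, field names, thresholds, and every sample record are constructed for the example; a real deployment would read the card-parameter audit log and ATM authorization feed of the institution's own systems.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records from a hypothetical card-parameter system.
# Fields: timestamp, card, parameter, old value, new value, operator, change ticket.
# A value of None for the new limit means the limit was removed entirely.
PARAM_CHANGES = [
    ("2014-05-30T10:05:00", "card-2002", "daily_withdrawal_limit", 500, 750, "ops-batch", "CHG-4411"),
    ("2014-06-01T02:13:00", "card-1001", "daily_withdrawal_limit", 500, None, "jsmith", None),
    ("2014-06-01T02:14:00", "card-1002", "daily_withdrawal_limit", 500, None, "jsmith", None),
]

# Constructed sample ATM authorizations: timestamp, card, ATM id, country, amount.
WITHDRAWALS = [
    ("2014-06-01T03:01:00", "card-1001", "atm-0091", "US", 2000),
    ("2014-06-01T03:05:00", "card-1001", "atm-4472", "GB", 2000),
    ("2014-06-01T03:09:00", "card-1001", "atm-7712", "JP", 2000),
    ("2014-06-01T03:12:00", "card-1001", "atm-1188", "DE", 2000),
    ("2014-06-01T03:20:00", "card-1002", "atm-0091", "US", 2000),
    ("2014-06-01T03:25:00", "card-1002", "atm-4472", "GB", 2000),
    ("2014-06-01T12:00:00", "card-2002", "atm-0003", "US", 300),
    ("2014-06-01T18:00:00", "card-2002", "atm-0003", "US", 200),
]

BUSINESS_HOURS = range(8, 18)     # hours in which parameter changes are expected (assumed)
LIMIT_RAISE_FACTOR = 2            # a limit raised beyond this multiple is suspicious (assumed)
VELOCITY_WINDOW = timedelta(hours=24)
MIN_DISTINCT_ATMS = 3             # "few cards, many ATMs" shape of a cash-out


def _ts(s):
    return datetime.fromisoformat(s)


def _weakened(old, new):
    """True when a change removes the limit or raises it sharply."""
    return new is None or (old is not None and new > old * LIMIT_RAISE_FACTOR)


def suspicious_parameter_changes(changes):
    """Flag limit-weakening changes that also show a process anomaly
    (no change ticket, or made outside business hours)."""
    alerts = []
    for when, card, field, old, new, operator, ticket in changes:
        if field != "daily_withdrawal_limit" or not _weakened(old, new):
            continue
        reasons = ["limit removed" if new is None else f"limit raised {old}->{new}"]
        if ticket is None:
            reasons.append("no change ticket")
        if _ts(when).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if len(reasons) >= 2:   # weakening alone may be legitimate; require an anomaly too
            alerts.append({"card": card, "when": when, "operator": operator, "reasons": reasons})
    return alerts


def baseline_limits(changes):
    """Limit each card carried before its most recent change (the 'old' value)."""
    limits = {}
    for _, card, field, old, _new, *_ in sorted(changes, key=lambda c: c[0]):
        if field == "daily_withdrawal_limit":
            limits[card] = old
    return limits


def cashout_velocity(withdrawals, limits):
    """Flag cards whose withdrawals in any 24h window exceed their baseline limit
    and are spread across several ATMs."""
    by_card = defaultdict(list)
    for when, card, atm, country, amount in withdrawals:
        by_card[card].append((_ts(when), atm, country, amount))
    alerts = []
    for card, recs in by_card.items():
        limit = limits.get(card)
        if limit is None:
            continue
        recs.sort()
        for i, (start, _, _, _) in enumerate(recs):
            window = [r for r in recs[i:] if r[0] - start <= VELOCITY_WINDOW]
            total = sum(r[3] for r in window)
            atms = {r[1] for r in window}
            if total > limit and len(atms) >= MIN_DISTINCT_ATMS:
                alerts.append({"card": card, "start": start.isoformat(), "total": total,
                               "baseline_limit": limit, "distinct_atms": len(atms),
                               "countries": sorted({r[2] for r in window})})
                break   # one alert per card is enough to open a case
    return alerts


def correlate(changes, withdrawals):
    """Join the two signals: a weakened limit followed by a cash-out burst is the
    Unlimited Operations pattern (high); either signal alone still merits review."""
    param = {a["card"]: a for a in suspicious_parameter_changes(changes)}
    velocity = {a["card"]: a for a in cashout_velocity(withdrawals, baseline_limits(changes))}
    findings = []
    for card in sorted(set(param) | set(velocity)):
        both = card in param and card in velocity and velocity[card]["start"] > param[card]["when"]
        findings.append({"card": card, "severity": "high" if both else "medium",
                         "parameter_change": param.get(card), "cashout": velocity.get(card)})
    return findings


if __name__ == "__main__":
    for finding in correlate(PARAM_CHANGES, WITHDRAWALS):
        print(finding)
```

On the constructed data, card-1001 produces a high-severity finding (limit removed at 02:13 without a ticket, then $8,000 across four ATMs in four countries against a $500 baseline within an hour), while card-1002 is flagged on the parameter change alone because its two withdrawals do not reach the distinct-ATM threshold; card-2002, whose limit was raised modestly under a change ticket during business hours, produces nothing. The parameter-change rule is the cheaper and earlier signal, since it fires before any cash leaves an ATM; the velocity rule is the safety net for changes made through a path the audit log does not see.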

Among its recommendations, the agency is calling on financial institutions to follow several risk-mitigating steps, including conducting exercises that simulate this type of attack. Two industry services, used hand in hand, help determine which attack paths would work in your environment: advanced social engineering combined with network exploitation, and internal penetration testing.

With advanced social engineering, third-party consultants conduct thorough reconnaissance on your organization and its employees, perform a safe and precise strike on your systems using the intelligence gathered during that reconnaissance, and mimic real-world attacks by diving deep into your organization's infrastructure, systems and data. They do so using proprietary tooling and remote connections designed to evade antivirus, firewalls and other security controls, which is the same bar a real attacker's malware must clear.

Beyond this "outside-in" approach, internal penetration testing simulates an attacker who already has a foothold on your internal network (for example, a workstation compromised by a phish) and attempts to gain privileged access to sensitive systems and data without interrupting service. Through hands-on, manual testing and research, consultants identify vulnerabilities, issues and situations that a basic scan would not detect, and map the attack chains and sequence an adversary would need to carry out a real-world attack against your organization.

The FFIEC also recommends using its prescribed risk mitigation measures as an ongoing guide, as outlined in its IT Examination Handbooks. These measures fall into seven categories:

1. Routine and ongoing information security risk assessments

2. Security monitoring, prevention and mitigation

3. Protection against unauthorized access

4. Implementation and routine testing of controls for critical systems

5. Information security awareness and training programs

6. Testing of incident response plans

7. Information sharing within the industry

So, as cyberthreats continue to increase and evolve, keep your financial institution in line with the FFIEC's expectations by using advanced social engineering and internal penetration testing to identify your weaknesses before criminals have the chance.

And download our free white paper, Think Like a Hacker, to gain powerful insight into today's most dangerous cyberthreats.

Tyler Leet is director of Risk and Compliance Services for CSI Regulatory Compliance. With experience in network/security administration, Tyler also conducts information security reviews for financial institutions and specializes in external penetration testing.

Tags: Credit, Debit