SAN FRANCISCO — Many of the stories about attacks on banks, payment processors and other portions of the financial services system around the world depict these intrusions as highly sophisticated operations conducted by top-level crews. However, the majority of the attacks these companies see aren’t much more advanced than a typical malware attack, experts say.
“About two thirds of the attacks on our merchant community are low to moderate complexity,” Ellen Richey, executive vice president and chief enterprise risk officer at Visa, said during a panel discussion on threats to the financial services industry at the Kaspersky Lab Cyber Security Summit here Tuesday.
The last couple of years have been tough on banks and other financial services companies when it comes to security. Many of the larger banks in the United States and elsewhere have been the targets of massive DDoS attacks for more than a year now, with many of these attacks being attributed to hacktivist groups. These banks, of course, always are targets for cybercrime gangs looking for some quick money. But Richey and the other panelists said that while they certainly see attacks against their networks from determined, skilled attackers, a great deal of what they see every day is pretty mundane.
Attackers looking for a nice pay day often won’t target a bank directly, but will hit a partner or supplier the bank uses and go from there.
That strategy isn’t new, but it’s proven to be effective.
“People aren’t going to go after hard targets, because it exposes them,” said Steve Adegbite, senior vice president of enterprise information security program oversight and strategy organization at Wells Fargo & Co. “They go after the lower level merchants and walk up the chain from there.”
While figuring out who is attacking an organization can be an intriguing exercise, Adegbite said that in a lot of cases it doesn’t matter much who is doing what. The end result of a successful attack is the same: a disruption to the business.
“Within financial services, it’s about customer service and keeping things running and keeping the lights on. When I go in there after the fact and strip everything down, whether it’s a nation state or a kid in his basement, it’s forcing us to deal with an incident.”
Richey said that Visa, with its massive network of merchants and huge profile around the globe, sees all shapes and sizes of attacks, but has seen a big jump in the number of DDoS attacks in recent years.
“The piece we’re seeing in the last two to three years is denial of service attacks. It’s primarily hacktivists,” she said. “The industry has amped up its defenses to deal with it.”
That increase in defenses has occurred across the financial services industry, but as well-funded and sophisticated as the security teams in these companies are, they can’t go it alone. Adegbite said that he and the Wells Fargo security team collaborate with as many people and organizations as they can when it comes to defending their networks.
“Cybersecurity is a team sport. The amount of things we’re dealing with, we can’t handle it all ourselves,” he said. “We form a community of defenders all the way through.”