
Latest news with #threatactors

Ensuring Financial Data Security In The Quantum Era

Forbes

22-05-2025


Financial market organizations are used to the idea of speculation. Buying undervalued assets to realize value from them at a later point is a well-established strategy. But – on the other side of a very dark mirror – another kind of speculation is stalking even well-established financial players. Bad actors are already exploring the next horizon of cyber-attacks with the goal of harvesting encrypted data. Today, the encryption is safe and the data is useless to the thieves. But they speculate that, armed at some point in the future with a 'cryptographically-relevant quantum computer' (CRQC) – a quantum computer equipped with the right software – they will be able to break the encryption and gain access to the data, with devastating consequences. This point in time is often referred to as Q-Day.

While quantum threats will target industries ranging from power utilities to transportation providers, we believe the financial sector will be near the top of the list of targets for threat actors. The potential gains from stealing money or creating mayhem in the markets will be too appealing to pass up. The good news is that Q-Day is not yet upon us, and there are actions that banking, financial services and insurance (BFSI) companies can take now to prepare for the quantum security threats of the future. It is possible that the quantum era could simply look like business as we know it, with full continuity of operations and management of risks.

For BFSI companies, data security is a significant challenge that gets more difficult with every passing day, even without the looming threat of a CRQC. Today's financial institutions are using more connected devices than ever. More devices means more potential backdoors or other vulnerabilities that can be exploited. Additionally, a recent report by the US Department of the Treasury found financial institutions are seeing an increase in more sophisticated, AI-powered phishing and social engineering attacks.
Where sensitive financial data is stored and managed, and how it is transported for transactions, is also cause for concern. Years ago, financial institutions would have hosted their data workloads in their own on-premises data centers. Now, in a highly digitalized financial world, workloads are often distributed across multiple public and private cloud networks, meaning financial institutions have less visibility and control over the security of their data once it leaves their premises. While financial institutions can (and do) encrypt data to protect it as it travels between clouds, they must trust that their service agreements will hold true and cloud-based data repositories are fully secured to their specifications.

Adding to this challenge are the increasingly stringent (but fragmented) regulatory requirements around data sovereignty and privacy, especially for enterprises with operations in multiple countries. It's not easy to determine the best way to comply with DORA, NIS2, OSFI B-13, CPS 230, NIST CSF 2.0 and the many other standards that are all very similar but different in their own ways. Even if an enterprise's headquarters isn't subject to a specific standard, that doesn't necessarily mean its satellite operations or its globally distributed customer base aren't affected.

That said, in today's rapidly evolving geopolitical climate, many BFSI companies want to avoid having their data travel through certain countries, preferring to keep everything — including the people and systems managing their data and devices — within their own jurisdictions. That's not always easy to do, especially with the industry's high levels of AI usage.

The financial services sector is among the most mature when it comes to AI adoption, using the technology for a broad range of applications. For example, AI is being used for fraud detection to identify anomalies and suspicious activities in financial transactions.
According to Mastercard, AI software can boost a bank's fraud detection rates by an average of 20% — and in some instances, by up to 300%. Additionally, AI-powered transaction monitoring can help cut down 'false positives' (i.e., when a legitimate transaction is mistakenly flagged as a fraudulent one) by more than 85%.

But given that most banks don't have the infrastructure in place to build and train their own AI models, where is that AI analysis actually happening? How much sensitive customer data is now being stored and processed off-premises in an AI cloud? How secure are the AI models themselves? Questions like these are enough to keep CTOs, CISOs and risk management teams up at night right now. When AI and quantum computing eventually converge, we can assume BFSI companies will need to adapt even faster to an ever-evolving threat landscape.

To protect their data in the AI and quantum era, BFSI companies can take the following actions, starting today:

With Q-Day looming, the worst thing banks and other financial institutions can do is nothing. Companies can and must take action now to protect their financial applications, systems and digitalization investments. Of course, conducting infrastructure assessments and upgrading networks takes time as well as the right expertise and skills. But even though the word 'quantum' on its own can feel like a major technology leap, companies don't need to have quantum engineers on staff to set up the systems required to defend against future quantum cybersecurity threats. They also don't need to do this alone. Experienced IT network partners who have successfully deployed quantum-safe networks for financial institutions have the expertise to guide them through the process of architecting their networking and security technology evolution, every step of the way.

The result? A solid, secure foundation to protect BFSI companies from today's threats and mitigate the risk of the threats still to come, so these institutions can thrive in the era of quantum computing and AI.

Banks still unnecessarily burdened by porous security: By Frank Moreno

Finextra

12-05-2025


Banks have invested heavily in fraud prevention over the past five years. However, there are still some glaring gaps (as well as some hidden risks) that have yet to be addressed. And, if these are not remedied in 2025, threat actors will exploit them – at massive cost to the financial institutions (FIs) and their customers.

GenAI gets smarter and cheaper

Fraudsters have not necessarily gotten smarter, but GenAI certainly has, quickly generating highly realistic and personalized content. It also allows fraudsters to automate the creation and distribution of socially engineered messages across multiple channels. This scalability increases the likelihood of successful attacks without requiring extensive manual effort. In addition, deepfakes and voice cloning are almost impossible to spot, and GenAI can use personalized data to target an emotional response that will fool the most cynical individual. GenAI can even generate synthetic identities by combining real and fake information.

In 2022 alone, the FBI counted 21,832 instances of business email fraud with losses of approximately US$2.7 billion. What's more, the Deloitte Center for Financial Services estimates that by 2027, generative AI email fraud losses could total about US$11.5 billion in an 'aggressive' adoption scenario. This growing and shifting threat will challenge banks' efforts to stay ahead of cyber criminals, and banks must hit back with a considered and agile security response. This is especially true as DeepSeek has entered the fray, doing the same work faster and cheaper than ever before.

Ironically, the best way to fight AI is with AI, and banks should deploy AI models with risk-based authentication (RBA). This allows them to analyze their own customers' behavior over time so they can create profiles that help distinguish between normal and suspicious activities. This will enable faster responses to potential fraud - regardless of the new cybercrime modus operandi.
Mobile channels left wide open

Almost half of US banks could be leaving their customers vulnerable to Account Takeover (ATO) fraud due to inadequate protection of their mobile channels. Consequently, criminals are increasingly using mobile devices to gain unauthorized access to bank accounts, rather than mobile web or desktop. Why would criminals struggle to break into the back door when the mobile side door is left wide open?

With biometric authentication now becoming standard on new devices, fingerprint scanning and facial recognition are increasingly part of our everyday lives. Banks should be using open standard FIDO2's public key cryptography to enable secure, passwordless and SMS-free logins across devices and platforms, which can't be intercepted. Solutions are also available to create a digital 'fingerprint' of a mobile device or desktop browser to create trusted devices that banks can recognize when transactions are initiated.

Outdated fraud prevention technologies

Despite rapid advances in security technology around the world, in many instances the US banking industry seems to cling to technologies that are no longer fit for purpose. Many existing fraud prevention tools are simply not designed to adapt to new types of fraud. For instance, traditional rules-based systems may generate excessive false positives, leading to customer frustration. The reliance on legacy solutions like SMS one-time passcodes (OTPs) poses another challenge.

According to Liminal's 2024 Link Index for Account Takeover Prevention in Banking, losses from these attacks have been growing, averaging from $6,000 to $13,000 USD per ATO incident in the banking industry, and US banks have seen an increase of 66.8% in social engineering attacks in the last two years alone. Despite the fact that banks know OTPs are not safe, Liminal says only 44% of banks are using mobile device signals for protection.
By using advanced authentication, banks can leverage active and silent authenticators (via push messages and behavioral biometrics), supported by risk signals for the optimal authentication challenge. In addition to active authentication, where people must perform a task to confirm a transaction, there's also silent authentication. Behavioral biometrics, which analyze user interactions with devices (like typing speed and mouse movements), can help detect deviations from typical behavior for more nuanced fraud detection - particularly in cases where scammers impersonate legitimate customers. By collecting mobile device signals like the SIM card number, network related signals like the IP address, behavior signals like user interaction, and security related signals like biometric data, banks can further determine risk and prevent ATO attempts.

Organizational silos create security gaps

Despite digital transformation efforts, many traditional banks are dealing with a nasty hangover of organizational silos, where different departments (fraud prevention, information security, identity management) do not effectively communicate or collaborate. The same holds true for retail and commercial banking, digital banking teams and contact center operations. This fragmentation is leading to gaps in fraud detection and response strategies, and fraudsters are flourishing in these gaps between the channels.

Lack of collaboration hurts everyone

Banks have never been known for their willingness to share, but the lack of collaboration is hurting the entire ecosystem. While larger banks have extensive historical data that enables them to develop robust AI models for fraud detection, smaller banks often lack sufficient internal data and resources, making it difficult for them to create effective AI solutions. In March 2024, the US Treasury released a report on this problem, calling for enhanced data sharing collaboration among financial institutions.
A tech-forward, multichannel response

US banks are standing on a precipice. To remain competitive they must prioritize innovation. And this means adopting more sophisticated technologies that can analyze the context of transactions in real-time and across various channels. A more integrated approach is also necessary to address the multifaceted nature of fraud - both between the individual departments and channels in a bank, as well as between banks.

Regardless of separate investments in push notifications, RBA, behavioral biometrics, FIDO or passkeys, if banks are not looking at both active and silent signals across the originating and authenticating channels and capturing all the signals of all the existing infrastructure they have for a complete picture, they will remain exposed. The technology solution is available and tried and tested. What is required is a willingness to do things differently.

Email Blob Attack Bypasses Security Protections, Steals Passwords

Forbes

10-05-2025


Beware the blob attacks. It might sound like an old B-movie horror film, but the blob is very real and very scary nonetheless. With email increasingly coming under attack from threat actors, and stolen passwords often used to gain initial access to email accounts, anything that combines the two things is a security nightmare. Welcome to the very dark and dangerous world of email blob attacks that will compromise your passwords.

Threat intelligence experts have been monitoring a new threat to email users, and specifically their passwords, for some time now. That threat comes by way, as is nearly always the case, of a legitimate internet technology. Using Blob URIs to distribute phishing pages that can steal user credentials by way of email inboxes is proving to be something of a hacker's friend.

'Blob URIs are generated by a browser to display and work with temporary data that only that browser can access,' Jacob Malimban, a member of the Cofense Intelligence Team, said. By way of an example, you will find services such as YouTube storing videos temporarily within a browser using blob URIs. The advantage of a blob is that only the browser that generated it can access it. That's the good news. The disadvantage of a blob is that only the browser that generated it can access it. 'Because the data is local to a client browser,' Malimban explained, 'blob URIs cannot be directly accessed over the internet like usual websites.' Which means that the ultimate password-stealing phishing page is not accessible over the internet like other malicious sites, 'because the blob URI used to visit it is generated locally.'

Have you guessed why this is such a security nightmare yet, horror fans? Yep, it makes identifying and stopping such attacks harder than they should be, especially for those defenses using AI that have yet to learn 'how to distinguish between legitimate and malicious blob URIs,' Malimban warned.
Although it's important to remember that these blobs can be used for legitimate purposes, if you get an email which includes a link to a site where the address bar has either 'blob: or 'blob: at the start, you should be on high alert for a potential phishing attack. According to Malimban, multiple campaigns are currently using the blob URI attack methodology. 'Campaign lures for logging in include receiving an encrypted message, accessing your Intuit tax account,' Malimban said, 'and reviewing an alert from a financial institution.' You have been warned, be on alert for the blob and protect your passwords.
