Humans are the biggest weakness in banks’ cyber defences, but there are several others that also need attention, penetration testers have revealed.
Banks have formidable barriers to external cyber attacks, but some are still vulnerable to internal attacks using social engineering, vulnerabilities in web applications and the help of insiders, a report reveals.
As soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries, according to a report on cyber attacks on banks by Positive Technologies.
The weakest link in bank security is the human factor, the report said, with attackers able to bypass the best-protected network perimeter easily with the help of phishing.
Employees falling for phishing messages
Phishing messages can be sent to bank employees both at their work and personal email addresses, and this method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN, the report said.
In tests by Positive Technologies, employees at 75% of banks reviewed had clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on their work computer.
With access to the internal network of client banks, Positive Technologies penetration testers succeeded in obtaining access to financial applications in 58% of cases.
At 25% of banks, they were able to compromise the workstations used for the management of automatic teller machines (ATMs), which means the banks tested were vulnerable to techniques similar to ones used by Cobalt and other cyber criminal gangs in actual attacks.
Another key finding of the report is that attackers often gain access to banks’ internal networks by compromising business partners and contractors, who may poorly secure their networks, and place malware on sites known to be visited by bank employees, as seen with Lazarus and Lurk.