
Ever since the creation of the bank, criminals have set their sights on these institutions as a get-rich-quick scheme. Though their goals have remained the same, their methods have evolved, as today’s bank robbers have traded in their masks for keyboards. For those in the banking industry fighting on the front lines of the escalating cyber war, this isn’t news. But as attacks continue to become more targeted and sophisticated, IT teams are struggling against a range of agents, from common hackers to nation-states, to keep their networks and their vaults secure.

The Turning Point
In 2015, Kaspersky Lab uncovered a large cyber criminal ring, dubbed Carbanak after the strain of malware used in its attacks, that had evaded detection for roughly two years while infiltrating more than 100 banks in 30 countries and making off with as much as $1 billion. This signaled a departure from the more customary attack, in which the target is personally identifiable information (PII) belonging to bank customers. Instead, Carbanak targeted the banks' own internal money-processing systems and automated teller machines (ATMs).

Gone Phishin’
Given Carbanak's success, attackers are turning their attention away from customer PII and toward the banks themselves. New variants of the malware surfaced last fall, delivered through phishing emails, and new criminal groups emerged as recently as this past February using the same playbook: spear phishing to plant customized malware and take control of bank systems.

In February 2016, one such group initiated roughly $101 million in fraudulent transfers from the Bangladesh central bank's account at the Federal Reserve Bank of New York, about $81 million of which reached accounts in the Philippines. The attackers had spied on Bangladesh Bank for weeks before the theft, quietly infiltrating dozens of its computers through phishing and stealing the credentials used to authorize payment transfers. They then issued the fraudulent transfer orders to the New York Fed in the bank's name.

Further cementing malware as the preferred weapon of the modern-day bank robber is the discovery of a new hybrid banking trojan called GozNym, a combination of the Nymaim malware that first appeared in 2013 and the Gozi malware that emerged in 2012. Attackers used GozNym to steal an estimated $4 million from the customers of banks in April 2016. Once running on a customer's machine, the trojan sends financial data and screenshots back to the attacker, who can then use that information to steal directly from the customer's account.

Phishing is one of the oldest tricks of the hacker trade, and for good reason: it works. Attackers take meticulous care in crafting emails that pass for legitimate banking communications, tricking bank employees, or third parties with access to bank systems, into handing over their credentials. Once inside, they exploit known vulnerabilities in commonly used applications that large banks leave unpatched because of their cumbersome infrastructure.

Securing the Vault
While bank IT teams have made strides to protect customer data and limit credit card fraud, the security of the bank’s own internal systems has been taking a backseat.

Here are a few steps that bank IT teams can take to better secure the vault:

  • Assume the network has already been breached, or soon will be. Adopting this mindset forces the IT team to identify and prioritize the most business-critical parts of the network, and that is where network segmentation comes in. Done correctly, segmentation into network zones limits an attacker's ability to move laterally across a compromised network. It is a constant job of updates and configuration changes, but it can mean the difference between an attacker getting no further than an employee's infected computer and helping themselves to the bank's ATM systems.
  • Establish an enterprise-wide security policy. A well-defined security policy is the road map a bank IT team needs to maintain a truly adaptive security architecture: it tells the people protecting the bank's systems how the network should operate with minimal risk. The policy should also cover all regulatory and enterprise compliance requirements, and how often patches are applied.
  • Enforce your security policy. Having a policy that defines how the IT platform should behave is one thing; actually enforcing it is another, and doing the former without the latter leads to serious problems. A good security policy is a living document, updated continuously, and a collaborative effort across the enterprise: network operations, security operations and the CIO.
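
The three steps above, segment, write the policy down, and check the rule base against it, can be turned into a concrete audit. The following Python script is an added illustration, not code from the article or from Tufin: the zone names, the firewall rule base and the policy matrix are constructed for the example. It finds allow rules that the written policy does not permit, then answers the "assume breach" question by computing which zones an attacker who owns a workstation can reach by hopping through allowed paths, before and after the offending rule is removed.

```python
"""Audit zone-to-zone firewall rules for lateral-movement exposure.

Added illustration, not code from the article or from Tufin. The zones,
rules and policy matrix below are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = "*"       # wildcard zone
ANY_PORT = 0    # wildcard port


@dataclass(frozen=True)
class Rule:
    src: str      # source zone (or "*")
    dst: str      # destination zone (or "*")
    port: int     # TCP port, 0 = any
    action: str   # "allow" or "deny"


# Constructed zones. Assumption: ATM and payment systems sit in their own zones.
ZONES = ["workstations", "jump_host", "servers", "payment_processing", "atm_network"]

# Constructed rule base, evaluated first-match like most firewalls.
RULES: List[Rule] = [
    Rule("workstations", "jump_host", 22, "allow"),
    Rule("jump_host", "payment_processing", 443, "allow"),
    Rule("workstations", "atm_network", ANY_PORT, "allow"),  # stale "temporary" rule
    Rule("servers", "payment_processing", 443, "allow"),
    Rule(ANY, ANY, ANY_PORT, "deny"),                          # default deny
]

# Written security policy: the only zone pairs and ports ever allowed.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("workstations", "jump_host"): {22},
    ("jump_host", "payment_processing"): {443},
    ("servers", "payment_processing"): {443},
}


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching (src, dst, port); default deny."""
    for r in rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY_PORT):
            return r.action
    return "deny"


def policy_violations(rules: List[Rule], policy: Dict[Tuple[str, str], Set[int]]) -> List[Rule]:
    """Allow rules that permit traffic the written policy does not (the enforcement check)."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        allowed = policy.get((r.src, r.dst))
        if allowed is None or r.port == ANY_PORT or r.port not in allowed:
            bad.append(r)
    return bad


def reachable_zones(rules: List[Rule], zones: List[str], start: str) -> Set[str]:
    """Zones an attacker who owns `start` can reach by hopping through allowed paths.

    Probes each rule's port plus one arbitrary high port so any-port rules are
    caught, and goes through evaluate() so shadowed rules are handled correctly.
    """
    probe_ports = {r.port for r in rules if r.port != ANY_PORT} | {65535}
    seen = {start}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for dst in zones:
            if dst in seen:
                continue
            if any(evaluate(rules, here, dst, p) == "allow" for p in probe_ports):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def without(rules: List[Rule], offenders: List[Rule]) -> List[Rule]:
    """Rule base with the offending allow rules removed (the remediation)."""
    return [r for r in rules if r not in offenders]


if __name__ == "__main__":
    offenders = policy_violations(RULES, POLICY)
    print("rules violating policy:", offenders)
    print("reachable from a compromised workstation:",
          sorted(reachable_zones(RULES, ZONES, "workstations")))
    hardened = without(RULES, offenders)
    print("after remediation:", sorted(reachable_zones(hardened, ZONES, "workstations")))
```

On the constructed rule base the audit flags the any-port rule from workstations to the ATM zone, and the reachability walk shows a compromised workstation can hop to the ATM zone directly and to payment processing via the jump host. Removing the flagged rule cuts off the ATM zone; the jump host remains the single chokepoint into payment processing, which is where monitoring and strong authentication should concentrate.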

We’re facing a new generation of attackers that have an intimate knowledge of banking systems’ inner workings. While managing network security has become a complex, resource-intensive task, it’s crucial for senior management to have an accurate picture of the organization’s security posture at all times and the ability to act quickly to close any gaps. Carbanak proved last year that stealing directly from the bank’s systems yields far bigger payouts for cyber criminals than the sale of stolen PII, and this trend shows no signs of slowing down as new variants continue to emerge now, over a year later.

Ofer Or is vice president of products at Tufin®, the leader in Network Security Policy Orchestration. Tufin enables the world’s largest financial institutions to centrally manage, visualize & control enterprise-wide policies while maintaining cybersecurity, business agility and continuous compliance. For more information, visit

