
We’ve come a long way from Nigerian chain letters.

Those with a memory for the unintentionally hilarious can well remember those gems. They typically involved a wealthy individual who needed help moving millions around, and was willing to pay out huge sums of money in return for any assistance. As social engineering it was crude in the extreme, preying on the weaknesses of individuals lured by the prospect of a quick buck (or millions of bucks). The language was almost always clunky and the context ridiculous, which made anyone falling for the scam ripe for derision. But of course, there were surely people who took the bait, which is why the practice lasted for quite a while.

Today we have FIN4, and it’s a very different world out there.

This Monday, security firm FireEye dropped a critical announcement: a group of highly sophisticated cybercriminals has spent the past year hijacking email correspondence between senior executives at publicly held healthcare-related organizations. The strategy used emails with language aimed at compliance officers, legal counsel, operational chiefs, etc. In many cases these professionals opened the emails and clicked on links or attachments purporting to be from legitimate clients, which in turn directed them to a fake login page that required a sign-on. And from there on it became a joyride for the bad guys, who could steal information or even insert their own.

Sure, it’s easy to shrug at these escapades—in the past year there’s been a litany of massive data breaches at brand-name enterprises, from retailers and restaurants to financial services institutions. Millions of credit card numbers have been stolen and reams of confidential information compromised. It’s essentially so common that we’ve become numb to it.

Still, each new form of intrusion brings its own level of complexity, and the latest is no exception.

From what we know so far, FIN4—the name given to the attackers by the security firm—doesn’t resemble other recent worrisome infections, such as the Advanced Persistent Threats (APTs), which are alleged to be launched by rogue nations. These invasions don’t use malware, the systemic problem now plaguing networks around the world, which means even up-to-date defense strategies can be powerless to stop them. They instead seem to be launched and micro-managed by a small group of individuals who are intimately familiar with the inner workings of the industries and corporations they attack.

The perpetrators don’t just use flawless English, they seem very comfortable with the industry parlance used by the businesses they target. They know their way around compliance mandates, seem familiar with recent industry occurrences and maneuver easily around sensitive areas. Researchers analyzing patterns believe the attacks likely originate in Western European nations, or possibly even inside the United States.

Again, these are mostly attacks against different corners of the healthcare industry—medical device makers, pharmaceuticals, healthcare planning providers and so on. But of course, the common target is money, either through direct theft or more insidious forms of stock manipulation. That brings it back to us in the banking world.

More to the point, no one can possibly think that this new form of crime will stay within the confines of one industry, and that’s a depressing thought. Cybercrime has been around a long time, of course, but typically it seems like an external threat—villains from elsewhere worming their way into the infrastructure to pilfer what they can.

This is a little different. Many of us have been targeted by some kind of social engineering scam courtesy of the personal inbox and the home phone, or even the good old-fashioned letter. However, this breed of assault comes in via the corporate server, speaks our language (in every sense) and persuades us to give the attackers access to the network. By any definition, that’s a new kind of invasion that mandates a new kind of defense.
