Since the news broke earlier this year that cybercriminals have hit multiple banks connected to the SWIFT network, financial institutions’ security practices, as well as the security of SWIFT itself, have come under intense scrutiny. It should come as no surprise then that a number of big banks, as well as SWIFT, are making moves to improve security.
Eight of the world’s largest banks announced have formed a group to combat cyberthreats. Meanwhile, SWIFT is launching a new campaign aimed at increasing awareness of the existing security features in its interface products.
The bank partnership, whose members include J.P. Morgan Chase, Bank of America and Goldman Sachs, is still in its early stages. However, the banks are expected to share threat information with each other, prepare responses to attacks and conduct war games, the Wall Street Journal noted. According to a report released in May by IBM, the financial services sector ranked third in the number of cyberattacks incurred in 2015, behind healthcare and manufacturing.
The group will operate under the Financial Services Information Sharing and Analysis Center (FS-ISAC) and will attempt to build upon that group’s already considerable efforts. “They are trying to provide a support mechanism for deeper information-sharing and collaboration on top of whatever is already going on today,” said John Carlson, chief of staff at the FS-ISAC.
As for SWIFT, the financial messaging network’s new campaign is aimed at making sure their customers secure their environments, as well as enhancing SWIFT’s own security features in its products, noted Stephen Gilderdale, head of SWIFT’s new Customer Security Program. “Through this awareness campaign we aim to make sure our users make the most of SWIFT’s existing security tools and controls,” he said.
SWIFT has good reason to be concerned. When news of the $81 million Bangladesh Bank breach first broke, there was quite a bit of finger-pointing that went on over who was at fault. SWIFT ultimately advised customers that in that incident, and in another one that followed, the network itself was not breached. Instead, hackers exploited vulnerabilities in the banks’ own systems, which allowed fraudulent messages to be sent across the SWIFT network. “The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process,” SWIFT said in a statement at the time.
Of course, while banks are perhaps the goldmine for cybercriminals, corporate entities are still a prime target. Late last week, it was revealed that payments systems at 20 different hotels have recently been hacked.
HEI Hotels & Resorts, which operates Marriott, Hyatt, Sheraton, Intercontinental, Westin and other hotels, said in a statement that it discovered malware on its payment processing systems at properties in California, Washington, D.C. and nine other states. Guests’ names, payment card account numbers, card expiration dates and verification codes—i.e., everything needed to make a card-not-present (CNP) purchase—may have been compromised. The malware is believed to have been active from December 2015 to June 2016, though in some locations it may have gone live as early as March 2015 in hotel restaurants, the Associated Press noted.
HEI isn’t the first hotel chain to be breached; Hilton, Trump and Starwood have also recently experienced incidents. According to Brad Deflin, president of Total Digital Security and a speaker at the 2016 AFP Annual Conference in Orlando, on-property hotel payment systems as just the latest stop in the food chain for cybercriminals. “The lodging segment is being targeted because their local points-of-sale are woefully underprepared and considered honeypots for the type of credit card information hackers seek—large transactions with little accountability,” Deflin said.
The good news, Deflin added, is that cybercriminals may eventually determine that these massive retail breaches are no longer worth the effort. Ironically, the reason for that is the large number of recent incidents. “High volume credit card information is trading on the dark net for a fraction of prices seen not long ago—saturated by billions of stolen records from the mega-breaches of the past year,” he said.
For now though, treasury and finance professionals traveling on business should be wary—not only when making credit card payments, but also when they’re doing work on their laptops in their hotel rooms. “Hackers are reengineering for their next stop in the lodging sector—the hotel WiFi system,” Deflin said. “By monitoring and collecting online activities by guests, cybercriminals get much more than a credit card number. Banking, shopping, email, passwords, business communications, personal information—all of it is collected and leveraged for maximum gain. With the WiFi hack, one individual score can far exceed many point-of-sale attacks.”
Deflin added that all travelers should prepare and use a VPN when on any unprotected network—especially a public WiFi. “With a VPN, all internet activities are automatically encrypted and made invisible to anyone on the outside,” he said.” Advances in software technology have made high-quality VPNs available for iOS and Android devices that are affordable, easy to use, and will work on any network in the world.”