How a new generation of digital bank branches is at risk from cyber attack.

Banks have been focusing on cybersecurity for many years now, but the risks they face seem greater than ever before. As the industry undergoes a rapid digital transformation in its services and new style digital bank branches, there should be a simultaneous focus on modernizing cybersecurity strategies.

Some of the raised concerns can be traced to whether the Ukrainian war will spill over into cyber attacks on the banking system. An alert in spring 2022 from the European Banking Authority suggested the risk of this happening had increased. On its risk dashboard, the EBA said the dangers of the exposure to Eastern European Banks collapsing were less of a threat than “second-round” effects like cyberattacks that “may be more material from a financial stability perspective.”

Whether driven by nation states or not, cybercriminal gangs continue to target banking services – particularly ATMs – to steal money and valuable financial information about customers and cause business continuity disruption and service interruptions.

According to Zion, the global ATM market accounted for US$15.1 billion in 2020 and is expected to rise to US$21.2 billion by 2028, growing at a CAGR of around 4.8% between 2021 and 2028. The financial services industry is undergoing rapid digital transformation, banks cannot afford to neglect cybersecurity strategies, especially at a time of increased risks and threats.

The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting (ATM malware and logical attacks) in 2020; resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of ATM fraud reported, such as card skimming and physical attacks were down, jackpotting attacks represented a 44 percent increase in number of attacks and a 14 percent increase in losses from 2019.

These attacks on financial services can generate lucrative cash returns, which encourages gangs to invest serious internal budgets into research and development to prepare attacks.

However, banks can still take preventative measures to reduce the likelihood of attacks and mitigate the damage caused. Cybersecurity management must complement and coexist alongside digitalization programs, especially on the deployment of even the most advanced ATMs and assisted self-service terminals (ASSTs), which are now being used in next-generation branches and digital banking hubs, that are particularly vulnerable to attack. Security leaders should hone into these for cybersecurity review and consider the Zero Trust model. It helps to secure critical endpoints and other parts of the banking service infrastructure. It is mission critical for security teams to minimize the attack surface, obtain greater visibility of what is happening, and have faster insight into anomalous activities that could be (or are) suspicious.

Zero Trust is defined by a cybersecurity system that minimizes the level of implicit trust so that a system is only accessing software and in use when stringent checks are done. This important concept can be successfully applied to ATMs and ASSTs as they comprise several software layers, including an operating system, hardware vendor/software layer, the multi-vendor layer, plus the different tools for operations, monitoring, security, and so on. Unlike PCs, the software updating on these devices tends to be reactive, which means liabilities can slip into software inadvertently – making the concept of Zero Trust critical in isolating a layer that is unpatched.

Here is a useful checklist to consider when adopting a modern approach to protecting fleets of ATMs and ASSTs used as the digital hubs in new-style bank branches:

• Reduce the attack surface. Access will only be allowed when needed, and not just when it is legitimate, only if the user has been certified for proper operations.

• Control whoever is going to physically manipulate the ATM. Standard solutions like antiviruses have the same level of protection at any time, but when critical devices have a third party manipulating it, banks must be able to control the level of protection and activate specific policies in that specific moment. The bank should be able to monitor what the technician is doing at a time of highest exposure.

• Cybersecurity for banking made easier. Consolidate protection measures on a single platform such as application whitelisting, full encryption of all hard disks and media, file system integrity protection, hardware protection, and a firewall to stop network attacks.

The value of the Zero Trust strategy lies in its ability to allow financial institutions to secure digital self-service banking without trusting the assumed security of mainstream software. This distrust is important because cyber attackers will

hijack legitimate tools and software to launch an attack. Zero Trust for banking endpoints should extend to third-party tools and services that have permission to access ATMs and ASSTs when servicing these devices. Effective cybersecurity must interrogate access and verify it is correct or authorized at all times.

Unlock the Power of WiFi 6: How To Leverage It...

TBT Newsroom • 01st March 2023

Are you tired of being left behind in the technological world? Well, fear not! WiFi 6 is here to save the day and bring your business into the future. With unprecedented speeds and a host of new capabilities, WiFi 6 is the must-have technology for any business looking to stay ahead of the curve.

Sustainable Phones

TBT Newsroom • 04th May 2022

Cat phones (made by UK-based company Bullitt Group) are explicitly designed to be rugged, with devices built to last and have a longer lifespan. Industry Analyst firm Canalys notes that the current average lifecycle of smartphones in the mass market is approximately 37 months for iPhones and 33 months for Android devices.

From Credit Cards To Mobile Payment  

Ripsy Plaid • 27th April 2022

Plaid, the open finance data network, and payments platform have appointed Ripsy Bandourian as its first Head of Europe as it continues to rapidly expand across the continent. Based in Amsterdam, Ripsy will lead the business strategy and operations for Plaid’s Europe arm as it moves into its next stage of growth. 

How biometric technology can be used for remote proof of...

Chris Corfield • 08th April 2022

The pandemic has accelerated the adoption of digital financial services, driving organizations to speed up their transformation programs globally. Most banks, as well as pension providers, are still in the early stages of integrating technologies such as machine learning and artificial intelligence, and as the world continues to battle the long-term effects of COVID-19, the...