Pandemic stay-at-home orders forced banks to move brick-and-mortar services online. According to a 2021 American Bankers Association survey, digital banking frequency increased during the pandemic, with 44 percent of customers using mobile apps and 26 percent using PCs and laptops.
“Consumers have become accustomed to mobile deposits and taking out home loans from their homes,” said HORNE Cyber Managing Partner Mike Skinner.
Few are leaving the conveniences of mobile banking to return to brick-and-mortar services.
Generation Z and millennials prefer online banking experiences. According to a 2021 Statista survey, U.S. consumers aged 18 to 34 spend 253 minutes a day on smartphones.
“Many members of younger generations have never been in a bank, except maybe to open an account. They do everything on the app,” Skinner said.
Because of that, banks are shifting more financial services to mobile apps to meet the demand.
The pandemic forced many bank employees to work from home for the first time. Banks rushed to extend their networks into employees' homes to maintain productivity.
Mobile banking and hybrid working models make a bank's network larger and more complex, and every added connection, endpoint and vendor is a potential cybersecurity vulnerability. It pays to know how to reduce the risks.
Mobile apps and hybrid working models expand bank networks and cyber risk
“Financial institutions are digitally transforming banking to integrate with mobile apps,” Skinner said.
Mobile application developers and integrators make the transformations possible. But third-party vendors increase the size and complexity of banking networks and introduce security vulnerabilities.
Developers use Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) to connect to banking servers to develop robust mobile apps. The bank must authenticate those users to keep cybercriminals off the network, yet remote server access is often protected by weak access controls, such as a password alone.
Criminal hackers know it, so they target exposed RDP and VNC servers, typically by guessing passwords at scale. Alternatively, they breach the third parties themselves to steal the credentials for these connections.
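One practical counter to the password guessing described above is to watch the authentication logs of any remote-access listener. The following is an added example and not code from the article or from HORNE Cyber. It assumes Windows Security events have been exported as one JSON object per line with the field names shown in the sample; it relies on Microsoft's documented meanings of EventID 4625 (failed logon) and LogonType 10 (RemoteInteractive, the type RDP sessions use). The sample log, the IP addresses and the thresholds are constructed for illustration; a VNC server's logs would need their own parser.

```python
"""Flag brute-force and password-spray activity against an RDP listener from
Windows Security log records.

Added example, not from the article or HORNE Cyber. Assumptions: events are
exported as one JSON object per line with the field names shown below; per
Microsoft's documentation, EventID 4625 is a failed logon and LogonType 10
(RemoteInteractive) is the type RDP sessions use. Thresholds are illustrative.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 5         # failed RDP logons from one source inside WINDOW
SPRAY_USER_THRESHOLD = 4   # distinct accounts tried from one source inside WINDOW


def _event(ts, event_id, logon_type, ip, user):
    return json.dumps({"TimeCreated": ts, "EventID": event_id,
                       "LogonType": logon_type, "IpAddress": ip,
                       "TargetUserName": user})


# Constructed sample log. 198.51.100.7 hammers one account; 203.0.113.9 tries
# one password against several accounts; 192.0.2.50 is a user who mistyped a
# password twice. The 4624 (success) and LogonType 3 (network) records show
# that unrelated events are ignored.
SAMPLE_LOG = "\n".join([
    _event("2024-03-04T02:00:00", 4625, 10, "198.51.100.7", "administrator"),
    _event("2024-03-04T02:00:10", 4625, 10, "198.51.100.7", "administrator"),
    _event("2024-03-04T02:00:20", 4625, 10, "198.51.100.7", "administrator"),
    _event("2024-03-04T02:00:30", 4625, 10, "198.51.100.7", "administrator"),
    _event("2024-03-04T02:00:40", 4625, 10, "198.51.100.7", "administrator"),
    _event("2024-03-04T02:00:50", 4625, 10, "198.51.100.7", "administrator"),
    _event("2024-03-04T02:10:00", 4625, 10, "203.0.113.9", "alice"),
    _event("2024-03-04T02:10:05", 4625, 10, "203.0.113.9", "bob"),
    _event("2024-03-04T02:10:10", 4625, 10, "203.0.113.9", "carol"),
    _event("2024-03-04T02:10:15", 4625, 10, "203.0.113.9", "dave"),
    _event("2024-03-04T02:20:00", 4625, 10, "192.0.2.50", "erin"),
    _event("2024-03-04T02:20:30", 4625, 10, "192.0.2.50", "erin"),
    _event("2024-03-04T02:21:00", 4624, 10, "192.0.2.50", "erin"),
    _event("2024-03-04T02:22:00", 4625, 3, "192.0.2.50", "erin"),
])


def parse_failed_rdp_logons(text):
    """Yield (timestamp, source_ip, target_user) for failed RDP logons only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("EventID") != 4625 or rec.get("LogonType") != 10:
            continue
        yield (datetime.fromisoformat(rec["TimeCreated"]),
               rec["IpAddress"], rec["TargetUserName"])


def detect_rdp_attacks(text):
    """Return sorted (source_ip, kind) alerts, one per source and kind.

    A sliding window per source IP keeps only failures inside WINDOW, so a
    slow trickle of typos over a day never accumulates into an alert.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user)
    alerts = set()
    for ts, ip, user in sorted(parse_failed_rdp_logons(text)):
        window = recent[ip]
        window.append((ts, user))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD:
            alerts.add((ip, "brute_force"))
        if len({u for _, u in window}) >= SPRAY_USER_THRESHOLD:
            alerts.add((ip, "password_spray"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, kind in detect_rdp_attacks(SAMPLE_LOG):
        print(f"{kind:15} {ip}")
```

The two detectors are deliberately separate: a spray of one password across many accounts stays under a per-account lockout and under a naive "N failures from one IP" rule, so counting distinct target accounts per source is what catches it.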
Developers and integrators leverage banking APIs to connect financial services to mobile apps.
“Integrators such as Plaid use APIs to connect mobile apps to financial institutions so customers can transfer money to their crypto-wallet,” Skinner explained.
Criminal hackers target these ubiquitous banking APIs to intercept financial data.
“While a community bank may have dozens of APIs, a JPMorgan, Chase or Bank of America probably has thousands. The more APIs, the broader the institution’s attack surface,” Skinner said.
Hybrid working models add more complexity and risk.
“Banks were centrally managed, with few employees working remotely. Since COVID, even loan officers are working from home,” Skinner said.
Working from home connects bank networks to employee-owned endpoints, such as home computers, and dissolves the network perimeter. Remote workers must be authenticated and authorized to confirm their identities, and their traffic must be encrypted, typically with virtual private networks (VPNs), to keep banking data safe. Implementing and managing these tools is not trivial, and the tools have vulnerabilities of their own.
MSPs secure and expose modern banking networks
Banks are responding by entrusting cybersecurity to MSPs.
“Banks use MSPs to implement VPNs for work-from-home and monitor mobile apps and network traffic,” Skinner said.
But MSPs add cyber risks. MSPs have administrative access rights and privileges on the bank’s systems and install software agents to manage and monitor core servers and network devices. Criminal hackers who gain control of the MSP inherit the rights, privileges and connections across the bank’s network. They can disrupt operations and steal the bank’s intellectual property, customer records and funds. Breaches can bring regulatory penalties, lawsuits, credit downgrades and reputational damage.
“MSPs are attractive targets for cybercriminals. If they breach the MSP, they might access data from all its customers, including the banks,” Skinner said.
Cyber securing the digital bank
Banks can manage third-party provider and MSP risks, Skinner said.
“Make vendors do their due diligence and monitor their cybersecurity posture,” he said.
Banks can contractually require vendors to maintain security controls for their organizations that align with the bank’s controls, and banks can audit the controls. By enforcing contracts and controls, banks can mitigate third-party vulnerabilities, Skinner explained.
“MSPs must meet explicit requirements for access control security, so they know who has access to bank login information,” he said.
Banks can require specific security methodologies and approaches for particular services.
“Mobile app developers must apply secure development lifecycle processes to develop mobile banking apps,” Skinner said, adding that it limits vulnerabilities in web and mobile banking apps.
MSPs providing backup and recovery services must confirm that backups target everything in the scope of the backup plan. They must test complete data restoration regularly, and the more essential the systems and data, the more frequent the tests.
“So many times, banks have an outage, or a system goes down, and they’ll go to bring it back up, and they can’t recover the data,” Skinner said.
Banks can’t afford backups that don’t work in a breach or ransomware attack.
Banks can also specify multifactor authentication (MFA) for mobile app customers, home-working employees and third-party vendors.
“Users access banking networks and systems, moving from one system to another. If an attacker gains unauthorized access to a system through a trusted user account or an administrator account with extra privileges, they could pivot to other systems,” Skinner said.
MFA makes that unauthorized access and lateral movement much harder, because a stolen or guessed password alone no longer grants a login at each hop.
Empowering employees and customers
Customers and employees enjoy the independence of mobile banking and working from home, and they won’t let it go away. To strengthen cybersecurity, banks need to make it work for everyone.
“Banks need to make security, including MFA, easy and seamless. If it’s hard, users turn it off or find a way around it,” Skinner said.
Banks must replace the money that customers lose to criminal hackers, so training employees, vendors and customers on cybersecurity pays off directly: it mitigates the risk of phishing emails and business email compromise (BEC) attacks that fraudsters use to rob customers and financial institutions.