Financial services is a highly regulated industry, but that doesn’t mean it’s immune to cybersecurity woes. According to a new report, financial services organizations experience higher rates of phishing and man-in-the-middle (MiTM) attacks via mobile devices than other industries, and technology trends are making the issues even more complex.
The financial services mobile security report, published by Wandera, draws on data from 4.7 million events across 225 financial services customers. Wandera compares incidents such as phishing attacks (57% of organizations in financial services have seen these, compared to 42% across all industries) and MiTM attacks (36% in financial services compared to 24% all industries) involving mobile devices.
The specifics of the threats come in the context of rising overall threats. In the UK alone, the number of breaches in the financial services industry increased by 480% from 2017 through 2018.
One of the important findings in the report, according to Michael Covington, vice-president od product strategy at Wandera, is what is not a major issue: “I think a lot of people, when they think of threats on mobile, they think of malware, and it just isn’t there,” he says. “I think it’s largely because the mobile devices themselves are fairly well-built.”
Instead of malware, criminals are using phishing attacks to gain access to financial services networks, but not just any attacks. “We’re seeing more targeted attacks within financial services instead of kind of the scattershot approach where you send out a phishing attack to everybody in the organization,” he explains.
The success of phishing attacks on mobile devices in financial services may be part of a larger pattern of risky mobile behavior by those in the industry. According to the report, 42% of the organizations represented had devices with “side-loaded” apps — apps downloaded and installed from sites other than the app stores approved for the device. Covington says, “You start to see the implications of letting employees manage their own device.”
And those employees are managing their devices in tremendous numbers, he says. Employee-owned devices, used to conduct company business, are targets because of the sensitive data they contain.
“There’s no doubt in my mind that the criminal side of the equation is after rich data,” he says. And the availability of rich data goes beyond the data just on the mobile devices since their users have access to enterprise applications and databases. “That’s also why phishing attacks are specifically on the rise within financial services organizations because it’s the credentials that the attacker can get,” Covington says. “Those provide them access to the data repositories in the cloud or in the data center.”
Protecting your organization from employee mobile devices comes down to better managing mobile devices. “They need to be making sure that when a user logs into a service that it is indeed that user. And they need to look at the devices that those users are coming from,” he says. “Sometimes it’s going to matter to an organization if it’s a sanctioned device. Other times it won’t.”
Ultimately, though, it comes down to only giving verified and authorized users access to corporate resources from their mobile devices, and only if those devices are trustworthy, he says.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio