Pub. 13 2018-2019 Issue 1

WWW.NEBANKERS.ORG 14

changes to their contact, login, banking, or payment information. Fourth, it failed to require email validation at account creation. Finally, it failed to use basic security tools to prevent rapid account access attempts from the same device or IP address.

Verizon Data Breach Incident Report

Like the bills from state and federal governments that TaxSlayer helps its clients pay, data breaches are becoming a nearly universal experience. According to the recent Data Breach Incident Report (DBIR), 10 compiled by Verizon, there were more than 53,000 incidents and 2,216 confirmed data breaches in 2017. Of those, 598 incidents and 146 confirmed data breaches affected the financial and insurance sectors. 11 Those figures do not even include banking Trojan botnets, one of the most popular forms of online mischief against banks, or the illicit use of stolen online banking credentials (of which more than 43,000 successfully achieved account access). 12 Whether banks will be targeted in 2018 is not a question of “if,” but “when.”

Perhaps unsurprisingly, the financial and insurance sectors are disproportionately threatened by external actors (92 percent) with financial motives (93 percent). 13 By comparison, those numbers were 73 percent and 76 percent, respectively, for the entire data set. 14 Notably, there was a significant downward trend for insider fraud among bank employees. 15

U.S. companies, and banks in particular, are overwhelmingly targeted by one specific type of hacking attempt: botnets. A botnet is simply a network of internet-connected devices that a hacker remotely controls but does not own. Botnets typically harm companies in one of three ways. First, a hacker can simply use a botnet to enter stolen credentials into a website much more quickly than she could enter them herself.
This is fundamentally the same technique the TaxSlayer hackers used to perform their list validation attack, although it is not clear whether they entered those credentials manually or used some kind of automated botnet. Banks were on the receiving end of 91 percent of these attacks by botnets in 2017. 16 Second, a botnet can be used to launch a Distributed Denial of Service (DDoS) attack against a company, which floods its capacity to handle incoming traffic and slows or shuts down the site. As was mentioned above, these two types of attacks were so numerous that Verizon declined to include them in the statistics cited above for fear of drowning out everything else. 17 Finally, a hacker can seize control of a given company’s computers and “recruit” them into his botnet, where he can use them to launch attacks of the first two types. 18 This can cause significant performance degradation or even shut down that company’s system while the botnet is engaged.

Two attacks that are highly specific to the financial sector are also on the rise: payment card skimmers and ATM “jackpotting.” 19 Excluding those attacks and the botnet attacks described above, the next top three attack patterns were crimeware (including ransomware), web applications, and phishing at 49, 36, and 30 attacks respectively. 20 Those attacks are frequently related:

Counselor’s Corner — continued from page 13
