The outcome of a recent simulated cyberattack against financial-services companies, government organizations, retailers and payment processors illustrates the need for a concerted effort to thwart would-be attackers.
Participants in the simulation held Feb. 9 to 11 included 634 financial institutions, 67 business and government entities, 34 card processors, and 29 retailers. Sponsored by the Financial Services Information Sharing and Analysis Center, a Sterling, Va.-based group, the simulated Cyber Attack Against Payment Processes Exercise spawned 15 recommendations ranging from developing a data-security standard for third-party processors to creating education programs for the payments industry.
“Businesses have been ripped off, and financial institutions are in the middle many times,” Bill Nelson, the center’s president and CEO, tells PaymentsSource. “We have a responsibility to help customers.”
The center designed different attack scenarios for each group. Financial institutions were subjected to a three-part attack: an attempt to deny user access to an entity’s website, an attempt to trick a business customer into loading malicious software, and a breach at a fictional third-party check processor.
“The fact is, if there was a major checking-account breach, it could be a much bigger problem than when card data are compromised,” Nelson says.
The top three steps financial institutions found they should take include using multifactor authentication, setting per-transaction and daily limits, and having their business clients set up a dual-control system in which one person may initiate a payment but another must authorize it.
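As an added illustration, not part of the article or of the center’s material, the following Python sketch models two of the three business-client controls named above: per-transaction and daily limits, and dual control in which the login that initiates a payment can never be the one that releases it. The limits, user names and dates are constructed values.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed example limits; a real institution sets these per customer.
PER_TXN_LIMIT = Decimal("25000")
DAILY_LIMIT = Decimal("100000")


@dataclass
class Payment:
    payment_id: str
    amount: Decimal
    initiated_by: str        # login that created the payment
    value_date: str          # ISO date, e.g. "2011-02-09"
    approved_by: Optional[str] = None


class PaymentControls:
    """Per-transaction limit, daily limit and dual control (initiator != approver)."""

    def __init__(self, per_txn_limit=PER_TXN_LIMIT, daily_limit=DAILY_LIMIT):
        self.per_txn_limit, self.daily_limit = per_txn_limit, daily_limit
        self.pending: Dict[str, Payment] = {}    # initiated, awaiting approval
        self.released: List[Payment] = []        # approved and sent

    def initiate(self, payment: Payment) -> Tuple[bool, str]:
        """First control: the per-transaction limit is enforced at creation."""
        if payment.amount <= 0 or payment.amount > self.per_txn_limit:
            return False, "rejected: amount outside per-transaction limit"
        self.pending[payment.payment_id] = payment
        return True, "pending approval"

    def approve(self, payment_id: str, approver: str) -> Tuple[bool, str]:
        """Second control: a different login releases it, within the daily limit."""
        payment = self.pending.get(payment_id)
        if payment is None:
            return False, "rejected: unknown or already processed payment"
        if approver == payment.initiated_by:
            # One compromised login cannot both create and release a payment.
            return False, "rejected: initiator may not approve own payment"
        released_today = sum((p.amount for p in self.released
                              if p.value_date == payment.value_date), Decimal(0))
        if released_today + payment.amount > self.daily_limit:
            return False, "rejected: exceeds daily limit"
        payment.approved_by = approver
        self.released.append(self.pending.pop(payment_id))
        return True, "released"
```

The daily cap is computed from payments already released for the same value date, so a batch of individually permitted transfers still stops once the day’s total is reached.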
In the exercise, payment processors faced two simulated threats. One was an attempt to get an executive to unknowingly install malicious software on a computer, and the other was to overload the company’s network. The exercise programmers delivered the fake malware via an e-mail that appeared to come from the executive’s daughter with a link to view some vacation photos, Nelson says.
Education is the top recommendation for all payments-industry organizations, he says.
For example, the payment processors involved in the simulation saw the need to talk to their employees about the attacks and to develop messages to tell customers in the event of a breach, Nelson says.
A majority, 64%, of participating payment processors would look for advice from the card brands following a breach, and by the third day of an attack, 74% would reach out to their regulators, the center says.
The lesson is a simple one, Nelson says. “Payment companies need to have an integrated, layered defense strategy,” he says. “If you have just one, the bad guys will find a way around it.”