They were patient. That’s how one security company executive — who monitors the guestbook-like log data of his clients — described attackers eyeing up one of his customer's network backups. The criminals were quickly booted. But, they were, the executive said, clearly hatching a bigger scheme. His best guess: seeding false data.

Despite recent headlines, the future of cybercrime has little to do with increasingly popular strains of malware — think, ransomware. Soon, criminal hackers hell bent on disrupting a business might work hard to undermine the confidence customers have in, say, your bank. They could accomplish such a task by slightly changing company information.

That means bank customers might end up not being able to complete an ATM transaction because of a modified four-digit PIN. That’s not bombast. Such prognostication isn’t far off in a world increasingly dominated by reports of NSA-leaked exploits and big box breaches. 

Last week, I attended both Black Hat, a conference showcasing tools meant to protect networks, and DefCon, where hackers display research on how to break those same defenses. At the former, I met with security companies that help banks manage threat intelligence feeds, fight fraud, and practice good cybersecurity hygiene, among other vital functions. At the latter, researchers demonstrated exotic — and mostly impractical — techniques to cryptographically forge files, potentially allowing attackers to upload malicious updates; bypass the security protections of card readers; and 'weaponize' machine learning. All with the goal of helping ordinary firms improve their security posture. 
     
It’s an annual illustration of the vast walls security teams must erect, while outsiders try to chip away at the smallest holes to potentially expose company secrets. We’ll leave the discussion of risk, and how banks prioritize patching software weaknesses, for another post.


Author

About Sean Sposito

Sean Sposito is an analyst in the fraud and security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 

Stay in Touch!