How To Defend Corporate Banking Against Trojans, Malware

Hackers are leveraging increasingly sophisticated attacks against FIs, and have corporate transactions in the crosshairs. Will LaSala, director of security services at OneSpan, tells PYMNTS how signing (and checking the details of) corporate transactions with the aid of encryption can help improve the overall user experience and thwart attacks.

Corporate banking transactions are increasingly in the crosshairs of hackers.

As these transactions are increasingly done across borders, financial institutions (FIs) must grapple with diverse regulatory requirements while removing friction from the equation.

To that end, OneSpan said earlier in the month that Poland’s Bank Millennium has deployed OneSpan’s Cronto technology to secure transactions and enhance the corporate banking experience, tied in part to encryption.

Transactions are secured by allowing details, such as amount and account number, to be checked before signing, the companies explained.

The Cronto offering, which is revised Payment Services Directive (PSD2) compliant, also helps prevent “man-in-the-middle” attacks and promotes secure connections between devices and the bank.

In an interview with PYMNTS, Will LaSala, director of security services and security evangelist at OneSpan, said when it comes to corporate banking, international regulations stand among the biggest challenges for traditional FIs.

“FIs banking in multiple countries around the world find that regulations, even ones with the same name and request, are often enforced very differently in each country,” LaSala told PYMNTS.

He added that as FIs build systems and processes that address the regulatory requirements, they must continually deploy resources at every level of the firm.

At the same time, fraud remains a pressing and persistent problem. By way of one example, U.S. banks are losing more than $31 billion every year to fraud, including account takeover and new account application fraud.

Corporate transactions have proved attractive to hackers, said LaSala, especially as they require multiple people to complete (thus offering up a range of targets) and often involve large sums of money.

“From a corporate transaction perspective, if a hacker can infiltrate just one person in the chain of people needed to complete a transaction, it could mean millions of dollars changing hands,” he said.

Against that backdrop, he said, cybercriminals use social engineering and banking Trojans to alter financial transactions and steal funds.

Expanding on the use of Trojans, he said banking Trojans disguise themselves as a legitimate app or software that users download and install. Once installed, the Trojans extract personal and account details and transmit them back to hackers for siphoning funds. In other examples, malware can be used to mirror official banking apps and lure users to enter sensitive data.

Each new generation of malware and Trojans is exponentially more sophisticated in evading detection to ensure a longer life of stealing personal and account information. Trojans, especially, are proving more popular. LaSala pointed to data from Kaspersky Labs that show the number of mobile banking Trojans increased by 138 percent between 2017 and 2018.

Technologies used to combat corporate transaction fraud, like transaction signing, dynamic linking and risk analytics, help make security much stronger for corporate transactions, said LaSala.

“We can also see these technologies being modified and made more customer friendly, so they can be put in place for consumer transactions,” he told PYMNTS.

FIs, increasingly, are looking for technology partners that can help them meet regulations and fight fraud across a single platform and allow for a seamless customer experience, he said.

He said partnerships enable FIs to bring together all of a bank’s individual tech tools for fraud detection, biometrics, identity servers, security appliances and more — and integrate and orchestrate all of them through a single platform regardless of vendor.

Such efforts, said LaSala, “enable banks to be more nimble, effective and efficient in fighting fraud.”