While this measure is long overdue, it is also giving the financial services industry a headache. Australian financial institutions compete fiercely with one another to attract new customers and better serve existing ones. In the process, they are driven to expose more sensitive processes and data to the internet. At the same time as data is being made more freely available, attackers are innovating and automating their techniques to take over accounts, extract data and monetize the results.
A favored target for malicious automation is the online customer portal, a feature found across every sector of the financial services industry. With the increasing momentum of digital transformation, institutions are looking to provide a richer user experience by boosting the capabilities of these portals. However, every added function is also a new endpoint that an automated client can drive, and the risk profile changes accordingly.
In many cases these portals have limited security enforcement in place. Institutions traditionally believed the risk profile was low because the site's functionality sat behind a log-in page. As a result, security risk assessments relied on the effectiveness of the authentication process to keep attackers out, and the controls behind the log-in (per-customer authorization on each request, limits on how quickly one session can pull data) were often limited or non-existent. Once an attacker holds any valid session, whether stolen, phished or simply self-registered, an authentication-only design places nothing between that session and every other customer's data.
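The following is an added illustration, not code from the original article or from any institution it describes. It models a single portal endpoint in two forms: the historical "log-in is the only gate" handler, and a hardened handler that additionally checks that the requesting customer owns the account and enforces a per-session request budget. The customer records, session tokens, account identifiers and limits are all constructed here for the example.

```python
"""Added example: authentication-only portal endpoint beside a hardened one.

Everything below (accounts, sessions, ids, limits) is constructed for
illustration and does not describe any real system.
"""
from dataclasses import dataclass, field
import time

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": 5200.00},
    "ACC-1002": {"owner": "bob", "balance": 310.75},
}
# Constructed session store: bearer token -> authenticated customer.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class PortalError(Exception):
    """Raised with an HTTP-style status string for any refused request."""


def authenticate(token):
    """The log-in gate: map a session token to a customer or refuse."""
    user = SESSIONS.get(token)
    if user is None:
        raise PortalError("401 not authenticated")
    return user


def get_account_auth_only(token, account_id):
    """Historical pattern: the only control is a valid session.

    Any authenticated customer who supplies another customer's account id
    receives that customer's data, so one session is enough to walk the
    whole id space.
    """
    authenticate(token)
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise PortalError("404 not found")
    return acct


@dataclass
class Budget:
    """Sliding-window request budget keyed by customer."""
    limit: int
    window_s: float
    hits: dict = field(default_factory=dict)

    def consume(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


# Illustrative limit: 5 account reads per customer per minute.
DEFAULT_BUDGET = Budget(limit=5, window_s=60.0)


def get_account_hardened(token, account_id, budget=None, now=None):
    """Same endpoint with controls behind the log-in.

    1. Authenticate the session.
    2. Charge the request to this customer's budget; refuse if exhausted.
    3. Refuse unless the customer owns the account. "Not yours" and "does not
       exist" return the same status so the response cannot be used to
       enumerate valid account ids.
    """
    user = authenticate(token)
    budget = DEFAULT_BUDGET if budget is None else budget
    if not budget.consume(user, now):
        raise PortalError("429 too many requests")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        raise PortalError("404 not found")
    return acct


def enumerate_accounts(handler, token, candidate_ids):
    """Simulate an automated client driving one session across many ids.

    Returns the ids for which the handler released account data.
    """
    leaked = []
    for acc_id in candidate_ids:
        try:
            handler(token, acc_id)
            leaked.append(acc_id)
        except PortalError:
            pass
    return leaked


if __name__ == "__main__":
    ids = ["ACC-%d" % n for n in range(1000, 1010)]
    print("auth-only leaks:", enumerate_accounts(get_account_auth_only, "tok-alice", ids))
    b = Budget(limit=5, window_s=60.0)
    print("hardened leaks:", enumerate_accounts(
        lambda t, a: get_account_hardened(t, a, budget=b), "tok-alice", ids))
```

Run stand-alone, the script shows the authentication-only handler releasing both customers' records to a single session, while the hardened handler releases only the caller's own account and refuses further requests once the budget is spent. The identical "404 not found" for missing and foreign accounts is deliberate: returning a distinct "403" for foreign accounts would still tell an automated client which ids are real.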