Royal Holloway: Protecting investors from cyber threats

Table Of Contents

• Over 10% of all attacks target individual investors, generally personal customer accounts. The motivation for almost all attacks against personal investors is theft.
• They are carried out by organised criminal gangs (i.e., non-state actors), mostly working from Eastern Europe; The principal attack vectors are malware, forms of card theft and “multiple” vector attacks.
• The fact we still don’t know technically how many of the attacks were carried out or by whom limits any conclusions we might draw but suggests that the criminals are one step ahead of everyone else.
• Investors should begin to expect, and insist, that investment platforms provide good quality data that demonstrate how secure their platforms are compared to their competitors. Conventional threat models are inadequate because they are designed to protect the financial institution and not investors.
• Both strategic and operational threat models need to be developed for the investors’ threat landscape.
• A practical step financial platforms and banks could take to better prevent or mitigate attacks is to develop relevant threat model scenarios.
• Investing resources that defend against known or probable attack scenarios is self-evidently a better use of resources than any ‘hit and hope’ defence strategy. If you misunderstand the threats you and your customers face, the chances are also you will be the less secure for it.
• Investor security must become a stronger priority. Put simply, make two-factor authentication (2FA) mandatory and use hard tokens.
• Investment platforms could also be more proactive in helping their customers protect themselves by developing safer online behaviours.
• Publish an industry-standard benchmark so customers can decide for themselves if your site is secure to use or not.