KPMG recently warned of the impending threat of cyber attacks on banks. It’s not just masks and swag bags anymore. The past year has seen various hacks and breaches to online banking and bank services such as ATMs.
As Geoff Webb, director of solution strategy, NetIQ, points out though, banks and financial institutions have always been the target of attacks. "Banks and other financial institutions have always been the target of attacks. As the famous 1930’s bank robber Willie Sutton was reported to have said when asked why he robbed banks "because that’s where the money is." Banks represent a tempting target for attackers – and hacktivism should not be ignored as a potential threat to any global organisation," he says.
But Peter Armstrong, director of cyber security at Thales UK argues that cyber security needs to be places higher on the agenda: "The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively."
Ron Gula, CEO, Tenable Network Security says: "The financial industry has been reactive for the past decade, if not longer. The amount of phishing attempts that the banks have to deal with is stunning and the organisations they’ve built over the past few years for efficient ‘take downs’ to protect their customers are being used to help fight the new round of DDOS attacks.
"In terms of the latest solutions, on the outside of a bank, the cloud and the ability to mine data quickly to pin point where botnets are, where the phishing emails are coming from, .etc is the latest in this fight. On the inside of the network though, there are no silver bullets compared to an effective security programme which monitors the network and keeps it secure on a continuous basis."
The government is trying to ensure a greater awareness of cyber risks in the finance sector. In February a new scheme would launched to promote cyber security, which should help deliver better security aimed at preventing cyber threats. The review will also seek to include information on correction techniques by detailing effective business continuity models for organisations.
Employees as an internal threat
Armstrong also argues that banks need to be protected from the inside out. "As well as unsecured networks, an employee could pose an internal threat through malicious intent or unintentional ignorance. To combat insider threats, firms need to invest in employee security training and awareness programmes to avoid accidental breaches."
"There are a number of IT administered employee controls which organisations can consider, including network monitoring technology which alerts the necessary parties when rogue devices connect to the network to either infect a corporate IT system. This could help prevent the problems that KPMG has revealed in its report," he adds.
In order to ensure their data is secure, Webb maintains that banks need to have a back-up to their firewalls. "One of the major things banks need to consider is that it’s not enough to have a firewall in place and assume that this will keep the bad guys out. Banks have to assume that their firewalls will be breached, and focus on what happens next," he says.
"The first thing a hacker will do once inside the firewall is to elevate his privilege level and assume the identity of a privileged user. To all intents and purposes he now appears to be a normal employee, with high level clearances and permissions to access the bank’s most sensitive data and assets on the network. For this reason it’s not really helpful to think about threats coming from either purely external or internal sources."
Online and ATM fraud
The past year has seen a 12% increase in online account fraud. Raj Samani, CTO EMEA at McAfee says: "Technical innovation is consistently occurring to reduce such fraud, such as more stringent measures to verify the identity of a user. However, as highlighted by the McAfee Quarterly Threats Report, cybercriminals are also innovating to bypass these controls. One recent example is malware that is capable of capturing SMS authentication messages from the bank.
Earlier this year, hackers stole $45m from banks in a global ATM heist. McAfee’s recent Cybercrime Exposed report revealed that credit card details can be bought on the black market for £16 without a PIN, £65 with PIN and £130 for a PIN and guaranteed good balance, so it’s clear it’s easier than ever for crooks to carry out this kind of activity.
Stolen bank login information commands an even higher price than credit card numbers. EU online banking logins costs 4-6% of the account balance, US online banking logins cost 2% of the account balance, PayPal logins cost 6-20% of the account balance and Western Union transfer details cost 10% of the transfer amount.
Samani says: "To combat this, banks in Europe and Asia require two-factor authentication, for example via a card reader or SMS text messages. When customers log into their banks online, they are must enter a code from the second factor to get access to their accounts. This step prevents an attacker who steals only username and password from reaching a victim’s money."
He adds: "Raising awareness of cyber security should not only be limited to online banking, or indeed financial transactions. Education needs to be improved across all digital transactions. Ensuring a consistent message throughout the financial sector is imperative to avoid potential confusion."