Four things hackers seek out on a bank job
The four key things that hackers are looking for when attacking a bank - and eight ways to stop them...
It’s been a torrid year for the banking sector, some particular highlights being the swiping of a cool $81m from the Bangladesh Bank, which in turn appears to have inspired a series of similar ‘man-in-the-middle’ type attempts on the SWIFT system. SWIFT chief executive Gottfried Leibbrandt recently told a banking conference in Geneva that hackers had successfully breached the systems of two banks over the summer (likely using a Trojan dubbed ‘Odinaff’) and a third bank repelled an attack before fraudulent SWIFT messages could be sent.
Impressively, reported attacks on financial institutions in Britain have risen from just five in 2014 to 75 so far this year, according to data from Britain's Financial Conduct Authority (FCA). However, many industry observers believe the real figures on attacks could be significantly larger. One set of researchers from Kaspersky reckon that cybercriminals tried to inject more than 1 million malware programs into financial companies worldwide, a 50 per cent jump from the same period in 2015.
Certainly when compared to the wider picture for 2016, which some researchers believe will see companies and individuals get hit with 90 million attacks, 75 looks a little optimistic.
Banks are obvious targets for hackers, mainly due to the range of valuable information they hold - cash being just one, of course! Attackers attempting to breach a banks defences will be targeting four main areas or types of information. As in the Bangladesh Bank attack, access credentials to the SWIFT network, or indeed any similar money transfer system, or tunnels to home equity line of credit are a primary attack vector. Then there’s the valuable consumer data itself, which can be split into two groups, actual consumer banking information, and supporting identity information to be dumped for later exploitation or sale. Finally, there is confidential market data that can be used for trading.
These four key areas are where banks should look to harden their IT security especially, as the consequences of a breach involving any of them would be particularly damaging to the bank or it’s reputation. So with all this varied, yet valuable data lying around, what can banks do to protect it?
The first thing banks are definitely doing is spending - PMorgan Chief Executive Officer Jamie Dimon said recently that he expected the bank’s $600 million annual outlay on IT security to rocket to $1 billion in the next few years.
As Ilia Kolochenko, CEO High-Tech Bridge has pointed out: “Companies [often] spend their budgets on new technologies, before conducting proper risk (re)assessment and quite often omit cybersecurity RFPs best practices. This explains why, regardless of regularly-mentioned budget increases, the average cost of cybercrime rose again in 2015 to $7.7 million, while overall cybercrime costs are projected to reach $2 trillion by 2019.”
The G7 recently issued new IT security guidelines for financial institutions, which offer some key advice. The eight point plan begins with the establishment of a cybersecurity strategy and framework, defining roles and responsibilities for personnel implementing it, conducting a full asset audit, establishing a systematic monitoring process, response, recovery, information sharing and continuous learning.
Unsurprisingly the broad strokes here are applicable to most large enterprises that have valuable data assets, and just as for wider enterprise, there’s no magic bullet. However, as the G7 document summarises: “These elements serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system”.
Maybe if financial institutions can work effectively together to combat online criminals they’ll be able to take a real step forward in an increasingly one-sided battle...