Is banking security in trouble?
FCA watchdog speaks of concerns over banking security as Tesco Bank attack details emerge. Meanwhile, an Android banking Trojan’s spread through AdSense is also hitting the headlines.
Bank security is a particularly live topic at the moment, and the resilience of the systems behind the UK’s high street banks has just been questioned by none other than the Financial Conduct Authority (FCA).
Speaking to the Commons Treasury Committee, Andrew Bailey, chief executive of the FCA, told MPs he was concerned about potential weaknesses in the IT systems used by banks.
Over the weekend, attackers successfully drained £2.5m from 9,000 Tesco Bank current accounts, leading the company to freeze online transactions in an attempt to stop the “systematic, sophisticated attack”. Bailey described the Tesco attack to Treasury Committee MPs as “unprecedented” in the UK and “serious”.
Ilia Kolochenko, CEO, High-Tech Bridge, commented: “The situation is not clear yet, and it’s too early to make any conclusions about the origins and the source of the breach. In the past, similar incidents involved many different approaches: from e-banking system compromise to targeted spear-phishing and social engineering campaigns aimed at infecting bank clients’ machines or mobile devices with sophisticated malware, stealing money from their accounts. A massive skimming campaign cannot be excluded either.”
The precise details of the attack have not yet been made public, as the National Crime Agency (NCA) is leading the investigation. However, Mr Bailey did reveal there are considerable wider concerns at play: “The heart of concern is what is the root cause of this [attack] and what it tells us about the broader threats. It looks like it’s [in] online banking, [it] clearly appears to be on [the] debit card side of online banking, as far as we can tell. But it requires further urgent analysis,” he said.
Kolochenko went on to point out, however, how specific the attack was likely to be: “It is important to highlight that such a large-scale attack with important financial losses would hardly be possible without some insider help to the attackers. Banking systems, compliance processes and fraud-prevention systems are usually bank-specific, and in order to bypass them (we can speak about successful bypass, as so many people have already lost their money) we need to have some insider knowledge. Nevertheless, we need to wait for the official investigation results before making any conclusions.”
Of course, it’s no surprise that attackers are probing and testing digital banking systems, given the wide range of useful data to be obtained, and that’s before actually stealing any hard currency. However, the sheer range of attacks is growing exponentially and, worryingly, Mr Bailey admitted that the FCA itself is not “over-endowed” with IT expertise on its board.
Unfortunately, many banks are guilty of making the same series of mistakes, which combine to weaken their overall security posture significantly. One key error is to assume that end users are not already compromised, when it is highly likely that they are.
A fascinating recent case in point was highlighted by the discovery of a banking Trojan on Google’s AdSense network. Cunningly, the attackers were running poisoned adware campaigns targeting the Chrome browser on Android devices. Once an ad was clicked on such a device, the payload was downloaded and exploited a zero-day bug in Chrome to ensure the user gave full permissions to the Trojan. The campaign downloaded the banking Trojan called ‘Banker.AndroidOS.Svpeng’ on about 318,000 devices in two months, according to Kaspersky researchers.
Google has now fixed the Chrome bug, but it seems likely criminals will use some of these elements again in the future, and the chances of end users defending against them successfully are relatively low.
From a banking security perspective, though, strict monitoring for abnormal activities is a key defensive strategy, alongside a comprehensive risk analysis and assessment that includes all areas of operation, not just the ‘sensitive’ transactional areas. Perhaps most importantly, banks should ensure that any new cybersecurity solutions are compatible with their particular business environment and business needs. As Kolochenko summarises: “When you implement new security solutions, make sure that they are appropriate for your business environment, otherwise you are just harming your business. Remember, spending a lot on your IT security does not mean spending wisely.”