Next time you watch a bank heist movie, we would urge you to keep a pinch of salt handy. In real life, there won’t be any kicking-in of doors, fast getaway cars or Denzel Washington-lookalike hostage negotiators.
There will, however, be enough havoc wrecked that customers will lose money and banks will again reevaluate their security measures.
As Deloitte say in their cybersecurity report: ‘It’s not just “if” your organization will be breached, but “when.’
And with financial services being No.1 in the list of potentials on a hacker’s list, it isn’t surprising that the Financial Services Authority is taking it all very seriously.
It has made cyber security priority for the 56,000 financial services firms it regulates. These range from the largest banks to the smallest advisers. In fact, they have created a specialist team within the Specialist Supervision division, to lead on this work.
At a recent cyber security summit, Nausicaa Delfas, Director of Specialist Supervision stressed on what the FCA considered basic failings. One of them was poor perimeter defences with unpatched, or end-of-life systems next and of course, the biggest concern for cyber security experts- just a plain lack of security awareness within an organisation.
However, according to Danny Maher, CTO at HANDD, most breaches occur because although at least 50 percent of the financial institutions will have a cyber security policy, there would be no-one to actually see to its implementation.
‘We find that it is most often a lack of data classification coupled with a lack of understanding access that lead to compromised security. Financial institutions hold a large amount of data and unless they can tell the most important high risk items apart from the lowest risk ones, safeguarding will continue to be an issue.’
The two most recent cases of cyber attack on banks have involved currency being siphoned off to the tune of hundreds of millions and, atleast in one case, was a serious state-sponsored event.
News is now emerging that North Korea was behind the attack on the Bangladeshi Bank where hackers made off with $81 million during the course of an afternoon’s access and were only thwarted from stealing the amount they were after- $1 billion, because of a typo . A lack of firewalls at the bank as well as lax security measures were blamed but the fact that the stolen amount was so large, makes the case stand out from the rest.
In fact, the Gemalto Breach Level Index Report suggests that although the number of breaches went down in 2016 from 22.5 percent (214 from 276 in 2015) accounting for 11.9 percent of the total, the number of records lost or stolen in these attacks rocketed from just 1.1 million in 2015 to 13.3 million in 2016. Basically, the amount of data stolen in each attack went up by a colossal 1,070 percent.
Furthermore, the security situation within financial institutions is so chronic that only 4 percent of breached data was encrypted.
Authorities investigating the Bangladeshi Bank heist suggest that malware was installed by the hackers on the bank’s network to stop employees from discovering the fraudulent transactions quickly. There were atleast two other banks targeted in the attack and hackers were able to install malware months before the attempt. For breaches of such magnitude to occur and not being spotted for weeks again, shows the extent of the problem.
However, the most recent attempt was even more brazen. A Brazilian bank’s customers logging onto their website were rerouted to perfect fakes. Not just that, customers who would have used their bank cards the afternoon of the hack, would have had their details stolen by these phishing websites.
All PoS, ATM and online transactions were redirected to the hackers’ own servers, enabling them to collect credit card details of anyone who used their card.
Dmitry Bestuzhev, a Kaspersky researchers who analyzed the attack in real-time told Wired: ‘Absolutely all of the bank’s online operations were under the attackers’ control for five to six hours,
This translates to the chilling fact that from the hackers’ point of view the DNS attack meant that you become the bank. Everything belongs to you now.’ And the bank isn’t a small player in the Brazilian financial market either, with hundreds of branches and assets worth billions. The fact that the DNS registration of the banks were targeted, like in 2013 with The New York Times, and the more recent Mirai Botnet attack makes the situation even more critical.
Kevin Bocek, Chief Cyber-Security Strategist, Venafi commented: ‘Cybercriminals can now steal money by taking advantage of the one security measure every Internet user has been trained to trust: the green padlock in web browsers.
‘These padlocks are supposed to signify a trusted digital certificate is in use, but now bad actors can obtain them for free. This attack is part of a much larger problem that jeopardizes the system of trust behind all digital commerce. Security professionals don’t understand the scale and scope of this problem and they don’t have the tools they need to control it.’
In their Breach Level Index report, a fresher approach to cyber security is advocated. So it starts with not thinking of the perimeter-level security as the Holy Grail and baking in security compliance into the business ethos. Breach acceptance and finally plugging the breach form the other two pillars financial organisations should be focussing on.
As Maher, CTO HANDD signs off: ‘ Security should drive compliance, and it shouldn’t be the other way around.’
Until then, nobody is safe.