A fresh move by leading banks in the UK to change account data for around one million customers could place such data at risk from hackers, the Financial Conduct Authority has warned.
Leading banks in the UK are separating core services like savings accounts from investment banking, but the transition may expose certain data to hackers.
Bloomberg has quoted an anonymous source at the Financial Conduct Authority as saying that the authority is concerned about the security of customer data arising from a proposed change of account numbers by leading banks in the country.
The source told Bloomberg that the FCA has let such banks know about its concerns, and has warned them about the potential cyber risks that may arise as a result of the change. The move is aimed at securing customer deposits by ring-fencing them and separating them from riskier accounts like investment banking.
Leading banks like HSBC Holdings Plc, Barclays, Lloyds, and RBS have begun informing customers about their intent to move their accounts and that this may also involve changing their account numbers or six-digit sort codes. The banks are also communicating with their customers and informing them about emerging risks, like people pretending to call from banks and asking them to share their personal information.
‘In creating a new system that houses personal data, you’re opening up security holes. The impact of an indiscriminate attack can be substantial,’ said James Tedman, managing director in London at ACA Aponix to Bloomberg.
He added that even though the leading banks are aware of such risks, they must urge extreme caution as attacks may come from ‘well-financed and sophisticated criminal groups’ rather than 15-year-olds in their bedroom.
So far this year, leading banks in the UK have had to weather many a storm, be it cyber attacks sponsored by North Korea or Russia, or regular phishing and DDoS attacks conducted by professional hackers.
Researchers at cyber security firm Trustwave even discovered a new attack technique that involved hackers leveraging the overdraft facility offered by banks to open accounts and steal millions from unsuspecting banks. According to the researchers, the hackers managed to steal between $3 million and $10 million in every heist, with the average amount around $5 million.
Researchers at security firm Barracuda also discovered that hackers are impersonating ‘secure messages’ from banks to inject malicious code onto their victims’ devices so as to obtain sensitive personal and financial information about customers. The emails appear very genuine, and by crafting them this way, hackers are exploiting the trust between banks and their customers to infect more and more devices.
Hackers behind the phishing campaign are attaching Word documents to their emails and are asking recipients to download such attachments to view secure and confidential messages from their banks. The emails also contain logos of real banks and feature literature used by such banks in their emails to customers.
Aside from these threats, banks have another major problem to deal with: the GDPR. The upcoming pan-European regulation will make it prohibitively expensive for banks and other organisations if they do not comply with its requirements.
Chris McMillan, a partner at consultancy firm Oliver Wyman, told the FT that leading banks are now expressing serious concerns over their ability to adapt to the upcoming legislation. ‘Banks are struggling with legacy systems. From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go,’ he said.
In such a scenario, banks need to strengthen their systems and cyber security policies to better protect customer data as soon as possible. They also have a duty to educate customers about telling real email accounts from fake ones, never sharing personal information over phone calls, texts, or email messages, and viewing offers and new changes only on genuine websites run by banks.