It was certainly dramatic.
In February of 2015, Moscow-based cyber security firm Kaspersky announced it had uncovered a hacker ring it said had stolen up to one billion US dollars from banks around the world. Using fraudulent e-mails that tricked bank employees into installing malware, the criminals were able to secretly navigate the network and record employee actions. Once they learned enough about a bank’s systems and processes, they began to siphon off money.
News of the Carbanak malware, as Kaspersky dubbed it, came on the heels of several other recent high-profile hacks. In November of 2014, attackers penetrated Sony Pictures, stealing internal e-mails, unreleased movies and the details of over 4,000 past and present employees. A few months before, JP Morgan said hackers had stolen the names, addresses, phone numbers and e-mail addresses of 83 million account holders, one of the biggest data breaches in history. In 2013, US retailer Target was hit by a hack in which criminals made off with 40 million credit card numbers and passwords. There have been many other similar incidents.
While cyber crime is a problem for all industries, attacks on the financial system are particularly visceral. “Is my money safe in the bank?” is not a question anyone wants to have to ask themselves. But is the situation really as bad as the headlines? Do we all need to go back to stashing our cash under the mattress?
The answer, of course, is no. While the Carbanak hack was frightening because money was stolen directly from banks, success was not due to a sophisticated technological exploit but to human error: had employees not clicked on the links in the fraudulent e-mails, the spyware would never have entered the network. The JP Morgan breach was likely an opportunistic exploit of a lone, obscure server someone had forgotten to secure. At Target, hackers gained access using login credentials stolen from one of its heating and air-conditioning suppliers, whose security precautions were lax.
This is not to say that cyber criminals do not pose a real and present danger to the financial industry. The situation is, however, more complex – and more nuanced – than the headlines would indicate. By getting the basics right and remaining vigilant, banks can go a long way to keeping themselves secure.
Know the fraud …
A good place to start is understanding the specific risks banks face. Cyber risks tend to be different for different industries. In aviation, with its huge, complex contracts, industrial espionage is of particular concern. In entertainment, it is file sharing and copyright infringement. The advertising industry frets about click fraud, while the pharmaceutical industry, with its advanced formulas for new drugs, places higher emphasis on protecting intellectual property.
In financial services, the risks are primarily associated with the movement of money. That makes hacking approaches involving trickery and fraud, including social engineering and identity theft, a major concern. Phishing or vishing can give criminal hackers the information they need to impersonate clients and arrange fraudulent payments (see box below). Fraudulent websites can fool people into revealing their e-banking credentials and malicious e-mails can trick employees into unknowingly installing malware on a network.
Financial services firms are of course also exposed to technical exploits, whether industry-specific like e-banking Trojans, or more general weaknesses like the recent Shellshock and Heartbleed bugs. Data theft and distributed denial-of-service (DDoS) attacks are also an increasing concern. But in general, it is identity- and password-related theft that is the most worrisome for banks, as it represents the easiest means for hackers to move money in the wrong direction.
… and the fraudsters
Over the years, the actors in cyber crime have been changing. In the past, most hacking was done by talented, if twisted, individuals. The motivation was more likely to be fame or fun than financial gain. Today there are professional crime syndicates specializing in specific industries. A Russian organized crime gang that was broken up several years ago had dozens of people working for it, and was run like a professional IT organization complete with systems designers, programmers, test and production environments, and even support staff.
As well as carrying out attacks themselves, modern hackers are just as likely to work as outsourcers. Today it is possible to buy malware from hackers complete with service level agreements. If antivirus programs develop a signature for the malware, the crooks will adapt the program for the client in order to get around it, all included in the price. As a result, traditional organized criminal gangs, although they have no idea about technology, can purchase illicit technical capabilities. Many in the industry therefore make a distinction between “cyber crime” and “cyber-facilitated crime.” Criminals can leverage such “crime as a service” (CaaS) to carry out their activities.
Start with the basics
This is certainly a frightening prospect. So what can banks do? Security experts say there are a number of things that financial services companies should be looking at to respond to the cyber threat.
The good news is that the most effective cyber security measure is also the easiest in principle: make sure you get the basics right. That means beefing up the defenses that are available now, being diligent in keeping systems updated, keeping on top of vulnerabilities as they become known, making sure employees are properly trained on security techniques, and so on.
While such measures cannot guarantee safety, they certainly can make life more difficult for hackers. One of the key premises in the cyber security world is that hackers will always prefer the easier targets. Those who have not kept on top of the basics will therefore draw the most attention.
For this reason, banks should always prefer setups that make hacking more difficult. The classic example is two-factor authentication, using a password and a second level of authentication – for example through a card, token or SMS to a phone – to log in. While it is relatively easy to steal passwords, it is much harder to steal a physical token or phone. For hackers, two-factor authentication therefore presents a significant hurdle. They will prefer targets that do not employ it.
Assume the worst
That said, security experts today also agree that no system is 100 percent safe. For this reason, the industry is putting increasing emphasis on threat analysis approaches, advising companies that they should assume their defenses will be breached and plan accordingly.
This may not sound comforting, but by assuming a breach, security planners can look for ways to increase the resilience of their systems. For example, it may be possible to design systems in such a way that, if intruders do break in, they are only able to navigate restricted parts of the network. Banks can also look for ways to make it difficult for intruders to get money out. If an e-banking system is compromised, but it is hard to make transfers to dubious accounts, the extent of the potential harm can be significantly reduced.
One weapon in the fight against cyber crime that has been gaining in importance is the sharing of information among industry participants. Groups like the Financial Services-Information Sharing and Analysis Center (FS-ISAC) in the US, and similar organizations in other jurisdictions, have been founded specifically to facilitate information exchange. If one organization is attacked by a new Trojan, others can quickly be informed of how to find and combat it. If a malicious website is discovered, law enforcement can be quickly informed and asked to take it down. This kind of communication, which has increased dramatically over the past five to ten years, has gone a long way to making banks safer.
“One important way to fight cyber crime is by sharing information.”
Getting better all the time
For this reason, there is likely to be even greater emphasis on threat intelligence in the future. This includes closer cooperation between banks and law enforcement. Increased public/private partnerships in the cyber security realm will help make the critical financial services infrastructure more robust, and enable institutions to react more quickly and decisively to attacks.
Other trends include an increased emphasis placed on security by technology vendors. In the past, software and hardware makers were under a lot of pressure to release their products as quickly as possible in order to stay ahead of the competition. Security issues have commonly been dealt with by issuing patches as needed. This is becoming less acceptable to clients and to society, who are demanding more secure products. The vendors have been listening.
There are also efforts underway to further strengthen infrastructure and defenses. Big data, for example, can be used to more quickly detect anomalous (and hence potentially dangerous) network traffic. Self-repairing and self-defending systems and networks may in future be able to respond to attacks automatically.
The reality, then, is that banks really are safer from cyber crime than the headlines would make it appear. This may be one reason why financial services hackers have started focusing on retailers instead of banks. For now a company like Target is indeed the easier target. That said, the cyber threat remains very serious. But by doing the right things, and employing foresight and diligence, banks have an excellent chance of staying ahead of the hack.
The cyber tricksters
Social engineering, or trying to trick victims into revealing information about themselves that can be used to perpetrate fraud, is one of the most common and dangerous hacking methods facing the financial industry.
Most pernicious are approaches that involve impersonation. Here criminals have been known to be very creative. Take for example the hacker who accessed the mail account of a wealthy private client, learning that the client communicated payments via email. Using the client’s account, the hacker sent a mail to the client’s advisor requesting a large payment be made. Usually, the advisor in question would phone the client back to confirm the request was real. In this case, the hacker wrote that a phone call would not be possible – because the batteries in the client’s hearing aid had run down. Other common excuses to avoid call back verification include attending funerals, boarding long haul flights, or lost mobile phones. With careful social engineering, these tricks unfortunately have worked.
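The call-back control described in this box can be written down as a release rule, shown here as an added example that is not part of the original article. All names, thresholds and the phrase list are hypothetical. The point it demonstrates is that an excuse for being unreachable raises scrutiny, and nothing in the request itself can waive the call-back.

```python
from dataclasses import dataclass

# Constructed phrase list based on the excuses named in the box above.
CALLBACK_AVOIDANCE_HINTS = ("hearing aid", "funeral", "flight", "lost my phone",
                            "lost phone", "do not call", "cannot take calls")

@dataclass
class ClientProfile:                  # hypothetical record kept by the bank
    known_beneficiaries: frozenset
    callback_threshold: float         # amounts at or above this need a call-back

@dataclass
class PaymentRequest:                 # hypothetical instruction received by an advisor
    channel: str                      # "email", "phone" or "in_person"
    amount: float
    beneficiary: str
    message: str
    callback_confirmed: bool = False  # True only after reaching the client on the number on file

def evaluate(req: PaymentRequest, profile: ClientProfile):
    """Return ("RELEASE" | "HOLD", reasons). No field lets the requester waive the call-back."""
    reasons = []
    if req.beneficiary not in profile.known_beneficiaries:
        reasons.append("new beneficiary")
    if req.amount >= profile.callback_threshold:
        reasons.append("amount at or above callback threshold")
    text = req.message.lower()
    if any(hint in text for hint in CALLBACK_AVOIDANCE_HINTS):
        # An excuse for not being reachable raises scrutiny instead of lowering it.
        reasons.append("message discourages callback")
    needs_callback = req.channel == "email" and bool(reasons)
    if needs_callback and not req.callback_confirmed:
        return "HOLD", reasons + ["callback to number on file not completed"]
    return "RELEASE", reasons

PROFILE = ClientProfile(frozenset({"ACME Property Ltd"}), callback_threshold=10_000.0)
# Constructed sample modelled on the hearing-aid case described above.
SAMPLE = PaymentRequest("email", 250_000.0, "Unfamiliar Trading Co",
                        "Please wire today. Do not phone, my hearing aid batteries have run down.")
```
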