News of the Carbanak attacks on banks around the world made headlines last year. How serious was the threat? Was UBS affected?
Alain Beuchat: At UBS, we were aware of the situation long before it was made public, and of course we took the issue very seriously and started our investigations immediately. To date we have not identified any suspicious traffic and have no indication that we have been affected. But like other banks we remain diligent, and are constantly processing all new threat intelligence.
Bruce Nikkel: On the surface of it, Carbanak represents an increase in the sophistication of cyber attacks on banks. But if you look more closely, it really relies on standard techniques. The gang used social engineering – specifically spear-phishing – to get employees to click on infected attachments in emails. They then used several vulnerabilities to install their malware. What really sets Carbanak apart from other attacks is not its technological sophistication, but the patience and discipline of the attackers. These are highly intelligent and knowledgeable professionals, no doubt about it, and hence very dangerous.
Was the Carbanak hack over-hyped, then?
Beuchat: I think we have to be very careful about statements like that. One of the worst mistakes we can make in cyber security is to underestimate our adversary. Yes, the media needs a good story. And yes, cyber security vendors need to sell products. But there is no doubt the cyber criminals are getting better and more sophisticated, and that banks – and all organizations really – are faced with more serious threats than ever before. There was fraud in the financial industry before digitalization. But with digitalization the means to perpetrate fraud, and its potential for damage, have increased dramatically. Up to now, banks in my opinion have generally risen to the challenge.
Nikkel: That’s right. A Carbanak notwithstanding, it is harder to hack into banks than ever before. That is one reason we are seeing financially oriented cyber criminals focusing more on retailers, and especially on credit cards with only magnetic stripes and no chip. This I think is interesting because it highlights an important principle of cyber security. It is trivial to copy the information on a credit card magnetic stripe: you can buy a reader for 100 euros that will do the job. So the kind of fraud involved in stealing this information, and passwords, is highly scalable. Criminals can easily steal 10,000 passwords from 10,000 kilometers away and use them for malicious or criminal intent. If the credit cards or online systems in question use a chip or two-factor authentication, however, then the PIN code or password alone is less valuable. You must also steal the card or token itself. That doesn’t scale. So the principle is: you may not be able to design a hack-proof system, but the harder you make it for the criminals, the safer you are. They are always looking for the easiest targets.
So are you saying the infrastructure in the financial industry is actually secure?
Beuchat: Again, I would be careful with blanket statements. Digital systems today, including the Internet and other digital communications channels, are clearly not as secure as we would like them to be. We need to get better at writing secure code, at securing our hardware and networks, and so staying ahead of the bad guys. That said, we have I think been able to build rather secure systems in banks. The vast majority of attacks we and other banks face are based on social engineering and stolen login credentials, very human slip-ups.
Nikkel: It goes back to what we said before: criminals are always looking for the soft spots. It is complicated and expensive to write an effective e-banking Trojan and actually get money out of the bank. You need a large organization, and you need expertise from the programming down to the money mules who channel the funds to you. It’s cheaper, and unfortunately still easier, to trick people using less technical social engineering techniques to steal the money. So that is where criminals are moving. But as Alain rightly points out, that doesn’t mean we can get complacent. The cyber criminals are getting much more sophisticated, and are pouring more resources into their efforts as the potential rewards grow.
How can the industry respond to this growing sophistication? What are the trends you are seeing among banks?
Beuchat: One big change over the past few years has been the way we share information. We’ve learned in the industry that we need to work together. It is not possible for one organization to protect itself by itself anymore. The threat is common, and we need a common response. In the face of increased attacks, banks have really started talking to each other, sharing information on the nature of the attacks. There is also closer cooperation with law enforcement. This has made a very large and important difference. It has helped the industry be much safer than it otherwise would have been.
Nikkel: The best defense is to frustrate them. Even for sophisticated attackers, the rule of concentrating on the easier targets holds. It’s a business decision if nothing else. That’s why we are seeing an increased focus among banks and others on detection and response, on figuring out what you should do after you’ve been breached. This is a big change over the last decade. In the past, the focus was primarily on perimeter security. But now we have much more complexity in our networks and there is much more that needs to be defended. So while we continue to secure our perimeter, instead of solely relying on these defenses, we also assume we will be targeted in other areas, and plan accordingly. It’s a prudent approach.
If you had one message to give to other banks regarding protecting against cyber crime, what would it be?
Beuchat: That cyber crime should not be treated just as a tech issue, but should be seen in terms of overall business risk. Keep in mind that what we are dealing with here is fraud, data theft or acts of sabotage. The cyber part is simply the enabler. My area of UBS, the Group Information Security Office, is part of the Group Risk Officer area. We look at cyber security from a big-picture risk perspective, and our operating model includes all the relevant functions in the bank, not just IT. An important part of this is raising awareness among staff. Our education efforts target the whole bank, though we separate it into two levels. Certain trainings are intended for all staff, and then we have additional trainings, for example for front-facing staff, who are more exposed to fraud attempts. We also get our vendors involved.
Nikkel: I agree. We need a holistic approach that involves all parts of the organization. To take an example, we have people from our media department who monitor social media and news sites for potential criminal activity targeting UBS. They aren’t a part of IT security, but their work involves the digital realm, so we should be talking to them. We should also be talking to the people responsible for intellectual property, who deal with such issues as brand infringement or fraudulent domain registration. Again this isn’t IT, but it does take place online. Finally, you must do your homework in-house. At UBS we have a 10-member cyber crime forensics team, which I lead. We have a cyber threat management program which constantly reviews all our infrastructure and carries out upgrades when needed. We have an SOC – a Security Operations Center – which is tasked with protecting, monitoring, blocking and detecting infrastructure threats. And as Alain mentioned, we also collaborate with other banks and law enforcement. All this lets us stay one step ahead.
So no need to worry, then? Our systems are safe?
Beuchat: As I’ve said, we must never underestimate the threats. On the other hand, I don’t think alarmism is called for. Of course, we always have to worry about a black swan appearing. It can happen. And so it is prudent to be diligent and prepare.
Nikkel: I always tell colleagues they should be careful when listening to the media and security vendors. There is often a lot of hype and alarmism, and it is not always as bad as the headlines seem to indicate. Those of us who work in cyber security, and who see this stuff on a daily basis, are certainly very sensitive to the dangers. But we also see how much the industry has done and can do. So I would say we are concerned, but not worried.
Alain Beuchat is the Group Information Security Officer at UBS. He and his team, which is part of the UBS Group Risk Officer area, are primarily focused on adapting the bank’s cyber security defense and data protection framework to the evolving threats being seen in the industry. Alain has more than 20 years of experience in the domains of IT risk management and information security. This experience has been gained primarily in the financial and telecommunications industries. He has occupied several positions including Chief Information Security Officer (CISO), security consultant and security engineer.
Bruce Nikkel is the director of Cyber Crime/IT Investigation & Forensics at UBS, which investigates cyber criminal activity targeting staff, clients, and IT infrastructure. His team conducts internal IT forensic investigations, and manages the investigation of external cyber criminal activity impacting the bank. Nikkel has worked for the bank’s IT Security and Risk departments since 1997. He is on Europol’s EC3 advisory group on Financial Services and an editor for Digital Investigation Journal. He holds a PhD in network forensics and has published research papers in the field of digital forensics.