Analytics Brief: Thwarting cyber crime on banks
Recent reports document an incident in which hackers stole $81 million from a Bangladesh central bank account at the Federal Reserve Bank of New York. And a banking institution in a country in the Middle East reportedly experienced a recent data leak impacting corporate and customer data.
The act of robbing banks has evolved considerably through the ages. Bank robbers no longer hold up brick-and-mortar bank buildings with guns drawn and their faces masked and then quickly jump onto horses or into idling getaway cars with an anxious accomplice at the wheel. Today’s version of a bank robbery involves an individual, likely many miles away from the target banking institution, slinking away behind the cloak of the Internet.
What experts have to say
Even during a recent discussion about hacks occurring at banks, yet another banking institution experienced a hack. Hackers are seemingly getting the upper hand and winning the war on cybersecurity. Is stopping them possible? Cybersecurity and financial services experts tackled this question and others in a recent Analytics Brief:
- Should banks be on high alert for copycat perpetrators?
- What can banks do to fortify their security for countering and mitigating these kinds of cyber attacks?
- Could attacks be identified sooner to minimize the impact?
- What if cyber attackers employed the help of an employee?
- What does the future of a bank heist look like?
- Should banks place tighter restrictions and controls on large wire transfers?
Internationally recognized cybersecurity leader, technologist, speaker, blogger and author – CSO at Security Mentor, Inc.
We have only just begun to see similar and new forms of online crime against banks, says Lohrmann. We will continue to see both insider threats and external cyber attacks against banks and other financial institutions. Many banks are already taking steps to fortify their security. And after five recent breaches at the Federal Deposit Insurance Corporation (FDIC), it has detailed some actions banks need to take:
- First, recognize that the bad guys will constantly be looking for new ways to target people, processes and technology. What works today may not work tomorrow, so never rest easy.
- Second, conduct end-to-end risk assessments, using a variety of internal and external—trusted—resources.
- Third, test, test and test again. Run regular and ongoing exercises to ensure that security incidents are detected and resolved quickly.
Threats from insiders are a huge problem for every organization, including banks. The most sophisticated cyber threats often gain intelligence or operational actions from current or former employees. This reality underlines the importance of separation of duties and for least-privilege processes to be closely followed. As far as the future, a shift toward online crime and bank heists and away from physical bank robberies with guns has already begun. This trend will only accelerate in coming years.
Restrictions and controls on large wire transfers need to be continually updated. In addition, here are some of the items that the FDIC is employing:
- Revising a policy prohibiting the use of mobile media devices for the majority of FDIC employees—as of early April 2016, if an FDIC employee connects removable media to his or her computer, it is blocked
- Creating a new incident-tracking system and creating an incident-response coordinator position that serves as the main point of contact for IT security incidents at the FDIC
- Monitoring printed materials in high-risk areas
- Starting a chief information office and operations-wide review of all policy documents to ensure they reflect current cybersecurity oversight policies
- Revising the data breach management guide to incorporate new guidance and address reporting and incident-escalation procedures
Again, the element of surprise and unpredictable changes—including people, process and technology—in cyber defense actions offer a key element in successfully protecting banks and other enterprises with sensitive data.
A cybersecurity expert and president and CEO at Berkeley Varitronics Systems, Inc.
Bank fraud is fundamentally about money, says Schober, but realizing that money is not always the primary driving factor is important to keep in mind. Many hackers have large egos and like to brag about their exploits including which banks they were able to compromise. When a large breach in a particular sector takes place, other hackers generally try to quickly replicate that success but at other locations. We saw this scenario occur two years ago in the retail sector when a major merchandise retailer was breached followed by several hacks of a similar nature involving several other major retailers and a restaurant chain.
Cybersecurity-conscious banks are standardizing multifactor authentication across all login gateways. This additional layer of security minimizes account hacks so that when a customer logs into an online bank account, the customer receives a text message by mobile device to validate those login credentials. This technique is extremely effective; the chance that the thief has access to both a potential victim’s mobile phone and login credentials is highly unlikely.
When looking at successful cyber attacks in hindsight, more could always have been done to thwart the attack. However, algorithms that carefully analyze patterns of data flow for real-time threat monitoring are being implemented more often these days than they were previously. This approach is highly proactive. In this instance, the banking software apparently had a vulnerability that the thieves exploited quickly. When a typical vulnerability is discovered, all systems require security patches so they do not fall prey to the same attack. Like a spy penetrating and leaving the enemy base before the alarm sounds, many hackers slip in and out just before these security patches can be applied to all segments of the network.
We put spending limits and flags on our credit cards; why not do the same on large wire transfers too? If a certain transfer exceeds a certain threshold dollar amount, multiple stages of approval and signatures should be required to properly authorize and validate each transaction.
Director of Innovation at Consult Hyperion and internationally recognized thought leader in digital money and digital identity
I imagine you are all familiar with the story of the Hatton Garden burglary in London, UK, says Birch. A group of elderly criminals with long police records staged the biggest burglary in British history by tunneling through concrete into the vaults of a safe deposit company in London’s Hatton Garden district. They got caught and sent to jail. The heist was old-school style.
But if you want to see how modern bank robbers are adjusting to the times, you need to check out what’s been going on in Bangladesh, where the governor of the central bank resigned following the theft of an enormous sum of money from their reserves. Basically, crooks got into the central bank system and had access to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) gateway. They sent messages instructing the Federal Reserve Bank of New York to transfer funds from the Bank of Bangladesh account to some casinos in the Philippines.
Should that action have been a red light? Is policing where you send your money really a bank’s job? If I tell Barclays to send $10 somewhere, then they should just do it. If I tell Barclays to send $10 million somewhere, then should they still just do it? Does it make any difference whether it’s a retail bank or the central bank? After all, the Fed had received a perfectly legitimate request from the bank in Bangladesh, and I shouldn’t think it sees it as part of its job to tell the bank where it may or may not send its money. This approach seems cut and dried to me. If a bank gets an instruction to transfer, and that instruction has the appropriate digital signature, then the bank should execute the instruction. Clear. End of story.
Is telling my bank to send money to somewhere, even if that somewhere is the Dunkin’ Donuts at the main railway station in Minsk, the same as me sending my bitcoins from my wallet? The bank should just do it, and if I’m sending it to crooks, that’s my problem. But, is that what we really want? In the coming world of instant payments, isn’t that approach too easy for the fraudsters? Do we want Grandma to be able to lose the house by pressing the wrong button after a dodgy email? Whatever the bitcoin fans say, we don’t really want frictionless payments at all, do we?
Cybersecurity and Risk Management Consultant Shahid Shah is CEO at Nespective Communications
Banks should be on high alert for copycats, says Shah, but even more important are nonbank entities whose threat surfaces look similar. Credit unions, thrifts, central bank policy shops, investment houses and many other firms that aren’t traditionally banks will also be potential victims because they may have lower defenses.
Traditional firewall, intrusion-detection mechanisms, packet inspectors and so on will continue to be necessary, but the most important requirement will be cognition-enhanced behavioral analytics tools to seek out anomalous patterns and prevent out-of-the-normal transactions. Just like our credit card systems know to put a hold on transactions that seem like we didn’t make them, our banking systems will have to know what an account holder’s normal usage is so that abnormal usage is flagged appropriately.
Insider threat is growing. Whether or not an insider threat existed, the heist would have looked very similar. If cognition-enhanced user and account behavioral analytics capabilities were in place, though, even insider attacks have a chance of being detected because they will be out of the ordinary for most users.
Banks should place limits on large wire transfers but not the same amount every day. Hackers love rules, and if the rule is known they will just break up their heists into smaller units. For example, if they are aware of a $1 million limit but they want to steal $10 million, they’ll simply break it up into multiple heists. Instead, the limits should be based on the day of the week, the month of the year, significant events, holidays and other rules applied per account and specific to the behavior of institutions and how they conduct business. The restrictions should be based on common usage of a particular account, not globally.
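To make the point about static versus per-account limits concrete, here is an added example (not from the article or from any of the experts quoted) that compares a fixed global wire-transfer ceiling with a per-account behavioral check of the kind Shah and Schober describe. The account histories, the limit, the z-score multiplier and the incoming transfers are all constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

STATIC_LIMIT = 1_000_000.0  # a fixed, globally known ceiling (assumed value)


def synthetic_history(base, step):
    """Constructed 28-day wire history: two transfers a day, amounts cycling around a norm."""
    return [(datetime(2016, 3, d, h), base + step * ((d + h) % 3))
            for d in range(1, 29) for h in (10, 15)]


# Constructed sample data, not real bank records: a small corporate account and a large one.
HISTORY = {"ACCT-A": synthetic_history(200_000.0, 10_000.0),
           "ACCT-B": synthetic_history(1_500_000.0, 100_000.0)}


def baseline(transfers, z=3.0):
    """Per-account profile: mean + z*stdev of single amounts and of daily totals."""
    amounts = [a for _, a in transfers]
    daily = {}
    for ts, a in transfers:
        daily[ts.date()] = daily.get(ts.date(), 0.0) + a
    totals = list(daily.values())
    return {"single": mean(amounts) + z * pstdev(amounts),
            "window": mean(totals) + z * pstdev(totals)}


def static_flags(new):
    """Global rule: flag any transfer over STATIC_LIMIT, whatever the account's habits."""
    return [i for i, (_, _, amount) in enumerate(new) if amount > STATIC_LIMIT]


def behavioral_flags(history, new, window=timedelta(hours=24)):
    """Per-account rule: flag a transfer that is unusual on its own, or that pushes the
    trailing-window total past the account's norm (catches a heist split into small pieces)."""
    profiles = {acct: baseline(tx) for acct, tx in history.items()}
    seen = {acct: list(tx) for acct, tx in history.items()}
    flagged = []
    for i, (acct, ts, amount) in enumerate(new):
        recent = sum(a for t, a in seen[acct] if ts - window < t <= ts) + amount
        if amount > profiles[acct]["single"] or recent > profiles[acct]["window"]:
            flagged.append(i)
        seen[acct].append((ts, amount))  # later pieces are judged against earlier ones
    return flagged


# Constructed incoming instructions: ACCT-A's first four pieces total 885,000, all under STATIC_LIMIT.
NEW = [
    ("ACCT-A", datetime(2016, 4, 1, 9, 0), 210_000.0),     # ordinary for this account
    ("ACCT-A", datetime(2016, 4, 1, 9, 5), 225_000.0),     # still within the daily norm
    ("ACCT-A", datetime(2016, 4, 1, 9, 10), 225_000.0),    # trailing total now abnormal
    ("ACCT-A", datetime(2016, 4, 1, 9, 15), 225_000.0),    # likewise
    ("ACCT-A", datetime(2016, 4, 2, 9, 30), 1_200_000.0),  # the only piece a static limit sees
    ("ACCT-B", datetime(2016, 4, 1, 11, 0), 1_550_000.0),  # routine for a large account
]
```

Running `static_flags(NEW)` returns `[4, 5]` (it misses the split pieces and raises a false alarm on the large account's routine transfer), while `behavioral_flags(HISTORY, NEW)` returns `[2, 3, 4]`.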
What you can do
Cyber criminals become increasingly savvy all the time, and staying ahead of potential threats is imperative. Gottfried Leibbrandt, chief executive at SWIFT, has a plan to go on the offensive against cyber criminals that may be a step in the right direction.
Register for IBM i2 Summit to learn more on how innovative and advanced human-led intelligence analysis solutions can help us outthink physical, fraudulent and cyber threats.