How to Avoid Poor Banking Tech Security Taking You Hostage
There were many sessions on security at Sibos 2019, but the ones with the most impact were the ones on Financial Crime Mitigation (FCM). Security covers several diverse areas, some of which are quite surprising.The damage which can be done by poor personal security on a connected mobile (see the spectacular example below) can be colossal. Moreover, security breaches can result in severe reputational damage as well as financial losses.
The cybercriminals are always busy. Vladimir Levin, a primary criminal hacker, managed to penetrate the banking network of a major bank and transferred around $10 million into his bank accounts in the UK, Germany, Finland, Holland, Israel and other places in 1995.
Last year Canada’s fourth and fifth largest banks confirmed that “fraudsters” stole the personal and financial information of their customers. Between the two banks, an estimated 90,000 customers were affected. It is through these data breaches that cyber criminals are able to get hold of vast quantities of information, which can be used to facilitate identity theft, social engineering fraud and authorized push payments scams where personal data is used to gain a customer’s trust, or facilitate the takeover of customer accounts.
Eric Michaud, CEO and founder at RiftRecon, spoke recently about his experiences tracking down criminal hackers. Amongst other revelations, included fascinating detail about the inner workings of the cryptocurrency companies, he provided worrying details about lax security in the banking industry.
The Scale of the Problem is Huge
The global cost of cybercrime has now reached as much as $600 billion — about 0.8 per cent of global GDP — according to a new report. The analysis comes as McAfee and American think tank the Center for Strategic and International Studies released a study “The Economic Impact of Cybercrime—No Slowing Down,” which assesses the gravity of what some observers are calling a “pandemic.” The reality is that cybercrime has been industrialized.
“When you look at the cost of cybercrime in relation to the worldwide internet economy — $4.2 trillion in 2016 — cybercrime can be viewed as a 14 per cent tax on growth,” McAfee said about the study.
Also, the new threats are here to stay. Since 2014, an international cybercriminal group has been targeting banks around the world and has made off with well over $300m by compromising the banks’ systems with malware and using the information they have mined. The outfit was caught by Kaspersky Lab according to the NYT.
The gang, which included Russian, Chinese and European individuals, is not sponsored by a nation-state but are cybercriminals who specialize in targeting banks. The targeted financial institutions are located in Russia, Japan, US and Europe. The gang, called Carbanak by the researchers, start their attacks with spear-phishing emails to bank employees, who are instructed to open an attachment which contains malware. The hackers use activated malware to infiltrate the bank’s networks and do extensive reconnaissance.
They then masquerade as employees, and steal money in ways that they hope will not raise the alarm. For example, by impersonating the employees, the criminals would inflate an account’s balance, then transfer the extra money to an outside account. The legitimate owner of the account and the bank would usually not notice immediately what happened, because the genuine funds were still there.
Another method they use, according to Michaud, is to instruct ATMs to dispense cash to an associate of the gang at a predetermined time. One Kaspersky client lost $7.3 million through ATM withdrawals alone.
However, no bank has come forward and publicly acknowledged a breach.
Michaud said: “The average time to detect a breach is about 200 days. When the bank discovered the breach, the criminals had already got their spoils out. And they’re still there. Yes, 300 days later, you might not believe it, but it’s true.”
He continued: “I was called in a while ago to help fill out the security program of a cryptocurrency exchange. They had detected some phishing emails.
“They have developers all over the world, such as the Philippines, Thailand and India but they have no clue really, who these people are. They are in the industry they write code so they must be valuable in some way. They decided not to use us. However, we also decided to pull away because they were asking weird questions. It seemed like the CEO did not know what he was doing. In addition, he had a record of accomplishment of supposedly knowing what he was doing on LinkedIn. However, the questions were just not right.
“Months later, we got a call. Their currency holdings were wiped out in an hour. Criminal hackers found all the executives’ phone numbers on social media and enough information on the names of their pets and other things from password breaches from LinkedIn and other services, where your password reset was probably going to be the one for your phone.
“And so, they were using SMS as their two-factor authentication. So for password recovery for your email, your phone is your identity, because that’s where everything goes. And so the CEO and the CFO got nailed, then all the other executives at the same time, their numbers got ported, within two minutes it’s imported to a new SIM card, and then all of their passwords got reset to another phone number.”
“It turned out the CEO was storing his private keys for his cryptocurrency in his phone with passwords. The hackers then went to the CFO who did similar stuff, and then the comptroller got nailed. The criminals then wired all of the money out into the network, and then all of a sudden, they pulled down all their email systems. Everything went down. And all that money lost just because someone can change your phone number.”
As criminal enterprises become more industrialized in their approach, banks need to keep up with them. However, the experiences that Eric Michaud had, provides us with one important lesson – very few banks on there own – including some of the biggest that are hacked regularly – have the in-house talent any more to keep it safe.
As Temenos is focused only on financial services, our business model is built around out-investing the competition in research and development (R&D) – across our focused product set – and recycling this development effort into packaged, regular, and easily upgradeable releases for banks. Temenos spends 25% of its turnover on R&D.
A recent Ovum report recognizes this, highlighting that ‘Temenos is a more specialist provider in Financial Crime Mitigation, with a strong market position for KYC/AML/watch-list-screening capabilities.’
Temenos banking solutions are available via a cloud-based delivery model. Cloud offers a scalable, manageable technology model that not only reduces IT hardware, maintenance and development costs, and provides a highly secure environment.
The ability to outsource the delivery of banking technology as a cloud-based service means new entrant banks have access to a highly secure, always-on, industry-leading core banking technology. They no longer require significant internal IT resources and expensive infrastructure of their own. The future of security in the banking industry almost certainly resides in our expertise in the cloud.