Financial services security changes with the times

Banks are targeted by cybercriminals because the potential value of their assets makes it worth the time, money and risk of trying to overcome their defences
Amichai Shulman, Imperva
Adam Bosnian, Cyber-Ark
Mickey Boodaei, Trusteer

No matter how strong the vault, there will always be someone willing to try their luck, and force their way in.

It’s not only in the movies where high-value locations, such as casinos, jewellers, art galleries and banks are the targets of thieves. These places have strong security because they are so attractive to criminals. The prize makes it worth the risk.

So it is with information security.

Banks are targeted by cybercrime gangs because the potential value of their assets makes it worth the time, money and, indeed, risk of trying to overcome their defences. As one security expert puts it, “it is a constant game of cat and mouse”. As the banks improve their defences, so the criminals find new, and often ingenious, ways to bypass them.

"It is about stealing information to make money, and financial information is one of the easiest ways to [do this]"
Greg Day, McAfee

Banks in the Western economies are very well defended. In many ways, our money is safer from theft than it ever has been, as we no longer need to carry, transact with, or deposit cash. But the banks’ largely successful attempts to protect electronic money flows – and the core IT systems that deliver them – have diverted the criminals’ attention to softer targets.

Phishing for sole swimmers

As a result, criminals are targeting individuals, primarily through phishing, but also through malware designed to capture information such as account details or passwords. Cybercrime gangs have also become involved in fraud against online retailers, often using stolen or cloned credit card details.

Concerns remain that criminals are targeting smaller financial services firms, which might be less well protected than the large banks, as well as the organisations that make up the banks’ supply chains.

Nor are the banks themselves completely safe. Hackers are seeking out back doors into financial systems, looking for technical vulnerabilities to exploit on the one hand, and insiders, who might be motivated to hand over sensitive information, on the other. In some countries where European banks have outsourced customer service or data processing, fully qualified sets of personal data can change hands for as little as £3.50 (US$5).

“The fact that the financial services industry has higher security won’t deter hackers”, says Amichai Shulman, CTO of security vendor Imperva. “It is the expected gain against the expected effort. Financial services does provide higher expected gains.”

Companies such as Imperva provide protection for applications running on the websites of financial services firms – a tempting target despite the technical difficulties of a hack. It is, however, also the simpler threats that put the sector at risk.

Who do you think you are?

According to IT security firm McAfee, identity theft remains one of the most concerning areas of cybercrime. The company’s recent Critical Infrastructure Report found that banks remain vulnerable.

“It is about stealing information to make money, and financial information is one of the easiest ways to make money”, says Greg Day, McAfee’s principal security analyst for EMEA. “So financial services are the obvious target.”

"The fact that the financial services industry has higher security won’t deter hackers"
Amichai Shulman, Imperva

There is no single way that the industry is vulnerable, however. Attacks against financial services firms, and their customers, take on several forms.

“The question for criminals is do they attack the user? Their security protection won’t be as good as that of an organisation that understands security”, says Day. “The challenge is the density of success: you have to reach a lot of people to make any money. If you get into the financial services firm itself, it is the holding hub for that data. But the security controls will be much better”, he adds.

If attacks against individuals are feasible but often of little value, direct attacks against a bank’s perimeter security appear to have little chance of success, at least in the developed economies. As a result, Day suggests that insider attacks remain high up on the agenda for banking CISOs.

The recent economic troubles have undoubtedly led to incidents where disgruntled staff – or those in financial difficulties – have attempted to steal, or have stolen, data.

Banks are not obliged to disclose data losses in Europe, but security vendors point to increased spending on ‘classic’ identity and access management tools, as well as data usage controls, as evidence that finance firms are aware of the risks.

Forthcoming regulatory changes – such as tougher sanctions, including jail terms – from the UK Information Commissioner’s Office for ‘reckless’ disclosure of personal data are also spurring banks to invest more in data control and auditing.

Regulation, regulation, regulation

Legislation such as the US’ Gramm-Leach-Bliley Act or the EU’s Data Protection Directive set out general rules governing the use of personal data. Stricter regulation of financial firms is playing a part in tightening up on data protection and information security procedures.

In particular, the UK’s Financial Services Authority has been prepared to hand down significant fines for data breaches. HSBC was fined £3.2m last summer – the largest fine ever handed out by the FSA for a breach. The regulator is currently investigating the Skipton Building Society over a breach that allowed 3000 savers to see details of the society’s other members.

Regulators, though, have to walk a fine line between being overly prescriptive, and so potentially hampering firms’ abilities to innovate or develop new security tools, and preventing organisations from taking undue risks with their customers’ data, or indeed money.

There is also the danger that if all breaches are punished, banks might be even more reluctant to talk about security failings or to give adequate warnings to their customers. “FSA fines are not just because something has gone wrong, there is always a risk of that”, says Nick Seaver, a partner in the security, privacy and resilience practice at Deloitte. “They [the large fines] are because of the way the breach has been dealt with afterwards.” In the case of HSBC, for example, the fine came after three serious breaches.

Other regulations, as well as the industry’s own initiatives, have certainly improved information security for consumers. PCI DSS, a standard governing credit card transaction processing, ran into criticism for the burdens it places on retailers and, in some cases, intermediary companies handling credit card data. The standard does have widespread support from the financial services industry, however, and is thought to have reduced the likelihood of breaches such as those that affected US card processor Card Systems in 2005, and retailer TJ Maxx in 2007.

Helping consumers to help themselves

The move towards two-factor authentication, based around CAP (Chip Authentication Programme) has dramatically reduced the amount of online banking fraud. Barclays, one of the UK banks using the system, has gone as far as to say it has suffered no fraud at all among customers using CAP.

Not all customers will use two-factor authentication, however, and there remain some risks, such as ‘man-in-the-middle’ attacks, where consumers’ data is intercepted and diverted before it reaches the bank. “Transaction data signing provides further protection [against man-in-the-middle attacks], but that’s not been adopted in the UK”, cautions Steve Brunswick, strategy manager at Thales’ information systems security division. “Statistics have shown a drop in online banking fraud, but fraud is moving to online shopping.”

"If the consumer does something silly, all the security in the world won’t help them, so a lot of effort goes to making sure the consumer is educated"
Nick Seaver, Deloitte

There might be little banks can do if fraudsters decide to turn their attention to less well-protected targets, although other anti-fraud measures, such as transaction analysis and trend mapping, promise to pick up on banking and card fraud.

Some banks are also using security software on customers’ computers, in part to harvest information about attacks and to harden systems, or to support more proactive measures, such as taking down malware sites.

Trusteer, for example, provides consumer security software that also gathers intelligence. According to the vendor’s CEO, Mickey Boodaei, this provides the benefit to the banks of offering some protection, even for customers who do not install the application.

“The intelligence we gather from customers that use the software allows the technology to feed information into other services, such as taking down malware command-and-control centres or phishing websites”, says Boodaei. “That reduces the risk to the customers that don’t have the software.” The Trusteer CEO points out that where banks offer the software, customer take-up is between 50% and 60%. “Fraud reduction provides the ROI”, he asserts.

Ultimately, though, financial services firms need publicity, in order to drive up user awareness. This is not merely to ensure that banking customers – and bank staff – use the security measures put before them. As criminal groups remain innovative, and prepared to try riskier methods to obtain information or money, ensuring users remain alert to unusual behaviour is likely to be the most enduring defence.

“If the consumer does something silly, all the security in the world won’t help them, so a lot of effort goes to making sure the consumer is educated”, says Deloitte’s Nick Seaver. “But in terms of spending, most of this is focussed inside the banks.”

“As long as the banks remain worried about information security, we are in a safe place.”


Machine-to-Machine Threats and Back-door Vulnerabilities

A growing concern among bank information security officers, and industry regulators, is the relatively weak level of security between banking applications.

Over the last few years, banks have taken steps to ensure that staff access to critical systems is controlled and monitored – and that staff understand the reasons for the restrictions.

This makes an inadvertent security breach, for example through sending unencrypted data or leaving passwords on display, less likely. If a staff member does something untoward, such as download large quantities of customer information, monitoring software will record this and alert the security team.

But now that it is harder for hackers to use humans to bypass security systems, they are turning their attention to “non-heartbeat” super users: the application and service accounts that systems use to talk to each other.

Older banking systems, in particular, exchange data by logging on with ordinary user accounts. Often these automated accounts are given extensive privileges. But their credentials are usually hard-coded into the application and are rarely, if ever, changed.

According to Adam Bosnian, VP for products and strategy at Cyber-Ark, a vendor working on application security, the vulnerability stems from a time when hacking simply was not on software developers’ radars. Banks need to act now to address it, he says, especially as automated, privileged users will not show up on most monitoring systems.

“Hackers are now aware of this and are trying to find admin passwords and back doors that applications use”, he says. “Even if you have database monitoring, all it will tell you is that an application is logging in – or that it looks that way.”
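Bosnian’s point is that a login by a stolen application credential looks, to the database, exactly like the application logging in. What monitoring can still catch is the context of that login: a long-lived service account has a very regular footprint (a fixed set of hosts, a fixed batch window), so a login from a workstation or at an unusual hour is worth an alert even when the credential itself is valid. The script below, an added illustration rather than code from the article, Cyber-Ark or any bank, learns that footprint from a constructed sample of database authentication log lines and flags later logins that deviate from it. The log format, the `svc_` naming convention for application accounts and the cutoff date are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample database authentication log (not from the article or any
# real system). Assumed line format:
#   <ISO-8601 timestamp> LOGIN user=<account> host=<source host> result=<ok|fail>
SAMPLE_LOG = """\
2010-03-01T02:00:05 LOGIN user=svc_batch host=batch01.corp result=ok
2010-03-01T02:00:06 LOGIN user=svc_batch host=batch01.corp result=ok
2010-03-02T02:00:04 LOGIN user=svc_batch host=batch01.corp result=ok
2010-03-02T09:15:00 LOGIN user=jsmith host=ws-1234.corp result=ok
2010-03-03T02:00:05 LOGIN user=svc_batch host=batch02.corp result=ok
2010-03-03T14:22:31 LOGIN user=svc_batch host=ws-7781.corp result=ok
2010-03-03T14:22:40 LOGIN user=svc_batch host=ws-7781.corp result=ok
2010-03-04T02:00:03 LOGIN user=svc_batch host=batch01.corp result=ok
"""

# The baseline is learned from everything before this (assumed) cutoff;
# events on or after it are scored against that baseline.
BASELINE_CUTOFF = datetime(2010, 3, 3)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "host": m["host"],
            "result": m["result"],
        })
    return events


def is_service_account(user):
    # Assumed naming convention for application ("non-heartbeat") accounts.
    return user.startswith("svc_")


def build_baseline(events, cutoff):
    """Per service account, the source hosts and hours of day seen before the cutoff."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "ok" and is_service_account(e["user"]):
            baseline[e["user"]]["hosts"].add(e["host"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def find_anomalies(events, baseline, cutoff):
    """Flag service-account logins on or after the cutoff that deviate from the baseline.

    Returns a list of (event, reason) tuples in log order. Human accounts are
    ignored here because they are assumed to be covered by the existing
    staff-activity monitoring described in the article.
    """
    alerts = []
    for e in events:
        if e["ts"] < cutoff or not is_service_account(e["user"]):
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e, "service account with no baseline"))
            continue
        reasons = []
        if e["host"] not in profile["hosts"]:
            reasons.append(f"unexpected source host {e['host']}")
        if e["ts"].hour not in profile["hours"]:
            reasons.append(f"outside usual hours {sorted(profile['hours'])}")
        if reasons:
            alerts.append((e, "; ".join(reasons)))
    return alerts


def run_demo(log_text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    """Build the baseline from the sample log and return (baseline, alerts)."""
    events = parse_log(log_text)
    baseline = build_baseline(events, cutoff)
    return baseline, find_anomalies(events, baseline, cutoff)


if __name__ == "__main__":
    baseline, alerts = run_demo()
    for user, profile in baseline.items():
        print(f"{user}: hosts={sorted(profile['hosts'])} hours={sorted(profile['hours'])}")
    for e, reason in alerts:
        print(f"ALERT {e['ts'].isoformat()} {e['user']}@{e['host']}: {reason}")
```

On the sample data the two logins from `ws-7781.corp` at 14:22 are flagged on both counts, which is the pattern a stolen hard-coded credential would produce. The login from `batch02.corp` is also flagged, and in practice might be a legitimate second batch node that simply never ran during the baseline window: a purely learned host set will raise alerts whenever the estate changes, so the set of hosts allowed to present a given application credential is better taken from an inventory of where that credential is deployed, with the learned baseline used only to catch drift from it.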
