The Threat of the Internet to Banking: The Monsters Lurking in the Shadows

Joris Flipse, Wandy Kalk

November 2018

The Biggest Threats

Financial institutions, especially banks, acquire a lot of sensitive information to provide services to their clients. Secure information systems and technology are crucial for these institutions to operate. The International Monetary Fund (IMF) says that the financial sector is therefore more prone to cyber-attacks than any other sector [5]. There are many people that would like to exploit this information for their own benefit. Some of the threats that banks face are:

Unsecure third party services

Many banks employ third party services to better serve their customers. Often this requires the vendors of the services to have at least limited access to the information system. If the third party vendors do not have proper cyber security measures in place, cybercriminals could exploit this to infiltrate into the information system. In the end, it could be the bank that suffers.

Spoofing

A recently new threat is spoofing. Cybercriminals mirror the website of a bank and hope that users will then wrongly assume it is the official website of their bank, since the outlay and functions seem identical. Unsuspected users will enter their login information, unintentionally handing over access codes to the hackers. The hackers can later use their login credentials to gain access to their private information. An even more concerning development in spoofing techniques, is that hackers are even able to target users that visit the official website of the bank.

The manipulation of data

Sometimes hackers don’t enter the information system to steal data, but they go in and manipulate data. This kind of attack is very hard to detect since altered data might look very similar to the original data. Also, banks might not even be aware of a breach since nothing has been stolen. Manipulated data could cost the banks millions of dollars.

Malware

The malware risk is linked to the network connection. The network enables sensitive information to pass between the bank and an end of user device, like a smartphone. If there is malware on the end user device, this malware could attack the network of the bank through the connection. Without a solid cyber security in place, the sensitive data of banks are sitting ducks for a cyber-attack [6].

Why should banks be afraid?

A successful cyber-attack causes a bank major damage. In the United States alone, attacks on SWIFT accounted for $1.8 billion in losses in 2017 for banks [7]. But the costs of a cyber heist do not just confine to the direct financial costs of money theft. The sensitive records that were compromised have to be recovered and better secured. Next to the data recovery and additional security costs, the loss of information could rack up larger bills due to potential fines, penalties and litigation [8]. In short, the true costs of a cyber-attack cut much deeper. In total, banks in the United States lost $16.8 billion due to cybercriminals in 2017 [7]. Other costly collateral effects of a cyber-attack are the loss of reputation and damaged brand identity.

According to a consumer sentiment study conducted by the Ponemon institute, data breaches are in the top three of incidents that have a negative impact on reputation alongside poor customer service and environmental incidents [7]. After a data breach the public could lose faith in the abilities of the bank to safeguard their money and data. Subsequently, the individuals might decide to leave. In the worst-case scenario, a bank doesn’t solely lose customers immediately after a cyber-attack but it also loses its ability to gain new ones in the future. This means that a breach affects both the current as well as the future profitability of a bank. Apart from the costs caused by loss of business, the bank will also need to spend funds to restore its reputation. This could include investments in additional cyber security or money spend to address the negative media coverage [8].

What Firepower are the Banks relying on?

Due to the major damages of a breach, cyber security has become one of banks’ main priorities. The Bank Director’s 2016 Risk Practices Survey indicated that more than 75% of the bank executives and board members viewed cyber security as their top risk concern [9]. Currently, many banks are embarking on a journey to implement a three lines of defence model to protect themselves against cyber risk. The first line of the defence model encompasses teams or business units that try to manage and understand the cyber risks. These business units will have to thoroughly evaluate whether what the bank is doing to control the cyber risk is enough.

Furthermore, they will need to expose current but also potential future cyber threats and what the impact is of cyber risk. They will be investigating each line of business separately and carefully. The second line risk managers take stock of the cyber vulnerabilities, the exposure and the risks. Based on this comprehensive picture, they will then compute metrics upon which they will base decision-making and which will help to establish risk/return trade-offs with respect to cyber security. The main role of the third and final line of defence is to assess

independently the firm’s risk and corresponding metrics. Third line teams will audit the risk governance approach of the first and second line to enhance its effectiveness. Lastly, these three lines of defence are supervised by a board of directors. They will ultimately decide the bank’s approach to cyber security [10]. The idea behind the three-lines defence model is that if each bank gets these fundamentals in place when it comes to cyber risk, the industry as a whole should be more resilient, protected and better equipped to handle cyber-attacks.

Whether or not this approach will be enough to protect banks in the future is debatable. Only deflecting attackers today is no longer enough, banks will need to stay ahead of the game. Cybercriminals are constantly developing new, nefarious techniques to achieve their objective. Before the Bangladesh heist, Swift was considered to be unbreachable. The program used military grade security systems and multi-factor authentication to dispatch encrypted messages, most of the money transactions, to member banks around the world. Yet, without any warning hackers were able to take one of Swift defining features, global reach, and turn it into a vulnerability [2]. Banks are simply at a major disadvantage. They need to defend themselves against all possibilities, whereas hackers are able to focus all their attention and resources on searching for a single weak spot that can be exploited as a point of entry [4]. By analogy, banks can put all their effort into building strong and thick steel front door, but if they leave the window open, they are still in trouble.

Fundamental Problem: The Malicious Insider

Another important issue with respect to cyber security is that, despite being very much aware of the cyber risk posed by outsiders, organisations often neglect the internal threat. Contrarily, an important facet of a cyber-attack is often the bad actors within one’s own organisation. This is especially problematic since countermeasures implemented for outside threats are often not able to combat attacks or breaches from within.

Admittedly, malicious insiders have been a problem for banks for decades but the internal threat is even greater today. In the old days, there used to be a the strict control that applied to money but this has not been extended to the value of data. In a bank many employees are granted access to sensitive information systems [4]. Consequently, the system has become more vulnerable, since each employee could be a potential entry point for hackers. It is a little bit overdramatic to assume that all employees potentially harbour malicious intent and most likely most of your workers don’t. However, it only takes one or two rotten apples to wreak havoc [11]. This could be employees who fear unemployment, feel mistreated or simply see an opportunity to cash in. In some cases, the inside man might even not be aware of its role. An employee might become an accomplice simply by clicking on an unsolicited or suspicious link. Not all staff members are always fully engaged on cyber matters [12].

Supervision and Regulation

Apart from inflicting damages to individual firms, recent concerns are that cyber-attacks could pose a real systemic threat as well. If hackers disrupt larger financial systems, they could potentially halt entire markets, disorder financial transactions and, worst of all, undermine trust and stability in the financial sector [10]. If they succeed to launch such an attack, the damages to economies might be far worse than anyone could imagine.

The rise of cybercrime in the financial sector and the concerns about systemic cyber risk has thereby elevated cyber risk to a higher place on the political agenda. This resulted in the strengthening of regulation and supervision by official sector initiatives to address the cyber risks. For example, the G7 finance ministers and governors of the central bank set of “Fundamental Elements of Cyber security for the Financial Sector”. The aim of these fundamentals was to help banks better tailor their cyber security. In addition, the Financial Stability Board’s work plan of 2017 included the need to monitor cyber risk. Moreover, some countries implemented national policies to strengthen the cyber security in critical sectors [13].

Almost all of the implemented requirements by official initiatives follow a framework involving the following categories: governance, identification, protection, detection, response and recovery. These include, among other things, requirements on risk ownership and accountability, periodic evaluation and monitoring of cyber security, and recovery plans. But the ever evolving nature of cyber threats poses a problem with respect to regulation and security. Due to its fickle nature, regulation that provides a good and proper structure to cope with cyber risk today, might be rapidly outdated and ineffective in the future. If the requirements are excessively stringent and rigid, it could even be counterproductive [13].

Concluding remarks

Cybercriminals create detailed plans of attack to find a way into a bank’s security system and will patiently wait for the perfect opportunity to strike. They evolve every day, making their cyber-attacks increasingly sophisticated and harder to deflect. So the answer to the main question “are the banks ready to face the monsters lurking in the shadows?” is a definite no.

Notwithstanding the efforts of the banks and official institutions, they seem to be constantly outpaced by cybercriminals. One could say that even if the banking industry invested hundreds of millions of dollars into cyber security and hired the brightest tech minds, it might never be enough. First of all, banks often neglect the internal threat. One can make the walls of the castle invincible, but this is of no use if the enemy is already inside. Also, outside hackers might find a way through the perimeter by manipulating insider through social engineering. But more importantly, cybercriminals have one major leg up on banks: they only need to focus their effort on breaking one weak point so they can circumvent the security system. Meanwhile, banks have to be ready for all possible scenarios since they do not have a clear picture about how cybercriminal are planning to strike and thus also not about how they can protect themselves. By innovating, combining human management and technology, and staying ahead of the cyber threats, banks might stand a fighting chance against hackers. However, even if a bank is able to secure 95% of the cyber risk, it is not enough!


Footnotes

[1] Kaspersky Lab. (2017). Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies. Retrieved on the 20th of November 2018 from https://www.kaspersky.com/about/press-releases/2017_chasing- lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies
[2] Hammer, J. (2018). The Billion-Dollar Bank Job. Retrieved on the 19th of November 2018 from https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank- heist.html
[3] Raghavan, A.R. & Parthiban, L. (2014). The Effect of Cybercrime on a Bank’s Finances. International Journal of Current Research and Academic Review, 2(2), 173-178
[4] Thompson, C. (2018). Cyber crime in financial services: the big picture. Retrieved on the 19th of November 2018 from https://financeandriskblog.accenture.com/cyber-risk/cyber-crime-in-financial-services-the-big-picture
[5] Middleton, C. (2018). Cyber attack could cost bank half of its profits, warns IMF. Retrieved on the 7th of November 2018 from https://internetofbusiness.com/fintech-cyber-attack-could-cost-bank-half-of-its-profits- warns-imf/
[6] Jaslar, S. (n.d.). The 5 Biggest Threats to a Bank’s Cyber Security. Retrieved on the 19th of November 2018 from http://www.sqnbankingsystems.com/sqn-blog/the-5-biggest-threats-to-a-banks-cyber-security
[7]  Mirchandani, B. (2018). Laughing All The Way To The Bank: Cybercriminal Targeting U.S. FInancial Institutions. Retrieved on the 19th of November 2018 from https://www.forbes.com/sites/bhaktimirchandani/2018/08/28/laughing-all-the-way-to-the-bank-cybercriminals- targeting-us-financial-institutions/#154f75146e90
[8]  Eubanks, N. (2017). The True Cost of Cybercrime For Businesses.. Retrieved on the 19th of November 2018 from https://www.forbes.com/sites/theyec/2017/07/13/the-true-cost-of-cybercrime-for- businesses/#5cb756f04947
[9]  Fintech Finance. (n.d.). Banking Industry Still Lags on. Retrieved on the 3rd of November 2018 from https://www.fintech.finance/featured/banking-industry-still-lags-on-cybersecurity/
[10] EY. (2017). Cyber risk management across the lines of defense.
[11] Computer Economics. (2010). Malicious Insider Threats Greater than Most IT Executives Think. Retrieved on the 19th of November 2018 from https://www.computereconomics.com/article.cfm?id=1537
[12] Harwood-Jones, M. (2017). Cyber crime: The next systemic risk. Retrieved on the 19th of November 2018 from https://www.euromoney.com/article/b13xj9jr9gr66s/cyber-crime-the-next-systemic-risk
[13] Crisanto, J.C. & Prenio, J. (2017). Regulatory approaches to enhance banks’ cyber-security frameworks. Bank for International Settlements.

References


    a

    A


    Joris Flipse

    MSc Finance at VU Amsterdam

    Wandy Kalk

    MSc Economics and MSc Econometrics and OR at VU Amsterdam