Banks are becoming increasingly worried about the threat of cyber-crime. Last month, the Bank of England launched a new framework, called CBEST, to assess the risk to financial systems by replicating the threats being used by criminals. This article addresses why banks are so worried and what exactly they are worried about.
Andrew Gracie, Executive Director, Special Resolution Unit, Bank of England, gave a speech recently where he stated that, “low-level attacks are now not isolated events but continuous.”
He, amongst others, fears that a large co-ordinated attack by computer hackers could cause the financial sector serious problems.
Other members of the banking industry have warned that the risk of criminals accessing the computer systems, changing details, transferring money and deleting accounts is very real and could cause huge repercussions across the whole financial world if a large bank was to be seriously attacked in this way.
On 12th November 2013, a group of banks rehearsed this type of scenario in an operation they called ‘Waking Shark 2’, in which they simulated the UK financial sector coming under attack from a hostile nation-state. They were generally pleased with the outcome, as the various institutions involved shared information efficiently enough to prevent a disaster. However, some commentators were not impressed. Experts in the IT world stated that these sorts of tests should be carried out more often and that they should prepare for more covert attacks. In 2012, the computer security firm Trustwave conducted research showing that, on average, it took firms around 210 days to realise that they had been the victims of a cyber-attack. The frequency and variety of these attacks have frightened the banks into being more vigilant and prepared to deal with these threats.
Cyber-attacks on banks come in many forms. The main ones which were worrying banks last year were DDoS attacks, spear phishing, ransomware, mobile malware, insider threat, cyberwarfare and retailer breaches.
DDoS (distributed denial-of-service) Attacks
This type of attack involves criminals stopping a machine or network from working for its intended users. One use of this technique is to shut down internet banking services and exploit the distraction and problems this creates to make information-seeking calls to the already overstretched call centres.
Spear Phishing
By sending emails from the accounts of trusted members of staff or departments in a company, the ‘spear phishers’ can ask the employees and/or customers for their login details to access restricted areas of the network.
Ransomware
A piece of software is used to restrict access to a computer or network until a ransom is paid.
Mobile Malware
The increased use of mobile phone banking has added to the number of channels criminals can attack from, and putting malware on mobile phones is one way they do it.
Insider Threat
Cyber-threats don’t just come from external sources; they also come from employees or ex-employees of the banks. These people may have passwords and access to privileged information.
Retailer Breaches
Banks are now finding that retailer transactions at the point of sale are vulnerable to attack, especially at small retailers, because of weaker security systems. These channels are another route criminals can use to reach the banks.
Cyberwarfare
Increasingly, threats are coming from self-proclaimed ‘hacktivists’ and nation-states rather than from criminals who want to steal money. It is these large co-ordinated attacks that cause banks the most concern.
When cyber-attackers use more than one method to attack a bank at the same time, it is called a ‘cross-channel’ attack, and these are becoming more frequent. Experts in the industry have suggested that analysing large amounts of data across the whole of the banking industry will help to detect this type of tactic, and that is what the Bank of England is attempting with its new framework, which it hopes will be widely used across the industry.
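The DDoS-as-distraction tactic described earlier and the cross-channel analysis that the Bank of England's framework aims at can be illustrated with a small correlation check, written here as an added example (not code from the article or from CBEST) over constructed log lines: it flags an internet-banking outage during which phone requests to change account details arrive at a rate well above that seen just before the outage. The log format, channel names and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the article). "web" = internet-banking
# availability monitor; "callcentre" = phone requests to change account details.
SAMPLE_LOG = """\
2013-11-12T09:00:00 web up
2013-11-12T09:05:00 callcentre detail_change
2013-11-12T09:30:00 web down
2013-11-12T09:31:00 callcentre detail_change
2013-11-12T09:33:00 callcentre detail_change
2013-11-12T09:34:00 callcentre detail_change
2013-11-12T09:36:00 callcentre detail_change
2013-11-12T09:45:00 web up
2013-11-12T10:20:00 callcentre detail_change
2013-11-12T11:00:00 web down
2013-11-12T11:10:00 web up
"""

def parse(log):
    # "timestamp channel event" lines -> time-sorted (datetime, channel, event) tuples
    return sorted((datetime.fromisoformat(ts), ch, ev)
                  for ts, ch, ev in (line.split() for line in log.splitlines()))

def outage_windows(events):
    """Return (start, end) pairs during which the web channel was down."""
    windows, start = [], None
    for ts, channel, event in events:
        if channel != "web":
            continue
        if event == "down" and start is None:
            start = ts
        elif event == "up" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:  # still down when the log ends
        windows.append((start, events[-1][0]))
    return windows

def cross_channel_alerts(events, baseline=timedelta(hours=1), factor=3.0):
    """Flag outages where detail-change calls exceed `factor` x the pre-outage per-minute rate."""
    calls = [ts for ts, ch, ev in events if ch == "callcentre" and ev == "detail_change"]
    alerts = []
    for start, end in outage_windows(events):
        during = sum(1 for t in calls if start <= t < end)
        before = sum(1 for t in calls if start - baseline <= t < start)
        before_rate = max(before, 1) / (baseline.total_seconds() / 60)  # floor: 1 call/baseline
        during_rate = during / max((end - start).total_seconds() / 60, 1)
        if during_rate > factor * before_rate:
            alerts.append({"start": start, "end": end, "during": during, "before": before})
    return alerts
```

The second, quiet outage at 11:00 produces no alert, so the check fires on the combination of channels rather than on any outage alone.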