So I just had a meeting with a couple of heavyweights in the cybersecurity field.
These guys are bank defenders, and very good at their jobs.
Their mission: to keep cyberattacks to an acceptable level.
Acceptable is a few basis points of total credit, let’s say under 0.7%.
But it’s getting harder every day, when attacks come from all levels.
They therefore issue tokens, keys and software to make sure that customers are protected.
The only thing is that the tokens, keys and software aren’t liked by most customers as they are unwieldy, difficult to use and hard to remember.
Why is that?
Because most bank systems were built for the branch era, when the internet was just a wee idea in the back of someone’s head.
Now that all this crap is out there offering remote access that’s convenient, it’s creating a real headache for everyone.
So the result is an overlay of bulky security processes that no-one likes, but the sticking plaster works (albeit with effort).
Then we got into a dialogue about how security has changed: just a few years ago, 80% of the threat was from physical attack and 20% virtual; now it’s switcheroo’d, with 80% remote and 20% direct, ignoring internal attacks of course.
This is well illustrated by the latest stats from Symantec, who announced that there were over 5.5 billion malicious attacks on systems last year – an increase of 81% – with over 403 million different versions of 'malware' out there.
Times are hard.
We got into a chat about how you protect the bank when there are so many events out there that could compromise it.
They said that they knew the bank would get compromised on an irregular basis – you cannot predict every attack – but it depends on what the attack is and how you handle it.
A denial of service attack that brings down the website is far easier to deal with than one that compromises customer data or funds.
Equally, the key for the bank is not the compromise risk but the reputational risk: getting hacked once without anyone hearing about it is far more desirable than getting hacked with customers knowing about it, and worse still is getting hacked more than once with customers knowing about it.
So it’s all about minimising risk, managing compromises and ensuring everything is kept at a nice level below the eyeline of the client.
I finished the chat by asking why we no longer hear much about identity theft, as that was a big topic just a few years ago.
“Oh that”, they said, “that’s those darned yanks stirring up the pot”.
“There is no such thing as identity theft”, they said.
“The yanks call everything identity theft, whether it’s a card-not-present issue for a singular transaction or an account takeover”.
“So we only refer to account takeover as identity theft, which is when someone gets hold of the bank access of a customer and uses that for their own purposes.”
“And that’s where the issue arises”, they said.
“Well, if we have a totally new customer to the bank, never seen before, we have three groups who start to look at the customer onboarding: risk, compliance and security:
- Risk are typically looking at whether the person is bankable and appropriate to the account offer (credit and market risk);
- Compliance are looking to ensure that all the regulatory tick boxes are ticked (AML, KYC); and
- Security are trying to ensure that the person is not setting off security alarms when they are onboarded (fraud, cybercrime, terrorism, etc).”
“And the challenge is to make sure that all three groups work in tandem, as often the cogs can be out of kilter.”
I guess that tells you why cybercrime, bank security and all the layers of keys, tokens and passwords, AML and KYC processes are so darned annoying but necessary.
C’est la vie.
Roll on biometrics.