The real challenge for the banking system is how to protect their firewalls from attack by hacktivists, goverworms and cybercriminals and, conversely, how to deliver easy access to online banking for their clients.
It’s a real dilemma.
On the one hand, everyone wants mobile access to his or her
account balances and to make payments; on the other, no-one wants to consider
the issue of haemorrhaging losses if they don’t protect their account properly.
This is also a challenge in terms of building business as,
for example, many people do not use mobile banking for exactly this reason:
they worry about haemorrhaging losses.
So there are two distinct focal points here for information
security within a bank:
- protecting the bank’s information from attack;
- allowing the bank’s customers to access the information they need when they need it.
Looking at the first part, hacktivists are not really the issue here.
A massive Distributed Denial of Service (DDoS) attack from the anonymous collective is concerning, but bringing down a website does not bring down the system.
MasterCard and Visa made this clear when they were attacked last year, and so it's an inconvenience rather than a concern.
However, a targeted hack is a concern, and there are many instances of banks
failing to deal with this properly. Last year,
for example, hackers got access to some of Citibank’s customer data, with at least $2.7 million lost by 3,400 customers. That’s small beans and is manageable, but
shows the vulnerability.
The insider threat is even greater, with employees who can
gain millions by selling access to bank data.
An instance of this was also seen last year, with Bank of America losing
over $10 million thanks to a staffer giving away account details to an identity
Again, it’s small beans, but when there’s a crack in the firewall it can soon grow into a fissure, chasm or canyon.
That was well illustrated by Sumitomo Bank who lost almost $350
million in a keylogger scam.
You would think that this bank would
therefore have gotten its act together after such a near fatal disaster. No.
This is the very same banking operation that was fined £3.5 million by
the Financial Services Authority in May for serious IT governance failings.
Regardless, as I keep saying, banks are data
guardians, information providers and knowledge developers. Or they should be.
This means that the way in which you guard against data
failings from external attack is by having the obvious data protections:
firewalls, secure sign-on, dual authentication with triangulation of access,
real-time business events monitoring and so on.
What I mean by this is that banks should be moving towards
much improved real-time tracking and business intelligence about their information
flows, and this will alert them to any security breach.
After all, most banks know that they will be breached. In fact, they know they cannot stop a breach.
It will happen. The real question then
is how you deal with it and how fast.
That’s the key.
This is why complex event monitoring of business
intelligence flows with real-time alerts is a key focal point. The ability for a bank to keep its finger on
the pulse of every transaction across its global operations will be the key to
protecting against internal and external threats.
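As an added illustration of what “real-time alerts” on transaction flows can look like (this is constructed example code, not anything from the original post or from any bank), here is a small rule-based monitor that checks each event as it arrives. The rules (velocity, country hop, amount spike) and all thresholds are assumptions, and the sample events are made up.

```python
"""Constructed example: rule-based real-time monitoring over a transaction stream.
Each event is checked as it arrives; an alert is raised as soon as a rule fires.
Thresholds below are assumptions chosen for the demo."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

VELOCITY_WINDOW = timedelta(minutes=10)     # assumption
VELOCITY_LIMIT = 5                          # assumption: max events per window
COUNTRY_HOP_WINDOW = timedelta(minutes=30)  # assumption
AMOUNT_SPIKE_FACTOR = 5.0                   # assumption: multiple of rolling mean


class TransactionMonitor:
    def __init__(self):
        self.history = defaultdict(deque)   # account -> recent events (24h)

    def check(self, event):
        """Return the list of alert strings for this event, then record it."""
        acct = event["account"]
        ts = datetime.fromisoformat(event["ts"])
        recent = self.history[acct]
        alerts = []
        # Rule 1: many events in a short window (scripted draining / card testing)
        in_window = [e for e in recent if ts - e["_ts"] <= VELOCITY_WINDOW]
        if len(in_window) + 1 > VELOCITY_LIMIT:
            alerts.append(f"{acct}: velocity {len(in_window) + 1} events in {VELOCITY_WINDOW}")
        # Rule 2: the same account used from two countries within a short window
        for e in recent:
            if e["country"] != event["country"] and ts - e["_ts"] <= COUNTRY_HOP_WINDOW:
                alerts.append(f"{acct}: country hop {e['country']}->{event['country']}")
                break
        # Rule 3: amount far above the account's rolling mean
        if recent:
            mean = sum(e["amount"] for e in recent) / len(recent)
            if event["amount"] > AMOUNT_SPIKE_FACTOR * mean:
                alerts.append(f"{acct}: amount {event['amount']} vs mean {mean:.2f}")
        recent.append({**event, "_ts": ts})
        while recent and ts - recent[0]["_ts"] > timedelta(hours=24):
            recent.popleft()   # keep only the last 24 hours per account
        return alerts


# Constructed sample stream (not real customer data)
SAMPLE_EVENTS = [
    {"account": "A1", "ts": "2011-08-01T09:00:00", "amount": 40.0, "country": "GB"},
    {"account": "A1", "ts": "2011-08-01T09:05:00", "amount": 35.0, "country": "GB"},
    {"account": "A1", "ts": "2011-08-01T09:20:00", "amount": 900.0, "country": "RU"},
]


def run(events):
    """Feed events through a fresh monitor and collect every alert raised."""
    mon = TransactionMonitor()
    return [a for ev in events for a in mon.check(ev)]
```

On the sample stream the third event trips both the country-hop and amount-spike rules; the point is that the alert is produced while the event is being processed, not in a batch report later.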
And if real-time business monitoring can solve the first
issue, an external or internal security breach, what do you do about the second
area: ensuring ease of access securely?
Again, it seems simple and yet so many fail.
I was astounded to read a report, for example, that stated that
the mobile banking apps from world-leading banks like Wells Fargo, PayPal,
Chase and others were failing the viaForensics security tests.
At the time, August 2011, a quarter of all mobile bank apps failed basic security tests.
According to Neil O’Farrell, executive director of the Identity Theft Council: “There were more breached
records last year than U.S. residents, and more
cases of identity theft than just about all other crimes combined”. He went on to say that: “Eight out of ten
mobile banking apps have security flaws, but Apple and the banks don’t want you
to know that.”
Whether true or not, there are obvious flaws in mobile
security right now, and yet there shouldn’t be.
As Business Week points out,
mobile banking is more secure than online banking … or it should be, when done right.
As most users always know where their mobile is and have it
with them, unlike their wallet or credit card, they are far more
likely to know when it is lost or stolen.
Equally, as mentioned, triangulation or more secure
techniques mean that you can use the mobile telephone number and the geolocation
proximity of the phone, text messages and apps, alongside a card and PIN, to
make sure that the person who says they are trying to access the account is
actually the person who should access the account.
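To make the “triangulation” idea concrete, here is an added example (constructed for this page, not code from the original post or from any bank) in which card and PIN, the registered phone number, the phone’s reported location and an SMS one-time code must all agree before access is granted. The 50 km proximity limit, the five-minute code lifetime and the customer record are assumptions.

```python
"""Constructed example of triangulated access control: card+PIN, registered phone
number, phone geolocation near the access point, and a fresh SMS one-time code.
Distances, lifetimes and the customer record are assumptions for the demo."""
import hashlib
import hmac
from math import asin, cos, radians, sin, sqrt

MAX_PHONE_DISTANCE_KM = 50.0   # assumption: phone must be near the access point
OTP_TTL_SECONDS = 300          # assumption: SMS code valid for five minutes


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def pin_hash(pin, salt):
    """PIN is never stored in clear; only a salted PBKDF2 hash is kept."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed customer record (not real data)
CUSTOMER = {
    "card": "4000-0000-0000-0001",
    "pin_salt": b"demo-salt",
    "pin_hash": pin_hash("1234", b"demo-salt"),
    "phone": "+441234567890",
    "otp": "482913",
    "otp_issued_at": 1_000_000,   # epoch seconds when the SMS code was sent
}


def authorize(customer, req):
    """Return (granted, reasons). Every factor is always evaluated so that a
    failure in one does not reveal whether the others were correct."""
    reasons = []
    if req["card"] != customer["card"] or not hmac.compare_digest(
            pin_hash(req["pin"], customer["pin_salt"]), customer["pin_hash"]):
        reasons.append("card/PIN")
    if req["phone"] != customer["phone"]:
        reasons.append("phone number")
    d = haversine_km(*req["phone_loc"], *req["access_loc"])
    if d > MAX_PHONE_DISTANCE_KM:
        reasons.append(f"phone {d:.0f} km from access point")
    otp_fresh = req["now"] - customer["otp_issued_at"] <= OTP_TTL_SECONDS
    if not (otp_fresh and hmac.compare_digest(req["otp"], customer["otp"])):
        reasons.append("SMS code")
    return (not reasons, reasons)
```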
The bottom-line of securing banking is that banks will never
be able to keep ahead of the criminal.
That’s the criminal’s job: to continually test and try to break the
security of the bank.
This means that the bank must therefore always be one step
behind those who want to create cracks in their firewalls.
That means continual renewal of information security policies,
systems and infrastructures, and making sure that the bank keeps up with best
practice in securing their customers’ data.
Some banks do this brilliantly.
Just make sure you’re with the ones that do.
This is the last entry in a series about Hacktivism.