
So how should a bank protect itself from hacktivists and cybercrime?

The real challenge for banks is how to protect their systems
from attack by hacktivists, goverworms and cybercriminals while, at the same
time, delivering easy online banking access to their clients and customers.

It’s a real dilemma.

On the one hand, everyone wants mobile access to his or her
account balances and to make payments; on the other, no-one wants to consider
the issue of haemorrhaging losses if they don’t protect their account properly.

This is also a challenge in terms of building business as,
for example, many people do not use mobile banking for exactly this reason:
they worry about haemorrhaging losses.

So there are two distinct focal points here for information
security within a bank:

  1. protecting the bank's information from attack; and
  2. allowing the bank's customers to access the information they need when they need it.

Looking at the first part, hacktivists are not really the issue here.

A massive Distributed Denial of Service (DDoS) attack from the Anonymous collective is concerning, but bringing down a website does not bring down the system.

MasterCard and Visa made this clear when they were attacked last year, so it's an inconvenience rather than a concern.

However, a targeted hack is a concern, and there are many instances of banks
failing to deal with this properly. Last year, for example, hackers got access
to some of Citibank's customer data, with at least $2.7 million lost by 3,400
customers. That's small beans and is manageable, but it shows the vulnerability.

The insider threat is even greater, with employees who can
gain millions by selling access to bank data.
An instance of this was also seen last year, with Bank of America losing
over $10 million thanks to a staffer giving away account details to an identity
theft ring.

Again, it's small beans, but when there's a crack in the
firewall it can soon grow into a fissure, chasm or canyon.

That was well illustrated by Sumitomo Bank, who lost almost $350
million in a keylogger scam.

You would think that this bank would therefore have gotten its act together
after such a near-fatal disaster. No. This is the very same banking operation
that was fined £3.5 million by the Financial Services Authority in May for
serious IT governance failings.

Oh dear.

Regardless, as I keep saying, banks are data
guardians, information providers and knowledge developers.  Or they should be.

This means that the way in which you guard against data
failings from external attack is by having the obvious data protections:
firewalls, secure sign-on, dual authentication with triangulation of access,
real-time business events monitoring and so on.

What I mean by this is that banks should be moving towards
much improved real-time tracking and business intelligence about their information
flows, and this will alert them to any security breach.

After all, most banks know that they will be breached. In fact, they know they cannot stop a breach.
It will happen. The real question then is how you deal with it, and how fast.

That’s the key.

This is why complex event monitoring of business intelligence flows with
real-time alerts is a key focal point. The ability of a bank to keep its finger
on the pulse of every transaction across its global operations will be the key
to protecting against internal and external threats.

And if real-time business monitoring can solve the first
issue, an external or internal security breach, what do you do about the second
area: ensuring ease of access securely?

Again, it seems simple and yet so many fail.

I was astounded to read a report, for example, that stated
the mobile banking apps from world-leading banks like Wells Fargo, PayPal,
Chase and others were failing the viaForensics security tests.
At the time, August 2011, a quarter of all mobile bank apps failed basic security tests.

According to Neal O'Farrell, executive director of the Identity Theft Council: "There were more breached
records last year than U.S. residents and more
cases of identity theft than just about all other crimes combined". He went on to say that: "Eight out of ten
mobile banking apps have security flaws, but Apple and the banks don't want you
to know that."

Whether true or not, there are obvious flaws in mobile
security right now, and yet there shouldn't be.
As Business Week points out,
mobile banking is more secure than online banking ... or it should be, when done right.

As most users always know where their mobile is and have it
with them, unlike their wallet or credit card, they are far more
likely to know when it is lost or stolen.

Equally, as mentioned, triangulation and similar techniques mean that you can
use the mobile telephone number and the geolocation proximity of the phone,
text messages and apps, alongside a card and PIN, to make sure that the person
who says they are trying to access the account is actually the person who
should be accessing it.
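The "triangulation" idea above, and the real-time transaction monitoring with alerts discussed earlier, as one added example (my code, not anything from the Finanser post or any bank): each card transaction is checked against the last known location of the customer's registered phone, and a mismatch either triggers a step-up (one-time code by text message) or an alert for the monitoring desk. Coordinates, amounts, thresholds and the `Event` structure are all constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Event:
    account: str
    amount: float
    card_lat: float   # where the card and PIN were presented
    card_lon: float
    phone_lat: float  # last known geolocation of the registered phone
    phone_lon: float
    pin_ok: bool

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def decide(ev, proximity_km=50.0, high_value=1000.0):
    """Return 'allow', 'step_up' (send SMS one-time code) or 'block'.

    Card+PIN is the first factor; phone proximity is the second. When the two
    disagree, small amounts get a step-up and large ones are blocked pending review.
    """
    if not ev.pin_ok:
        return "block"
    distance = haversine_km(ev.card_lat, ev.card_lon, ev.phone_lat, ev.phone_lon)
    if distance <= proximity_km:
        return "allow"
    return "block" if ev.amount >= high_value else "step_up"

def monitor(events):
    """Real-time style pass over a stream: return (account, decision) alerts for
    anything that was not plainly allowed, so the operations desk sees it at once."""
    return [(ev.account, decide(ev)) for ev in events if decide(ev) != "allow"]

# Constructed sample stream: London card + London phone, New York card + London phone, bad PIN.
SAMPLE = [
    Event("acct-1", 40.0, 51.5074, -0.1278, 51.5155, -0.0922, True),
    Event("acct-2", 250.0, 40.7128, -74.0060, 51.5074, -0.1278, True),
    Event("acct-3", 5000.0, 40.7128, -74.0060, 51.5074, -0.1278, True),
    Event("acct-4", 20.0, 51.5074, -0.1278, 51.5074, -0.1278, False),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert)
```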

The bottom-line of securing banking is that banks will never
be able to keep ahead of the criminal. 
That’s the criminal’s job: to continually test and try to break the
security of the bank.

This means that the bank must therefore always be one step
behind those who want to create cracks in their firewalls. 

That means continual renewal of information security policies,
systems and infrastructures, and making sure that the bank keeps up with best
practice in securing its customers' data.

Some banks do this brilliantly.

Some don’t.

Just make sure you’re with the ones that do.

This is the last entry in a series about Hacktivism.

About Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.

4 comments

  1. An interesting summary on what banks should protect and enable.
    An important point you mention is the continuous testing and verification against actual incidents to ensure that you have thought of every possible way to get to the values of a bank.

  2. Interesting article, except all those comments you attribute to me are simply incorrect. Not sure where you’re getting your information from – probably other writers who don’t check their facts.
    Neal O’Farrell
    Executive Director
    The Identity Theft Council

  3. Interesting, Neal.
    Your San Francisco Small Business Week speech got a lot of coverage saying you said this, which is where I got these statements from:
    http://www.phonearena.com/news/8-in-10-mobile-banking-apps-are-flawed-security-expert-suggests_id30483
    http://www.cultofmac.com/168143/why-hackers-target-small-businesses-who-use-macs-ipads-iphones/
    Do you want to give me a corrected statement?
    Chris

  4. It is unsettling to think that the banking apps have failed security tests. Quite frankly, there is only one bank that I think is taking the correct steps to monitor online activity and protect client information. However I still hoped that the others were doing what was necessary to keep their whole system secure.
    Banks should take this issue very seriously. They put in so many measures to prevent consumers from even withdrawing their own money without passing security checks. Why can’t they build a more secure system for mobile banking?
