Home / Uncategorized / Are cyberthreats really a threat?

Are cyberthreats really a threat?

After a typical SIBOS evening – oh, Sake – woke up to
a typical SIBOS morning with coffee from Franco, HSBC’s resident barista
coffee maker.



Then into the first session of the day about cyberwars – are
they a real threat? 

Ably chaired by Paul Taylor, Technology and Telecoms Editor
with the Financial Times, the panle comprised:

  • David Bannatyne, Executive GM, Banking &
    Payments Systems, National Australia Bank;
  • Mark Clancy, MD, Technology Risk Management,
    DTCC; and
  • Srood Sherif, Group Chief Information Officer,
    National Bank of Abu Dhabi;

    the debate went something like this (not quotes, but my

    Bannatyne: we’re at risk 24 hours a day, no longer from 9
    till 5.

    Clancy: it’s a risk that needs to be managed and comes from
    four constituencies that can be summarised in the acronym CHEW – Criminals, Hactivists,
    Espionage and War.

    Sherif: the issue is not just getting at our information but
    the market for the information you get – it’s far more insidious these days.  Gangs sell to other gangs.  Further issues can be politically
    motivated.  For example we had a hacker
    group in Saudi who claimed they had gained access to financial information in
    Israeli accounts, and so the Israeli hackers attacked the Saudi and related
    banks, like ours. We get attacks thousands of times a day.

    Clancy: We had many Distributed Denial of Services (DDoS)
    attacks in Q4 in the USA.  The CEO of PNC
    Bank said that they were pummelled for 36 hours nonstop and the effect is that
    people can reach out and attack you from the other side of the planet and cause
    a significant impact.  We also used to
    see DDoS attacks from consumer systems, but the attacks more recently are from
    colocation centres, which have higher bandwidth and are therefore far more

    Bannatyne: we’ve seen attacks from things that are not even
    computers today.  For example, things
    like the air conditioning units can be seeded with threats today as they have
    connectivity to systems.  We also don’t
    have proprietary platforms anymore. 
    Think of all the iPhones in this room that have internet connectivity
    for example.  They are all potential
    threats to the system, and we have more connectivity today than we’ve ever had
    before. This massive connectivity creates massive exposures and risks, but you
    have to manage those.   We monitor for
    phishing 24 hours a day and in Australia it’s far easier than say, in the USA,
    as we have just four banks so if you send out a phishing email you have a 25%
    chance of hitting the customer with the right bank.

    Clancy:  It’s like
    football, where the ball represents information.  Your team can only win if you have the ball
    and score, and we are now very conscious that we need to have that ball and
    keep it.

    Bannatyne: the trouble is that there’s more than one ball.


    Sherif: In 2007 we were sharing five threats a month in the
    US bank community whereas, today, it’s around five attacks a day.

    Bannatyne: the issue is that law enforcement is based upon
    geographic location, but these attacks are not coming from our geography.  We get attacked at 3 o’clock in the morning
    from Russia, and the Australian system cannot deal with that.  We’re also moving from two factor to three
    factor authentication, using voice verification on top of text message for one
    time passwords.  This is to add to our
    SMS One Time Passwords (OTP).  SMS OTP
    was introduced in 2004, but recently has been compromised by criminals gathering
    enough information about people using social engineering and phishing, and then
    taking over the person’s telephone number. 
    So when we text the phone it gets diverted to the man in the middle but
    it was a good system for eight years which, in today’s world, is pretty
    good.  And we have fixed it by using a
    fraud analytic to study the behaviour of response to the text message OTP along
    with adding voice verification,  so it’s
    not completely broken.

    Sherif: there’s a tension between security and access.  Customers don’t like added security measures,
    such as OTP tokens, but we have to explain that it’s for their protection and
    communicate that better.  It’s also a
    service based view.  For example, as I
    checked in to the hotel here I got a call from my bank saying that the card was
    being used in japan and am I really there. 
    This was at the checkin desk in real-time and that reassured me that the
    service is good.

    (note: my bank just blocked
    the card after I echekd in so I had to call the bank at my cost)

    Clancy: the issue here however is that the more you have to
    pay to minimise fraud and deliver good service, the higher the transaction cost
    to the customer.  And for us, the issue
    is that you can see a missile when it’s fired against you.  You can track where it came from. In
    cyberspace you cannot,  you have no idea
    who launched the missile or from where.

    Bannatyne: the issue about cost is more to do with who pays
    when there’s a compromise.  Historically,
    it has been the banks but the weakness is the customer, and so the question of
    who pays will change.  We will see more
    instances in the future where the customer pays.

    Clancy: it’s a matter of customer education.  Customers know that to walk down a small,
    dark alley in a bad part of town at night is risky, but if it’s a wide road on
    a sunny day it’s probably ok.  We need to
    provide those skills for their online bank usage, so that they can make this risk
    assessment themselves and stay on the sunny side of the street.

    Bannatyne: you don’t pay people anymore, you just pay bank
    account data, so that’s another part of the risk chain.

    The panel then opened
    to questions and one was about sanctions, AML and fraud which garnered this
    response from David Bannatyne

    We have saved our customers $1.5 million in the last 18 months
    because we see suspicious transactions being made to certain counterparties.  For example, dodgy investment schemes that
    promise 25% returns or more, that we know are scams from the bank target
    details where the payment is being made. 
    As a result, we stop the payment and call the customer to say you’re
    making a $25,000 payment to this bank account and are you aware it’s a dodgy
    scheme.  We expect you’ve been cold
    called by these guys offering a good return on a biotech or similar investment
    and you will lose this money if you go ahead. 
    That’s a great conversation to have with a customer because we are demonstrating
    value add and, as a result, this scheme now asks people who they bank
    with.  That’s because they want to know
    if its with NAB.  If the answer is yes,
    they say to them that we’re a bad bank and notoriously slow in making
    payments.  Not surprising really.

    A good panel debate and now off to the plenary ….

    About Chris M Skinner

    Chris M Skinner
    Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News. To learn more click here...

    Check Also


    The Monetary Authority of Singapore: keeping up with the Bank

    Yesterday I blogged about the flagship lead of the Bank of England to support innovation …

    One comment

    1. “CHEW – Criminals, Hactivists, Espionage and War”
      Shouldn’t it be CHEWIE?
      Criminals, Hactvists, Espionage, War, Incompetence, Employees?

    Click on a tab to select how you'd like to leave your comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *