Are cyberthreats really a threat?

After a typical SIBOS evening – oh, Sake – woke up to
a typical SIBOS morning with coffee from Franco, HSBC’s resident barista
coffee maker.

Yowza!

Then into the first session of the day about cyberwars – are
they a real threat? 

Ably chaired by Paul Taylor, Technology and Telecoms Editor
with the Financial Times, the panle comprised:

• David Bannatyne, Executive GM, Banking &
  Payments Systems, National Australia Bank;
• Mark Clancy, MD, Technology Risk Management,
  DTCC; and
• Srood Sherif, Group Chief Information Officer,
  National Bank of Abu Dhabi;

the debate went something like this (not quotes, but my
highlights):

Bannatyne: we’re at risk 24 hours a day, no longer from 9
till 5.

Clancy: it’s a risk that needs to be managed and comes from
four constituencies that can be summarised in the acronym CHEW – Criminals, Hactivists,
Espionage and War.

Sherif: the issue is not just getting at our information but
the market for the information you get – it’s far more insidious these days.  Gangs sell to other gangs.  Further issues can be politically
motivated.  For example we had a hacker
group in Saudi who claimed they had gained access to financial information in
Israeli accounts, and so the Israeli hackers attacked the Saudi and related
banks, like ours. We get attacks thousands of times a day.

Clancy: We had many Distributed Denial of Services (DDoS)
attacks in Q4 in the USA.  The CEO of PNC
Bank said that they were pummelled for 36 hours nonstop and the effect is that
people can reach out and attack you from the other side of the planet and cause
a significant impact.  We also used to
see DDoS attacks from consumer systems, but the attacks more recently are from
colocation centres, which have higher bandwidth and are therefore far more
onerous.

Bannatyne: we’ve seen attacks from things that are not even
computers today.  For example, things
like the air conditioning units can be seeded with threats today as they have
connectivity to systems.  We also don’t
have proprietary platforms anymore. 
Think of all the iPhones in this room that have internet connectivity
for example.  They are all potential
threats to the system, and we have more connectivity today than we’ve ever had
before. This massive connectivity creates massive exposures and risks, but you
have to manage those.   We monitor for
phishing 24 hours a day and in Australia it’s far easier than say, in the USA,
as we have just four banks so if you send out a phishing email you have a 25%
chance of hitting the customer with the right bank.

Clancy:  It’s like
football, where the ball represents information.  Your team can only win if you have the ball
and score, and we are now very conscious that we need to have that ball and
keep it.

Bannatyne: the trouble is that there’s more than one ball.

Sherif: In 2007 we were sharing five threats a month in the
US bank community whereas, today, it’s around five attacks a day.

Bannatyne: the issue is that law enforcement is based upon
geographic location, but these attacks are not coming from our geography.  We get attacked at 3 o’clock in the morning
from Russia, and the Australian system cannot deal with that.  We’re also moving from two factor to three
factor authentication, using voice verification on top of text message for one
time passwords.  This is to add to our
SMS One Time Passwords (OTP).  SMS OTP
was introduced in 2004, but recently has been compromised by criminals gathering
enough information about people using social engineering and phishing, and then
taking over the person’s telephone number. 
So when we text the phone it gets diverted to the man in the middle but
it was a good system for eight years which, in today’s world, is pretty
good.  And we have fixed it by using a
fraud analytic to study the behaviour of response to the text message OTP along
with adding voice verification,  so it’s
not completely broken.

Sherif: there’s a tension between security and access.  Customers don’t like added security measures,
such as OTP tokens, but we have to explain that it’s for their protection and
communicate that better.  It’s also a
service based view.  For example, as I
checked in to the hotel here I got a call from my bank saying that the card was
being used in japan and am I really there. 
This was at the checkin desk in real-time and that reassured me that the
service is good.

(note: my bank just blocked
the card after I echekd in so I had to call the bank at my cost)

Clancy: the issue here however is that the more you have to
pay to minimise fraud and deliver good service, the higher the transaction cost
to the customer.  And for us, the issue
is that you can see a missile when it’s fired against you.  You can track where it came from. In
cyberspace you cannot,  you have no idea
who launched the missile or from where.

Bannatyne: the issue about cost is more to do with who pays
when there’s a compromise.  Historically,
it has been the banks but the weakness is the customer, and so the question of
who pays will change.  We will see more
instances in the future where the customer pays.

Clancy: it’s a matter of customer education.  Customers know that to walk down a small,
dark alley in a bad part of town at night is risky, but if it’s a wide road on
a sunny day it’s probably ok.  We need to
provide those skills for their online bank usage, so that they can make this risk
assessment themselves and stay on the sunny side of the street.

Bannatyne: you don’t pay people anymore, you just pay bank
account data, so that’s another part of the risk chain.

The panel then opened
to questions and one was about sanctions, AML and fraud which garnered this
response from David Bannatyne

We have saved our customers $1.5 million in the last 18 months
because we see suspicious transactions being made to certain counterparties.  For example, dodgy investment schemes that
promise 25% returns or more, that we know are scams from the bank target
details where the payment is being made. 
As a result, we stop the payment and call the customer to say you’re
making a $25,000 payment to this bank account and are you aware it’s a dodgy
scheme.  We expect you’ve been cold
called by these guys offering a good return on a biotech or similar investment
and you will lose this money if you go ahead. 
That’s a great conversation to have with a customer because we are demonstrating
value add and, as a result, this scheme now asks people who they bank
with.  That’s because they want to know
if its with NAB.  If the answer is yes,
they say to them that we’re a bad bank and notoriously slow in making
payments.  Not surprising really.

A good panel debate and now off to the plenary ….