Another major focal point of the debate last week was
information security, something that I presented on in depth. My tenet is that banks should place themselves
firmly at the heart of information security and offer customers a secure data
The bankers' reaction to this is: doesn’t that make us a target for hackers,
and yes, that’s the exact point. Banks should
beat the hackers at their own game and make bold claims like: we guarantee your money and your data are 100%
safe with us. After all, if banks don’t
do this, who will?
The answer came from another respondent in the financial audience
from a major global bank: we are not
positioned to do this, we do banking. You
should leave secure data management to people who know how to do this, like
Google and Facebook and PayPal.
Oh dear. Let’s just
give the whole game away to someone else shall we?
Anyways, I won’t bang on about that too much, as I’ve done
so already, but it’s a very short-sighted banker who thinks that letting others
securely manage data whilst they just focus upon managing money is a long-term
But it is a serious issue, with €1.5 billion stolen in just
the European Union in 2011 through card fraud, 60% through Card Not Present (CNP)
fraud, according to the European Commission.
So what can banks do about it?
This question was answered firmly by Tavlaş Tolga, Vice President
of Internet and Mobile Banking for Yapi Kredi Bank, the Turkish subsidiary of
Unicredit Bank (ed: another Turkish Bank?).
Tavlaş picked out a few key instructional videos to use in
The first I loved. It’s
an advert for being safe online that was promoted in Belgium through the SafeInternetBanking.be campaign that shows Dave, an extremely gifted clairvoyant, freaking out
innocent victims in a demonstration of David Copperfield levels of mind
Well worth a watch (and a steal maybe).
The second came from Trend Micro and shows cybercrime
activity in the mobile world, and is less entertaining but equally
I liked both videos, as they show our insecurities, but what
are the solutions to insecurity?
All things that have dissipated when even the Federal
Reserve can be hacked.
It was this point that got the hackles up of my banking friend,
who asked me: how can we claim to be
bulletproof, when even the Federal Reserve isn’t?
I couldn’t help but think maybe he’s right, but he’s not.
After all, the point of banks is to be secure and the
Federal Reserve is more like a Government Agency than a bank.
Note that the Fed is actually a hybrid of the
two, as it’s a Central Bank run by the Government of the United States as a
Private Entity, not as a government department.
So I hark back to more competitive commercial entities like
the New York Stock Exchange and still remember Steve Rubinow, EVP and CIO at
NYSE Euronext, talking at a conference a few years ago about the US Department of Defence being attacked by the Chinese (was it
really?) and compromised, along with other government departments, but their
systems deflected such hacktivism.
So it can be done, can’t it?
Either way, the Europeans have responded by creating a new
division called EC3, the European Cybercrime Centre at Europol, and Paul Gillen, Head of Cyber Operations, provided a bit more background about their remit and charter.
The EU has had some form of activity to focus upon
cybercrime for years, but this is now a consolidated unit explicitly mandated to
tackle the areas of cybercrime:
- committed by organised groups to generate large criminal
profits such as online fraud;
- which causes serious harm to the victim such as online child
sexual exploitation; or
- which affects critical infrastructure and information
systems in the European Union;
… and launched on 1st January 2013.
The unit was created in recognition of the fast rise of new forms
of crime, and the ease with which it virally circulates. For example, 2011 saw Android mobile threats
grow from zero to 450,000 distinct attacks in just one year, according to Trend
Micro, who partner with EC3.
The fact is that we will always have criminals after where
the money is and, today, the money is in the data.
That brings me back to banks having to step up to the secure
data challenge and it will disappoint me immensely if they don’t.
Now I could make this blog a lot longer by getting into
issues of identity management, hacktivism, Anonymous, WikiLeaks and more, but I’m
going to leave it there for the moment as I have a day job to get back to.