The security of the banking and financial system is increasingly being put to the test, with cyberattacks increasing in number and sophistication. Between protective solutions and new legislation, is the industry ready to fight on all fronts?
Last February, several Dutch financial institutions announced that they had been targeted by a distributed denial of service (or DDoS) attack that paralyzed most of their banking services. At the same time, a report published by the Central Bank of Russia revealed that since 2016, hackers had stolen nearly €5 million using the interbank communication network Swift.
Even more impressive: In 2016, cybercriminals were able to make off with a record $81 million from the Central Bank of Bangladesh. And the list of "cyber bank robberies" is even longer...
Banks: A choice target that needs top-level protection
In recent years, the banking industry has become a target of choice for cybercrime. That's no surprise, according to the Chief Information Security Officer (CISO) of a major French bank, who prefers to remain anonymous: "Using the Internet as a 'fund transfer network' naturally exposes the banking industry more than other sectors. And it whets the appetite of the new wave of robbers."
Due to this very high risk situation, in 2013, the largest French banks were classified as Vitally Important Organizations (OIVs) under the Military Planning Law (about which more below).
Human, software, or hardware: Hackers can seize on any weak point
According to the adage that Most IT problems are located between the keyboard and the chair, cybercriminals have particularly targeted bank employees, as seen in the Carbanak case in 2015. A group of criminals was able to infiltrate the workstations of employees at roughly a hundred banks in more than 30 countries, including France, through personalized emails (known as "spear phishing"). These emails enabled the hackers to crack into financial institutions' IT systems by installing backdoors. These access points, unbeknownst to the user, allow secret entry into the victim's workstation or software, making it possible to monitor its activities or take control of it.
Hackers seem to be endlessly inventive, and their methods vary. "Jackpotting", for example, involves emptying out ATMs with just a USB key and a computer. In 2017, eight machines at two Russian banks were robbed clean this way in just one night, with the loot estimated at $800,000. It nearly happened again in France, in early 2018, when a hacker was caught in the act of infiltrating a Caisse d’Épargne ATM. He had already stolen more than €20,000.
ATMs may also be the target of malware (malicious software). The most famous ones, like Alice and Ripper, can be installed over the network that the machine is connected to, or directly onto its operating system using a USB port. The famed cybercrime group Cobalt has stolen an unknown amount of funds by this method since 2013 from a dozen European countries.
Another method used: Skimmers. These physical devices copy the information on users' bank cards (the former mimic the exterior of the machine, and the latter are inserted into the ATM's card reader).
Backdoors are the ones that banks are most worried about
Annick Baudet, Senior Account Manager at Stormshield
"Of all of these methods, it's unquestionably backdoors installed by cybercriminals that have banks the most worried", explains Annick Baudet, Senior Account Manager at Stormshield, "because this sort of method has the potential to open the door to their IT systems on a massive and persistent scale." Hence the need for banking institutions to have sophisticated protective mechanisms. These include dual firewalls: Using different technologies substantially increases the chances of detecting malicious flows of data. These solutions make it possible to isolate the bank's IT system, by placing mechanisms between it and the Internet to check that the data flows are compliant.
Standard regulations to protect the banking sector
Faced with this threat, institutions are taking action. In France, the Autorité des marchés financiers (AMF) and the Agence nationale de la sécurité des systèmes d'information (ANSSI) announced an expanded partnership in the field of protecting information systems in February. The ANSSI and Autorité de contrôle prudentiel et de résolution dans les secteurs de la banque et de l'assurance (ACPR) signed a similar agreement. These two agreements call for a regular exchange of information regarding incidents that affect information security systems, as well as collaboration in managing any information security crises that may arise.
Regulation is also being stepped up. Three significant legal texts are now mandatory:
- the second payment systems directive (PSD2), which entered into force in January 2018.
- the European General Data Protection Regulation (GDPR), which institutes security requirements for businesses beginning in May 2018.
- the Network and Information Security directive (NIS) of the European Union, which will require Member States to have national authorities with jurisdiction over cybersecurity and to strengthen the security of their essential service operations. After coming into effect this year on May 9, Member States will have six months to select their operators.
In addition to these various regulations there are texts already in effect, such as the PCI DSS standard (Payment Card Industry Data Security Standard) for bank card data protection, or others that are in the works, like the Customer Security Programme (CSP) supported by Swift.
Not to mention more "opportunistic" initiatives like FIDO (Fast Identity Online), a strong authentication protocol for online payments supported by major companies (Google, Microsoft, Amazon, Samsung, Lenovo, Gemalto, etc.) that want to make it the market standard in time for the arrival of PSD2 in Europe.
The LPM cleared the field
The Military Planning Law (LPM), passed in 2013, was an opportunity for France to gain ground over certain other countries by strengthening the information security of "Vitally Important Operators" (OIVs), organizations whose activities are essential to the population. Twelve business sectors were identified as such, including the banking sector. Special attention must be given to the security of these OIVs' IT systems. Between dual firewalls and qualified solutions, the ANSSI in early 2018 published a best practices guide for OIVs for setting up their protection solutions.
Security gaps and lack of human resources at banks
Within this ultra-regulatory environment, a study conducted by Accenture Security in 2016 revealed that nearly 10% of bank IT budgets were devoted to cybersecurity. However, according to the consulting giant, the subject is still far from being seen as a priority. This is particularly reflected in an in-house skills deficit, both for managing the security of sensitive applications or customer data, and for carrying out awareness actions and internal training.
"We are witnessing a genuine paradox: Even as information systems are increasingly complex, with operating loads that never stop growing, the banking industry, like many others, is paring back on in-house staff", observes Annick Baudet.
A delicate balance between maximum security and user experience
However, the entry into effect of PSD2, which is heralding the development of open banking (open access to third-party accounts), will require greater security measures. One of the challenges will be to ensure stronger authentication for customers, which is still simple enough to not drive them away, using ergonomic, efficient interfaces. "For banks, it's a challenge of scale, combined with other major issues like LPM. It's therefore essential for them, given the challenges, that they get assistance", concludes Annick Baudet.