The Bank of England (BoE) is warning that cyber-attacks by rogue states could corrupt the records of high street banks and other financial institutions – possibly over a period of months.
The risk is probably too big for individual banks to address on their own, a senior BoE official said this week.
The security services have warned about the risk of cyber-attacks by China and Russia, and the BoE has urged banks to strengthen defences and backup readiness to avoid disrupting one of the world’s leading financial centres.
Banks have focused mainly on stopping service outages, but falsified account and transaction records are an even bigger danger.
Under their current cyber posture, damage to bank record data would be difficult to unpick, as it would be hard to say which records were accurate and which had been corrupted. Undertaking a system restore could end up restoring bad data.
Financial institutions have spent too much time and resource focusing on IT dangers that would (further) damage brand reputation, BoE says, rather than co-operating on systemic threats.
For example, the BoE believes banks are too reliant on a small number of cloud providers for key IT services.
It’s also keeping a close watch on Facebook – which plans to launch a digital currency and payment service for users this year.
Given Facebook’s well-earned reputation for terrible data security, the BoE is watching closely in case it rapidly gains market share in UK banking services.
Where the money is
Banks are a prime target for cyber criminals. With cyber-conflict between governments hotting up, it’s not hard to imagine why state-sponsored hacking groups would turn their attention to them.
Banks are critical infrastructure; they’re also where everyone’s money is kept. Banks release money for buying the things we need, and keep track of who owes what to whom. Damaging their records could inflict huge uncertainty and disruption.
The range of threats against their systems is rapidly evolving, even while the number of attacks spikes upward.
Despite some sharply negative market reaction to high-profile hacks, and big investments in the latest cyber kit, the financial services industry still accounts for 35% of all data breaches.
With all the negative publicity around the IT outages big banks continue to struggle with, improving cybersecurity is an industry priority. But the sector’s security worries keep getting worse.
Breaches in financial services are on the rise
The number of successful attacks on UK financial services firms rose by 480 per cent last year – up to 145 from just 25 in 2017.
Retail banking saw the biggest increase, rising to 25 in 2018 from just one in 2017.
Seven UK banks were forced to shut down their systems last year after attacks that cost hundreds of thousands of pounds to fix.
Some of the biggest names were affected including RBS, Santander and Barclays.
A changing threat landscape
State-backed hacking groups and cybercriminals are perfecting new tools to get at the customer data held by banks. The arsenal of tools is expanding, and they’re looking for new targets.
According to analysis by Kaspersky, both groups are still very focused on banks, but are also identifying vulnerabilities in the systems of fintech companies, cryptocurrency exchanges, point-of-sale terminals, and ATMs.
Fintechs and crypto exchanges are thought to be vulnerable because their systems are new and ‘immature’ in cybersecurity terms.
Whether the objective is damage and disruption, or simple greed, familiar attack vectors in banking continue to be effective:
Phishing
Kaspersky says more than a third of phishing campaigns are aimed at banking customers. Banks and other financial institutions hold our money and provide us with credit. Cybercriminals rely on this trust relationship to fool customers into revealing login credentials, payment card details, and other personal data.
Identity theft
Whenever there’s a large-scale data breach, much of the hijacked personal information finds its way onto the dark web. It’s then traded and appended to other data acquired from other breaches. Once all the dots have been connected, cybercriminals can clone the identity of individuals and take over their financial accounts. Whenever a customer creates a new bank account online, banks need to confirm they are who they claim to be.
Faked identities
Synthetic identity theft (or synthetic fraud) happens when attackers build a fake identity using various pieces of real and fictitious information — such as a National Insurance Number, date of birth, address, phone number and email. The immediate victim is the bank or lender, but the person whose credentials have been mis-used will have to deal with the impact of the fraud.
Authorised Push Payment Scams
An APP scam is where a customer is tricked into making a financial transaction with a fraudster posing as someone else. The attack uses social engineering tactics as well as email. The victim will typically receive an invoice for a service they use which they unwittingly pay. The new ‘Faster Payments’ system has actually facilitated this kind of scam – as crooks receive the cash quickly, then disappear.
Closing the data vault
Human error enables more banking breaches than it should. But even the best scams have telltale signs that are detectable when people have been taught to spot them.
As banks try to get to grips with an expanding array of cyber enemies, they can build more resilience into their defence posture through effective security training and by creating a culture of security awareness.
Banks and cyber-thieves are locked in a long-term battle where the rules of engagement change from week to week.
Until someone creates a virtual safe-deposit box that finally makes networks impenetrable, treating cyber risk as a daily management challenge – and enlisting employees to help – is the safest route to secure systems.