Ransomware threat tests banks’ resilience to cyber crime

The financial services industry may have better cyber defences than most but they can still be breached, as demonstrated by numerous high-profile cases.

These include Travelex, the UK foreign currency dealer, which was infected with ransomware on New Year’s Eve 2019, and forced to take its systems offline for weeks to prevent it spreading; and UniCredit, Italy’s largest lender, which had a file containing details of three million customers illegally copied in October that year.

Meanwhile, Capital One, the US banking and payment card giant, was fined $80m by the regulators in August 2020 for poor controls that allowed a hacker to steal the details of 106 million credit card customers and applicants in July 2019.

Range of threats

So who are the perpetrators and what should banks be doing to improve their cyber security and resilience?

Attacks come from a wide variety of ‘threat actors’, according to Jenny Menna, deputy chief information security officer (CISO) at US Bank. “Banks have always been targets for criminals. The old saying ‘Why do people rob banks? Because that’s where the money is’, was true in the stagecoach days and it is true today as we evolve into our digital interactions with customers,” she says. 

“Banks are also targeted by hackers and hacktivists of various stripes. And they face nation state attacks such as distributed-denial-of-service [DDoS] attacks in response to sanctions, or from state adversaries that are interested in everything from intellectual property to raising funds to support their regimes.”

Ransomware is one of the main evolving threats. Banks are good at warding off such attacks, but many of their suppliers and customers can be more vulnerable. “Ransomware has been around for a long time, but this is not old school ransomware, it’s more sophisticated and targeted,” says Ms Menna.

Should ransoms be paid? She is circumspect: “When we get asked that question, we refer people to their counsel and law enforcement. The guidance on that may have evolved.”

Phishing trips

Although criminals have used the Covid-19 pandemic to devise new ways of getting bank staff and customers to fall for phishing emails – fraudulent messages designed to get the recipient to reveal personal financial information – there has not been a significant increase in their success among large financial institutions like US Bank. Nor have large numbers of staff working from home resulted in any serious breaches.

“We already had a large work-from-home footprint at the bank and were able to carefully and quickly expand this,” says Ms Menna. “We have seen phishing lures related to the pandemic that target people’s fears and doubts, but they’re like lures related to the Super Bowl or other big events.”

There have been many “business email compromise” cases where a fraudster pretends to be a member of staff working from home during the pandemic and sends an email to a genuine staff member asking them to transfer funds. “These are not unusual or sophisticated frauds,” says Ms Menna. “They’re just leveraging Covid-19 to create a slightly different flavour.”

Building security into every part of the bank from the outset is essential. US Bank’s security risk and technology consulting team is staffed by business information security officers that partner with the IT departments and business lines to make this happen.

It is also essential for banks to run simulated attacks, to test security and resilience. “Unless you actually practise and exercise you are not going to know what you don’t know, so we have a strong multifaceted exercise programme,” says Ms Menna. “This includes ‘red-teaming’ our defenders with whatever the latest threat actor techniques are.”

Red-teaming is a wargaming concept, whereby an offensive ‘red team’ of bank staff launches a simulated attack against a defending ‘blue team’ to test the bank’s defences. Experienced external consultants – including ethical hackers – often join both sides to make the exercise more realistic.

To pay or not to pay? 

Sandro Bucchianeri, group chief security officer of Absa, South Africa’s third largest bank by Tier 1 capital, believes the fundamental nature of the cyber threats facing banks and their customers has not changed since the Covid-19 pandemic, though the methodology and frequency of some threats have. “The top three threats are the same as before: phishing, malware or ransomware, and data leakages,” he says.

“The common practice 99% of the time is to never pay a ransom because there is no guarantee you will get your data back, your network unlocked, or whatever the case may be. Plus, if you have a good back-up of your data, you can recover it that way.”

With so many bank staff working from home during the Covid-19 pandemic, Mr Bucchianeri and his team have been drilling them on the importance of security. “We make sure they know what the security procedures are, and how to protect data on their laptops by encrypting them, controlling access to them, making sure they have virtual private network access, and those kinds of things.”

As for the cyber security personnel themselves, managing them has not been that different from before. “We already had dispersed teams,” he says. “I am based in Cape Town, most of my staff are based in Johannesburg and we have held virtual meetings for a long time.”

Absa has created a series of short educational videos for staff and customers called “Into the breach”, fronted by comedian Alfred Adriaan, who delivers various security awareness messages in a humorous way.

A shift in emphasis has taken place in banking, as in other industries, from cyber security to the broader concept of cyber resilience. An effective cyber strategy is not only about businesses improving their cyber security to prevent and detect attacks but also about improving cyber resilience so they can respond to and recover from breaches quickly, and learn from the experience. Absa takes this broader approach, says Mr Bucchianeri. “My role as chief security officer is to look after three areas holistically: the physical security world, the cyber security world and the resilience world.”

Main challenges

Dr Igor Podebrad, group CISO of Commerzbank, says the three main cyber risks facing the German lender are: the high level of phishing attacks eroding the customer’s trust in the banking system; the challenge of DevOps (the set of practices that combines software development with IT operations) to deliver and run mature systems in a secure environment; and the rising complexity of supply chains, including cloud computing services, which increases the attack ‘surface’ and concentration risks.

“Although we have not seen an increase in the number of Covid-19-related cyber attacks against the bank, there has been an increase in attacks on individuals,” says Mr Podebrad. The key to ensuring cyber security for Commerzbank during the pandemic has been “close, transparent communication and awareness measures with customers, as well as with all employees, management, regulators and other banks”, he adds.

Semih Dilmen, chief information risk officer at Akbank, one of Turkey’s biggest banks, agrees that phishing, ransomware, DDoS, data leakage and defrauding customers are among the main threats, and stresses the risks posed by third-party suppliers.

“Poor management of security vulnerabilities inside these companies might also constitute a cyber threat for banks,” he says. Suppliers could be the weakest link in an otherwise robust security posture.

Sharing intelligence

Information sharing is an essential part of cyber security, and the more formalised and systematised the better. The Financial Services – Information Sharing Analysis Centre (FS-ISAC) is dedicated to sharing critical information among financial institutions. Created in 1999, it is an industry consortium headquartered in the US, with offices in the UK and Singapore and nearly 7000 member financial institutions and users in 70 countries.

“We started monitoring Covid-19 in January in Asia, and as it spread to Europe and then the Americas we were worried the cyber threat was going to explode because of so many people working from home,” says Teresa Walsh, FS-ISAC’s global head of intelligence. “In March, across the board, a lot of the phishing lures – the subject lines to get people to click on phishing emails – changed to Covid-19. Everything was about coronavirus. However, the level of threat did not increase straight away.

“Then, in April and May, we saw a rise in the levels of phishing reported by members, about 15% up on the previous months. Now, in June and July, it has decreased to previous levels.” Importantly, throughout the same period, there was no increase in breach rates in the financial sector due to phishing.

However, what has increased is fraud related to the US Coronavirus Aid, Relief and Economic Security Act, says Ms Walsh. This was passed in March to provide a $2200bn stimulus to the domestic economy, and is providing rich pickings for online fraudsters.

FS-ISAC facilitates information sharing and analysis through email, briefing calls and a portal. In April, it launched Intelligence Exchange, a new way for members to securely log in and use multiple applications. “The Intelligence Exchange had been planned for a while, but when the pandemic hit we decided to accelerate its launch,” says Ms Walsh. “It is comprised of several applications, including ‘Connect’ and ‘Share’.”

Connect is a secure chat capability for real-time communication between members, enabling industry collaboration with dedicated discussion threads based on topics and communities of interest, while Share is used for detailed threat intelligence sharing. It provides access to “actionable intelligence” that members can customise and embed in their institutional processes and environments, both manually and automatically.

Back-up protection

FS-ISAC also runs Sheltered Harbor, a not-for-profit subsidiary designed to protect customer account data if a catastrophic cyber attack or other event causes a firm’s systems to fail and data to be compromised.

Every night, participants transfer critical customer account data into a data vault that meets the Sheltered Harbor standards. Each institution carries out the back-up itself or chooses a service provider, using a vault of its own or that of a technology provider. Key requirements are that the vault must be separate from the institution’s IT infrastructure, including all other back-ups, and the data must be encrypted and unchangeable. If the institution suffers a cyber attack or IT failure the data is safe, and by activating a “resiliency plan” it can be quickly recovered from the vault to give customers access to their funds.

Sheltered Harbor has 130 participating financial institutions, which collectively hold 72% of all US deposit accounts and 71% of all US retail brokerage assets. “Our focus is on the ability of financial institutions to respond after a cyber breach and to maintain public confidence,” says Carlos Recalde, president and chief operating officer of Sheltered Harbor.

Dell Technologies is the first technology solution provider in the Sheltered Harbor alliance and is in the process of providing vaulting technology to a number of participants. “Participants can deploy our solution to vault their Sheltered Harbor data and keep it safe from attack,” says Jim Shook, director of the cyber security and compliance practice at Dell Technologies. “If there is a successful attack and their production data is encrypted or destroyed, the Sheltered Harbor data set in the vault enables them to quickly provide basic services to their customers.”

Government support

Governments around the world are helping banks and other organisations become more cyber resilient. The lead body in the EU is Enisa, which was created in 2004 as the European Network and Information Security Agency. Following the EU’s Cyber Security Act, which came into force in June 2019, Enisa was given a bigger role and renamed the European Union Agency for Cybersecurity, though it keeps its original acronym.

Its increased responsibilities include:

• setting up and running an EU cyber security certification framework for IT products (such as semiconductors); IT services (such as cloud); and IT processes (such as information security methods);
• helping EU bodies and member state public entities and private companies become more cyber resilient; and
• supporting the coordination of responses to large scale cyber attacks and crises, where two or more member states are affected.

“We started work on the certification framework last summer,” says Enisa executive director Juhan Lepassaar. “One of the first steps was to set up an ad hoc working group to develop common criteria based European candidate cyber security certification scheme, which builds on the existing schemes operating under the Senior Officials Group Information Systems Security Mutual Recognition Agreement.”

Critical co-operation

Coordination between businesses and government agencies, at national and EU level, is the key to better security and resilience. “It’s important that all sectors of the economy take their responsibilities seriously; Enisa cannot do it alone,” says Mr Lepassaar.

“Cyber security is not just a technology matter. It’s a core business issue, a question of whether your business will be operational or not in the future,” he adds. “We don’t want to see any fragmentation in how businesses manage their cyber security. We want to see co-operation on how they mitigate risks, how they respond to breaches and what tools are used. We want to push sectors to do more on cyber security, but in a way that is more co-operative, rather than everyone doing it in their own corner.”