Cyber crime is a critical issue for global transaction services, with banks and their clients increasingly under attack. As cyber criminals evolve ever more sophisticated techniques, banks have a new tool in their arsenal: information sharing. But just how successful is it?

Cyber crime is rising and the types of threats are increasingly pernicious. While global transaction services have so far been able to defend themselves against serious attacks, their focus is now turning to another weapon they can use in the war against cyber criminals: information sharing. 

“The bad guys have multiple targets who do not talk to each other,” says John Lyons, chief executive of the newly launched International Cyber Security Protection Alliance (ICSPA), adding that if banks do not share information more widely, they will be exploited by cyber criminals who “feed on the banks' unwillingness to talk to each other”.

Banking executives have typically been reluctant to comment on cyber security, as admitting weaknesses could dent the trust of their customers. Either that, or claiming that their systems are secure could be perceived as a challenge by the cyber criminal community. 

Data pool

Now, however, the attitude has changed to one of openness and willingness to pool data. In terms of the industry sharing information on cyber crime, “it’s the best it has ever been”, says Sean Croston, who oversees security, risk and infrastructure for the client access group at JPMorgan Treasury Services. 

The rise in crime is in part due to the changing nature of the business; more transactions are done online and the points at which the services can be attacked have increased, whether it is through an online treasury portal or mobile authentication, for example. 

It is the high-value accounts of corporations that are now being targeted by criminals motivated by financial gain. Detecting such attacks has become even more difficult as the perpetrators are becoming more sophisticated in their organisation and are using increasingly advanced tools. “The technology being developed is more sophisticated and more readily available,” says Mr Croston.

He adds that in the past criminals may have attempted all parts of a cyber operation themselves. These days, however, there is a division of labour and each part can be outsourced to specialists. The malicious code can be written by someone outside the criminal gang and the software can be bought for a few hundred dollars. In terms of cashing out the crime, networks of money mules are recruited by seemingly legitimate businesses that dupe them into transferring the stolen funds via their own accounts into the hands of criminals. 

A sophisticated approach

There has been a move away from the scatter-gun approach of targeting consumers and their individual bank accounts in phishing attacks, where the scammer masquerades as the bank to acquire sensitive user information. Now there are more sophisticated spear phishing attacks that are highly targeted and use social engineering techniques to trick those with the credentials to move large sums of money into installing malware onto their computers. Once the computer is infected the program can detect bank account and log-in information.

This is the modern-day cyber equivalent of a bank job, with criminals conducting detailed surveillance on a company before they strike. The sums involved can be huge, as was the case in late 2010 when Condé Nast reportedly transferred $8m to a spear phisher who was impersonating one of the company’s suppliers.

Uri Rivner, head of new technologies, identity protection and verification at security firm RSA, says that the industry is well-equipped to deal with phishing and there has also been a lot of investment to prevent fraud in e-commerce. 

Ideological motives?

However, new types of cyber crime are now emerging that are not necessarily financially motivated. Incidents that focus on attacking the bank’s network have become a problem, such as denial-of-service attacks whereby customers cannot access services such as checking their account balance or making payments. 

So-called 'hacktivist' groups, such as Anonymous and LulzSec, have become visible for this kind of attack in recent months, disabling the websites of major companies or government agencies either for fun or to make an ideological point. In December 2010, for example, Anonymous targeted the websites of Visa, MasterCard and PayPal to avenge their refusal to accept payments to support WikiLeaks. Such attacks are high-profile and disruptive; more recently LulzSec claimed the credit for disrupting the US Central Intelligence Agency's website.

In some cases this kind of disruption, through distributed denial-of-service attacks, has been attributed to nation states, although it is often difficult to assess whether such attacks were state-sponsored or were the work of an individual working alone from their bedroom. 

South Korea attacks

In March 2011, a number of governmental websites were targeted in South Korea in distributed denial-of-service attacks whereby the websites were overloaded with information causing them to cease to function. While being unable to access a website may be inconvenient, more serious was the attack on the National Agricultural Co-operative Federation, known locally as Nonghyup, the following month.

The bank’s network was attacked, paralysing its systems for two days. Customers were unable to withdraw cash at ATMs, check their accounts online or make payments. Approximately 5 million credit card accounts were affected, with reports that some data could be permanently lost. At first the bank’s IT department was blamed for the attack, which was launched from a contractor’s laptop. Since then, however, Seoul prosecutors have been reported as saying that North Korea was to blame and had hacked into the bank’s system to take control of the zombie laptop. 

The attacks in South Korea were unusual in that they were highly sophisticated but were done with no obvious gain. A report by McAfee argues that the attack is “analogous to bringing a Lamborghini to a go-cart race”, and suggests that such attacks were done to test the response capabilities of South Korea. 

So far evidence that the attacks were sponsored by the North Korean state has not been made publicly available, but experts argue that the North Korean government does have such capabilities. Such incidents highlight the need for the banking community to share information about cyber crime on an international scale. 

Stealth attacks

There is a lot of noise and disruption around this type of denial-of-service attack, but what is perhaps more worrying are the attacks that go unnoticed. 

Stealth attacks, where systems are compromised, can be undertaken by nation states or terrorist groups as a means of gathering intelligence that can be used at a later date. Mr Rivner notes that it is not just banks that are at risk; large corporations are targeted by groups looking to infiltrate and collect data.

Aside from warfare between nation states moving into the cyber sphere, stealth attacks are also being undertaken by criminals looking to steal intellectual property for their own gain or to sell it on. Banks are a particular target for terrorist or state-sponsored attacks because they are a critical part of the national infrastructure and play an important role in facilitating global trade. 

The potential damage that such a strike could cause is frightening, with the greatest fear being a scenario where electronic money and traces of transactions are wiped out altogether, freezing trade and grinding an economy to a halt. While this is the worst-case scenario, cyber security teams cannot afford just to focus on one type of threat.

“As financial institutions we have to be prepared to defend all types of attack, we have to have it all covered. No cyber crime is good cyber crime,” says Mr Croston of JPMorgan. When asked which kind of threat is the most worrying, he replies: “It is hard to choose which one is scarier than any other, they are all scary.” He adds that the concern is with any weaknesses in the cyber defence systems, as these will be pounced on by criminals. 

David Wall, a professor of criminology at Durham University in the UK, says: “The weakest link is individuals themselves.” While banks have increased the technological security of their systems, they are now having to focus on the procedures and policies around their staff. 

Mr Rivner at RSA explains that the increasingly sophisticated attacks are not focused on hitting the bank’s network directly, as the perimeter defences are quite strong. He says of cyber criminals: “They don’t bother with the walls, they get through the gate in the wall.”

Soft underbelly

Steve Winterfeld, cyber technical lead at systems engineering company TASC, says: “Traditional banks were built like a fortress, with a hard exterior and a soft interior.” He notes that this kind of set-up is vulnerable in a network where criminals go after the soft interior of the employees. Those employees may not necessarily be disgruntled; in many cases they may feel that they are acting in the company’s best interests by sharing more information than they should do. Or a busy employee may fall for a scam that taps into human nature, tricking them into opening the door into the company’s internal systems.

For example, if a particular bank has announced redundancies, cyber criminals will pick up the news and launch a phishing campaign with an e-mail that has a document infected with malware that purports to hold details of which staff members will be laid off. “You can’t tell me that there is not one person who will open it,” says Mr Lyons of ICSPA. 

Such attacks highlight the difficulty that banks have in controlling their internal policies and procedures, and making sure that their systems are checked to see they are effective. 

This is the type of attack that has been seen in recent months and the real danger is when the employee or the bank fails to detect that an attack has been launched. Where they do notice an attack, it is becoming increasingly important that they share information with other banks.

Mr Rivner notes that it took a while for banks to share information when phishing scams first became apparent. However, once they identified the patterns and understood the problems, they saw the need to share information about phishing and coordinate a response to defend against such attacks. That is now beginning to occur with the new types of threats that banks are dealing with, such as hacktivism or state-sponsored attacks, and banks are realising that it is critical to share information about incidents.

Information sharing

Initiatives to share information are becoming increasingly important as the attacks become more sophisticated and insidious. One such organisation that shares information is the US Financial Services Information Sharing and Analysis Center (FS-ISAC), launched in 1999.

Eric Guerrino, the organisation’s executive vice-president of operations, says the centre has more than 120 sources of information, including government agencies and intelligence sources in private industry, and that this information is distributed to its membership base of US financial institutions. He notes that the organisation has seen a rise in attacks in recent months, hence the need for more sharing of data. Apparently banks are increasingly willing to share information; “they realise that we are all in this together,” says Mr Guerrino.

The FS-ISAC has a template that banks use to report an incident. They can describe the type of incident, for example a spear phishing attack, and give information such as the IP address, what systems were affected and whether the attack was successful. That information is anonymised and a security analyst checks it to ensure that the financial institution concerned cannot be identified. 

The industry is working towards establishing international sharing systems whereby if one institution is under attack, other banks can be notified in real time about the nature of the threat. Such a goal requires a great deal of collaboration and is still a work in progress, but the industry has overcome its reluctance to talk and share information on such matters. As global transaction services increasingly move online, using the weapon of information sharing could be key in fighting the changing nature of cyber crime. Such information sharing is now seen as one of the key weapons in fighting cyber crime.
