Given that the number of digital attacks is increasing every year, banks' virtual defences are surprisingly low-tech.

I recently had a meeting with a couple of heavyweights in the cyber security field. These guys are bank defenders and very good at their jobs. Their mission: to keep cyber attacks to an acceptable level. Acceptable is a few basis points of total credit, let's say less than 0.7%.

But it is getting harder every day, with attacks coming from all levels. Banks must therefore issue tokens, keys and software to make sure that customers are protected. The only thing is that the tokens, keys and software are not liked by most customers as they are unwieldy, difficult to use and hard to remember.

Slipping in through the net

The problem is that bank systems were built for the branch era, when the internet was just an idea in the back of someone’s head. Now that all this technology is out there offering convenient remote access, it is creating a real headache for everyone. The result is an overlay of bulky security processes that no one likes, but that are the sticking plaster that works (albeit with effort).

We get into a dialogue about how security has changed. Just a few years ago, 80% of the threat was from physical attack and 20% virtual; now it is the other way around, with 80% remote and 20% direct, ignoring the internal attacks of course. This is well illustrated by the latest statistics from internet security firm Symantec, which found that there were more than 5.5 billion malicious attacks on systems in 2011 – an increase of 81% compared to 2010 – with more than 403 million different versions of malware out there.

Times are hard. But, with so many events that could compromise it, how do you protect the bank? The experts said that they knew the bank would get compromised on an irregular basis – you cannot predict every attack – but it depends on what the attack is and how you handle it.


A denial of service attack that brings down the website is far easier to deal with than one that compromises customer data or funds. Equally, the key for the bank is not the compromise risk but the reputational risk: getting hacked once, and having no one hear about it, is far more desirable than getting hacked and having customers know about it. Even worse is if you get hacked more than once and customers know about it. So it is all about minimising risk, managing compromises and ensuring that everything is kept at a nice level below the eye line of the client.

Myth of identity theft

I finished our chat by asking why it was that we no longer hear much about identity theft, as that was a big topic just a few years ago. “Oh that”, they said, “that is just the media stirring up the pot.

“There is no such thing as identity theft. The media call everything identity theft, whether it’s a ‘card not present’ card issue for a singular transaction or an account takeover. So we only refer to account takeover as identity theft, which is when someone gets hold of the bank access of a customer and uses that for their own purposes. And that is where the issue arises.” Really?

“Well, if we have a totally new customer to the bank, never seen before, we have three groups who start to look at the customer onboarding: risk, compliance and security. The risk department is typically looking at whether the person is bankable and appropriate to the account offer (credit and market risk). The compliance department is looking to ensure that all the regulatory tick boxes are ticked, and the security department is trying to ensure that the person is not setting off security alarms – fraud, cyber crime and terrorism, for example – when they are onboarded. And the challenge is to make sure that all three groups work in tandem, as often the cogs can be out of kilter,” they say.

I guess that tells you why cyber crime, bank security and all the layers of keys, tokens and passwords are so annoying but necessary. Roll on biometrics.

Chris Skinner is an independent financial commentator and chairman of London-based The Financial Services Club.
