Note: This story got combined into a broader American Banker piece about recent DDoS attacks at banks that ran today (3/13/13)
For bankers, the cyber security conversation has shifted over the past decade — going from how best to keep criminals out of sensitive information, to how to detect thieves once there has been a breach.
That debate has intensified around recent reports that malicious programmers with ties to the Chinese military have stolen data from hundreds of American enterprises, including financial services companies, over the past several years.
Just this week, JPMorgan Chase admitted that its online banking suffered an outage on Tuesday afternoon as a result of a denial of service attack. On the same day, the U.S. Director of National Intelligence James Clapper told the Senate Intelligence Committee that soon unsophisticated online attacks could have “significant outcomes” potentially affecting a wide range of companies and networks.
Hackers “are certainly more sophisticated, it’s certainly not the 14-year-old sitting on his dad’s PC writing a virus,” says Mike Whitt, BBVA Compass’ chief information security officer. “This is a business for these guys, and it’s really a business that runs in kind of parallel to the legitimate market, so the actors can be anyone from organized crime, or even terrorist organizations, even state-sponsored attacks.”
Banks have an especially tough job because they are certainly not security companies, he adds.
“I am limited in the amount of resources that I have, whereas you look at the attacker, the attacker is somewhat unlimited in those resources,” says Whitt. “Because most of the money that they are using is through ill-gotten gain, and the resources they are using are mostly criminal… If I need hardware, I have to go through a process, getting it approved. If one of these bad guys needs a couple more PCs, they find PCs that are on the internet and they take them over, own them, and then they have additional hardware resources.”
Indeed, IT employees at banks are dealing with malicious coders on all fronts.
Banks are being targeted by both distributed denial-of-service attacks (DDoS), in which botnets bombard a financial services company’s website in order to shut it down and disrupt services to customers, and invasive malware that infects customers’ sometimes insecure devices and compromises their accounts.
“Often DDoS attacks can be a diversion,” says Dave Ostertag, a computer security expert and a global investigation manager with Verizon. At the same time, “you might have some type of SQL injection attack, or someone looking for a vulnerable [IP communication sent between computers both inside and outside a bank] that they can attack while everyone is paying attention to the DDoS.”
He adds that some hackers are simply raising the technological bar in the fight with banks. “When you characterize the activity that is going on, it’s kind of like a kid that just got a new toy, and some of the areas that [banks] are branching out into are techniques that, if done incorrectly, could [help cybercriminals] be successful in getting access directly to a bank,” says Ostertag.
There are prescriptions banks can follow in order to block some fraudulent money transfers, such as running all of a bank’s ACH payments on a single, dedicated computer that isn’t handling any of the bank’s employee email or web traffic.
Banks often don’t know whether their own systems are responsible for losing customers’ money, or whether the small businesses they hold money for are compromising their own accounts.
“There is a huge argument there over: Do you absorb the losses for the businesses?” says Ostertag. “Most of the banks aren’t.”
He says there is a cottage business of IT security professionals focusing on the forensics behind some of these attacks. “Did [a bank customer] have adequate security in place? And if they didn’t: What led to this breach that allows this ACH transaction to be conducted?” says Ostertag.
In addition, Sergio Fidalgo, BBVA Compass’ chief information officer, says his bank hedges against instances of high-tech theft by inserting people and processes into transactions.
“There is not a single point of failure in which we rely on from a security perspective,” he says. “It’s not just about detecting, preventing and fighting the attacks… we have procedures that have to be strictly met when we talk about money leaving the bank.”
Human beings, however, can only catch so much, says Barak Eilam, president of Israeli tech vendor NICE Systems’ American operations.
Earlier this year, NICE launched a suite of services that employ biometric technology to screen calls and recognize known fraudsters’ voices when such a scam is attempted over the phone.
Eilam stresses that though computers can only do so much, they certainly pare down what could be indomitable threats to banks by flagging suspicious activity.
“Because of banks’ scale, complexity, and sophistication… this is where technology comes in place,” Eilam says. “Technology helps.”
Even then, people will always be susceptible to social engineering attacks in which hackers pick up just enough information about a person to fool a bank employee into moving a victim’s money, or worse.