By Alexander Jones, International Banker
During the first weekend in February this year, Bangladesh Bank became the victim of one of the biggest cyber-heists of all time. Criminals managed to hack into the central bank’s security system, masquerade as official banking authorities, and illegally transfer $101 million of funds from its account at the Federal Reserve Bank of New York to accounts in third countries. $20 million was sent to (and eventually recovered from) Sri Lanka, while the remainder went to accounts in the Philippines, before reportedly disappearing into the country’s casinos. Had the criminals not misspelled the name of one of the beneficiaries of the illegal funds, it is likely that the $20 million in Sri Lanka would also have remained unrecovered.
The attack against Bangladesh Bank is just one of many examples of cybercrime that have plagued the global banking system over the last few years. The term itself relates to a broad range of offenses that involve compromising a company’s information technology (IT) system, and in the specific case of banking, a compromise that is invariably done for financial benefits. Today, the amount of money being taken in cyber-heists, both in banking and elsewhere, has reached staggering levels. One estimate put this amount at $3 trillion overall for 2015, while a report from the market-intelligence company Cybersecurity Ventures expects it to double by 2021.
In the specific case of banking, Asia has arguably been the most vulnerable region to date. In addition to Bangladesh, a slew of high-profile attacks on financial institutions have recently occurred in Japan, the Philippines, Taiwan, Thailand and Vietnam, which in turn has resulted in billions of dollars in lost banking revenue across the continent. One estimate suggests that cybercrime cost Asian companies a massive $81 billion last year alone—a figure that constitutes more than a quarter of the global total of $315 billion, and which exceeds the US and European Union figures by about $20 billion. In addition, a survey from LogRhythm found that up to 90 percent of banks and companies in the Asia-Pacific region have reported some form of attack this year, up from 76 percent reported in 2015. The most common of such attacks have included the theft of remittance payments, and more direct attacks on banks’ technology infrastructures.
While some suggest that political issues in the region, such as the territorial dispute in the South China Sea, have driven much of the criminal activity, others point to a combination of factors that have made Asia particularly exposed. Among them are the comparatively primitive cybersecurity systems currently in place at many Asian banks; the lack of awareness of and investment in cybercrime defence (it took two days for Bangladesh Bank officials to realise they had been swindled); and the fact that Asia is particularly exposed to a unique form of cybercrime in which the conversion of funds into real money takes place much more quickly than in the US and Europe, where more advanced defence systems are now largely in effect.
Although Asia appears to be a particularly vulnerable region at present, cybercrime is now a truly global problem for banks. This is perhaps best illustrated by the Carbanak gang, who managed to steal around $1 billion from 100 banks across 30 countries worldwide. According to global cybersecurity company Kaspersky Lab, the robbery involved hacking into each target bank’s systems and networks, before pretending to be legitimate operators once inside. Coupled with the rapid speed at which they moved from bank to bank, this ability to mimic legitimate banking conduct made them difficult for authorities to detect.
The methods that Carbanak used to break into the systems involved using customised “malware” (malicious software) to infect banks’ computer systems and quickly withdraw information and/or money, and “spear phishing”, in which the hackers sent malware-ridden emails to bank employees that allowed them to seize control of the computers upon infection. The criminals were then able to search the bank’s networks to see where and how they could access important financial data, before withdrawing funds by using payment transfers or by setting up fake bank accounts and using remote commands to ATMs.
The problem can also be exploited to a greater extent by hackers due to the woefully inadequate level of awareness amongst banking leaders that cybercrimes are taking place at their banks, even after they have been committed. A survey from KPMG in May found that 12 percent of bank CEOs did not know if their banks had been hacked, while the number rises dramatically to 47 percent for banking executive vice presidents and managing directors, and to an alarming 72 percent for senior vice presidents and directors.
That being said, the Bank Director’s 2016 Risk Practices Survey shows that 77 percent of bank executives and board members consider cybersecurity to be their most concerning issue for the second year running. As hackers are constantly becoming more sophisticated in their methods, taking preventative cybersecurity measures will continue to move up banks’ priority lists. Indeed, Europol expects things to get worse before they begin to improve. The European Union’s main law enforcement agency recently identified eight separate cybercrime trends of which everyone should be made aware. The two most threatening to the banking industry were identified as ransomware, which involves the use of malicious programs to obtain confidential data related to the bank’s customers using online banking and payment systems, and payment fraud, involving malware attacks on ATMs and credit cards.
With cyber-threats now proving to be a hugely disruptive problem for banks around the world, it seems that they will have to seriously raise their defence capabilities, and quickly. That’s the opinion of Deutsche Bank’s former director of global technology production in Australia, John Baird, who in September admitted that cybersecurity was now approaching a critical moment. “You can’t put cybersecurity on the backburner any longer. The number of attacks is increasing, and we have to start lifting the education of the users to compensate.” Such sentiment has been echoed by many other banking leaders, including Craig Young, the chief technology officer of the global financial-payments network SWIFT, which has noted the increase in the number and complexity of the attacks and also stresses the pressing need for collaboration among banks in order to counter such threats effectively.
Indeed, SWIFT has been among the most vocal to warn about the growing spectre of cybercrime, which is somewhat unsurprising given the widespread use of the network by hackers to withdraw money from banks, as well as the sheer number of online attacks that its customers have had to face this year. Banks in locations as diverse as Vietnam and Ecuador, as well as the aforementioned Bangladesh Bank, have all had their SWIFT payment systems nefariously infiltrated. In each case, hackers managed to obtain the banks’ SWIFT access codes and send fraudulent fund transfer requests, while SWIFT itself was left unaware of the data breach until well after the attacks had occurred. The company has responded strongly to the threat, however, with the organisation’s CEO, Gottfried Leibbrandt, asserting earlier in the year that those lenders with insufficient cyber-defence systems could end up having to be excluded from SWIFT’s payment network. On several occasions this year, SWIFT has also highlighted the need for banks to be more open to sharing information upon being hacked as a way to maintain the integrity of the global payments network, one which processes approximately 25 million daily messages pertaining to the global transfers of billions of dollars.
Moreover, it is not just the smaller lenders with less sophisticated security systems that are deemed to be an easy target for attackers—quite the opposite. Last year, for instance, about 80 million JPMorgan Chase accounts were compromised, with hackers managing to obtain customer identity and contact information. Because of this and other attacks, the biggest banks have responded—JPMorgan doubled cybersecurity spending last year to $500 million; Goldman Sachs invested $35 million into iboss Cybersecurity; and Citibank’s venture-capital unit has invested substantial amounts in cloud-security companies. In identifying the common threat to their revenues, the biggest banks have also decided to team up to combat this growing threat. An alliance of the US’s eight largest banks has formed in order to share information about potential online attacks on their security systems. The group will operate as part of the 7,000-strong Financial Services Information Sharing and Analysis Center, which was created to help member organisations share cybercrime data. In recognition of the fact that the biggest lenders are more likely to be targets of cyberattacks than smaller banks, the top eight have formed a sub-group, in which they can simulate potential cyber-hacking scenarios.
While the threat from cybercriminals is still deemed to be growing at present, it should be mentioned that global law enforcement has had some success this year. Steve Wilson, head of the European Cybercrime Centre, recently highlighted some of the progress that has been made in this area, with improved collaboration between industry and law enforcement being of particular note, as well as the arrest of several major cybercriminal syndicates associated with cyber-intrusions and payment-card fraud, among other crimes. September also saw New York Governor Andrew Cuomo announce the proposal of state regulation that would require banks to implement and maintain a cybersecurity programme. The proposal includes the appointment of a chief information security officer, the requirement of official certification to indicate that a minimum level of adequacy of a bank’s security controls has been achieved, and providing notice of a security breach to the New York Department of Financial Services within 72 hours. Companies would also have to conduct regular testing of their systems, as well as provide specific cybersecurity training for staff.
As such, many parties are putting considerable effort into trying to neutralise this problem. However, that it will be enough to completely constrain the threats that banks face internationally today seems unlikely. While banks in New York may be able to bolster their defences, financial institutions in less-developed areas of the world are likely to continue being particularly vulnerable to cybercrime. Moreover, with such criminals able to execute attacks from anywhere in the world, it would appear that the logical counter-measures are likely to require a globally collaborative effort among banking-industry members.