By Emily Frost – International Banker
Cybercrime is one of the most critical growing threats facing the global-banking industry today, and it managed to claim another major victim recently. On the weekend of November 5th and 6th, 2016, Tesco Bank was subjected to a hack that saw £2.5 million siphoned off from 9,000 of its accounts in what some security experts are describing as the most serious attack to ever hit the United Kingdom’s banking sector. With the number of attacks having risen in 2016 to unprecedented levels, questions continue to arise as to just how far behind the likes of banks, central banks, corporates and even governments are in the fight against cyber-hacking.
The Tesco Bank attack is thought to have occurred through its online banking system, affecting 20,000 accounts in total. With banks generally being known to react more slowly to online threats that occur on the weekend, it perhaps explains the timing of the recent attack. The stolen money was then used to buy thousands of goods from worldwide retailers using the contactless mobile-phone payment method. Although next to nothing is known about the perpetrators of the attack, some customers have stated that their money was moved to companies in Brazil, the United States and Spain, suggesting that the gang members behind the attack may have operations in such countries.
Tesco Bank itself continues to remain tight-lipped over the incident, presumably as a criminal case is now officially in process, although it has sought to assure its customers that it is “taking every step” to protect customer accounts. The head of product management at Huntsman Security, Piers Wilson, recently suggested that the attack could have originated from a Tesco Bank insider, “where an employee has misused their access privileges to take cash from customer accounts”. Wilson also acknowledged the possibility that it has come from an external source, although suggested that card-skimming at cash machines was an unlikely factor.
Irrespective of the source of the attack, however, what appears to be particularly concerning for Tesco Bank and banks of a similar size is that for several months prior to the incident, hackers had already identified the bank as an easy target. Israeli cybersecurity firm Cyberint recently stated that it had discovered several discussions taking place by criminals in online forums on the “dark web”—the hidden, untraceable portion of the Internet that is an invariable hotbed of criminal activity. Forum users reportedly described Tesco Bank as a “cash milking cow” and “easy to cash out”, meaning that such parties were already trading the bank’s sensitive customer-account information and credit-card details, and that several accounts were already being defrauded prior to the November heist. Indeed, there is evidence that cybercriminals were organising an attack on Tesco as early as September 7.
Worse still, Tesco Bank ignored several red flags that its information-technology system was being targeted. According to Codified Security, a mobile-app testing company, its staff found several security weaknesses in the Tesco Bank app. Codified Security also claims that its repeated attempts to warn Tesco of the attempted security breaches were ignored. Some have pointed to the fact that Tesco Bank’s security model was clearly weaker than it should have been. After logging into an account, for instance, a user was able to transfer funds to an account in another bank without the need of a SMS (Short Message Service) confirmation.
The decade thus far is likely to go down as an era in which the global-banking system’s inadequate defence against cybercrime was increasingly exposed. The UK alone saw 75 reported cases of attacks against financial institutions in 2016—an astronomical rise from the mere five that were reported in 2014. Indeed, this new form of bank robbery has generated a raft of concerns across the world. From the $81 million heist of Bangladesh’s central bank account at the Federal Reserve Bank of New York in February to the LogRhythm survey that found an astonishing 90 percent of banks and companies in the Asia-Pacific region reported a cyberattack of some kind last year.
While banks are constantly upgrading their defence systems to combat this ever-mounting threat, the increasing number of attacks shows that they continue to be outsmarted. Codified Security’s chief executive Martin Alderson recently praised the security systems of the UK’s top-tier banks, such as Barclays and NatWest (National Westminster Bank). The second-tier banks, however, received a considerably less glowing assessment, with Mr. Alderson suggesting that they are “pressured to bring out a coherent mobile strategy because their customers are demanding it. But often I’m not sure they have the understanding of all the technical aspects to make them secure”. Indeed, reports estimate that Tesco Bank has spent £500 million on building its technology platform during the last seven years. Nevertheless, it has proven insufficient to prevent massive fraud.
As such, it appears that the more online products and services that are provided by banks, the more vulnerable they are to threats. Furthermore, it would seem that they are already several steps behind such criminal gangs, who can ostensibly use the far reaches of the Internet to organise large-scale criminal activity without being detected. The response to such crime, therefore, will need to be stepped up significantly during the coming years. In addition to improving the robustness of their security systems, banks will also need to report more attacks to regulators and perform stronger checks to ensure they know their customers. Now that we are firmly in the age in which the bank robber uses a broadband connection instead of a balaclava, banks will need to get smart sooner rather than later.