In April 2017, the Russian cyber-security firm Kaspersky Lab identified a criminal hacker group operating under the names BlueNoroff and Lazarus. Probably hailing from North Korea, this group targets public and private financial institutions around the world – from Costa Rica to Thailand, India, Gabon and Poland.
Early this year, the website of the Polish Financial Supervision Authority (Komisji Nadzoru Finansowego or KNF) was used to distribute malware to visitors. Soon after, Mexico’s Financial Supervision Authority (the Comisión Nacional Bancaria y de Valores) was targeted using the same methods. While there is no evidence that funds have been misappropriated, other international institutions are experiencing similar attacks, which are likely to become more frequent in the future.
The banking sector under fire
According to Financier Worldwide magazine, more than half of the world’s largest 50 banks have been victims of cyber-attacks over the past ten years, losing a total of more than US $1 billion (although some consider this figure is higher). One of these was the Bangladesh central bank, which lost US $81 million to hackers in 2016 – another attack attributed to Lazarus.
Most cyber-attacks involve two methods: spear phishing and installing malware.
Spear phishing is the practice of sending fraudulent emails to selected recipients with the aim of gaining control over their computers. Cyber-criminals pretend to be colleagues or clients of the banks concerned, and ask recipients to provide confidential information.
Installing malware (malicious software), the second method, can be used in conjunction with spear phishing. This technique is more often used to control the machines of bank customers: when they enter their login details on a bank’s website, the malicious program records this information. Hackers are then free to access the victim’s personal banking pages. One program that steals bank login information is GameOver Zeus, which was based on the infamous Zeus program and identified in 2011.
In autumn 2016, Tesco Bank was targeted by an operation of this kind. Hackers successfully stole more than £2 million (approximately €2.4 million) from the accounts of 9,000 users.
According to an article by CSO, more than half of all cyber-attacks target financial services and e-commerce websites. And the threat is growing: incidents affecting the banking sector increased by 40% between 2014 and 2015, costing an estimated US $3 trillion, a figure likely to double by 2021. Banks are aware of these risks: 65% of bank directors have said that cyber-security will have a greater impact on their activities over the next two years.
Why are banks such good targets?
Criminals (and cyber-criminals) go where the money is. Banks are therefore a perfect target.
Banks have adapted to the digitalisation of society by developing unique products such as online banking systems, international financial transactions and digital payment methods (based on the PayPal method, for example). Given the increased use of these applications on smartphones and connected objects in general, hackers have a much wider playing field. The more dematerialised transactions take place, the more hacking opportunities are created.
In addition, banks, especially investment banks, have large databases containing extremely sensitive information. If stolen, these databases can be easily sold. Considering that financial institutions detect malicious attacks after eight months on average, they run major risks in terms of financial and reputational damage.
What solutions exist?
Given the increase in hacking attempts, the British financial sector has invested heavily in cyber-protection over the past few years. With budgets of up to £700 million per year (over €830 million), banking institutions are upgrading their information security systems – for example, by installing innovative software to track potential hackers. End-user security is also regularly reinforced. For instance, financial transactions can now be confirmed with automatic text messages, and cheques authenticated with unique QR codes.
Cooperation has always been a useful tool in tackling crime, and cyber-space is no exception to this rule. For example, the United Arab Emirates Banks Federation released a shared cyber-security platform on 1 May 2017 for all 49 UAE banks. This platform, which seeks to minimise attacks targeting creditors, enables banks to share information that can be used to thwart hacking attempts.
The United Kingdom has gone one step further, developing public-private initiatives in the financial sector. Examples include the UK National Computer Emergency Response Team (CERT) and the Cyber-Security Information Sharing Partnership (CISP), both of which are currently part of the National Cyber-Security Centre (NCSC).
Banks have long invested in infrastructure security, both real and virtual. But hackers never rest: they are always looking for new ways to get around obstacles and earn even greater rewards. This is probably why they are increasingly targeting investment banks. Despite their size, these institutions are perhaps less accustomed to dealing with these issues.