Chris Skinner's blog

Shaping the future of finance

So how should a bank protect itself from hacktivists and cybercrime?

The real challenge for the banking system is how to protect
its firewalls from attack by hacktivists, goverworms and cybercriminals and,
conversely, how to deliver easy access to online banking for its clients and
customers.

It’s a real dilemma.

On the one hand, everyone wants mobile access to his or her
account balances and to make payments; on the other, no-one wants to consider
the issue of haemorrhaging losses if they don’t protect their account properly.

This is also a challenge in terms of building business as,
for example, many people do not use mobile banking for exactly this reason:
they worry about haemorrhaging losses.

So there are two distinct focal points here for information
security within a bank:

  1. protecting the bank’s information from attack; and
  2. allowing the bank’s customers to access the information they need when they need it.

Looking at the first part, hacktivists are not really the issue here.

A massive Distributed Denial of Service (DDoS) attack from the anonymous collective is concerning, but bringing down a website does not bring down the system.

MasterCard and Visa made this clear when they were attacked last year, and so it's an inconvenience rather than a concern.

However, a targeted hack is a concern, and there are many instances of banks
failing to deal with this properly.  Last year,
for example, hackers got access to some of Citibank’s customer data, with at least $2.7 million lost by 3,400 customers.  That’s small beans and is manageable, but
shows the vulnerability.

The insider threat is even greater, with employees who can
gain millions by selling access to bank data.
An instance of this was also seen last year, with Bank of America losing
over $10 million thanks to a staffer giving away account details to an identity
theft ring.

Again, it’s small beans, but when there’s a crack in the
firewall it can soon grow into a fissure, chasm or canyon.

That was well illustrated by Sumitomo Bank, which lost almost $350
million in a keylogger scam.

You would think that this bank would
therefore have gotten its act together after such a near fatal disaster.  No. 
This is the very same banking operation that was fined £3.5 million by
the Financial Services Authority in May for serious IT governance failings.

Oh dear.

Regardless, as I keep saying, banks are data
guardians, information providers and knowledge developers.  Or they should be.

This means that the way in which you guard against data
failings from external attack is by having the obvious data protections:
firewalls, secure sign-on, dual authentication with triangulation of access,
real-time business events monitoring and so on.

What I mean by this is that banks should be moving towards
much improved real-time tracking and business intelligence about their information
flows, and this will alert them to any security breach.

After all, most banks know that they will be breached.  In fact, they know they cannot stop a breach.
It will happen.  The real question then
is how you deal with it and how fast.

That’s the key.

This is why complex event monitoring of business
intelligence flows with real-time alerts is a key focal point.  The ability for a bank to keep its finger on
the pulse of every transaction across its global operations will be the key to
protecting against internal and external threats.

And if real-time business monitoring can solve the first
issue, an external or internal security breach, what do you do about the second
area: ensuring ease of access securely?

Again, it seems simple and yet so many fail.

I was astounded to read a report, for example, that stated
the mobile banking apps from world-leading banks like Wells Fargo, PayPal,
Chase and others were failing the viaForensics security tests.
At the time, August 2011, a quarter of all mobile bank apps failed basic security tests.

According to Neil O’Farrell, executive director of the Identity Theft Council: “There were more breached
records last year than U.S. residents, and more
cases of identity theft than just about all other crimes combined.”  He went on to say that: “Eight out of ten
mobile banking apps have security flaws, but Apple and the banks don’t want you
to know that.”

Whether true or not, there are obvious flaws in mobile
security right now, and yet there shouldn’t be.
As Business Week points out,
mobile banking is more secure than online banking … or it should be, when done right.

As most users always know where their mobile is and have it
with them, unlike their wallet or credit card, it means that they are far more
likely to know when it is lost or stolen.

Equally, as mentioned, triangulation or more secure
techniques mean that you can use the mobile telephone number and the geolocation
proximity of the phone, text messages and apps, alongside a card and PIN, to
make sure that the person who says they are trying to access the account is
actually the person who should access the account.
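The triangulation check described above, written out as an added Python example (not code from the original post): a card-and-PIN transaction is only allowed straight through when the phone number presented matches the one on file and the registered phone’s app has recently reported a location close to where the transaction is happening; anything else gets stepped up to a challenge on the registered phone. The thresholds, phone numbers and coordinates are constructed for illustration.

```python
# Added example, not from the original post. Thresholds, records and
# coordinates are constructed; real systems would tune them per channel.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Transaction:
    card_pin_ok: bool        # card present and PIN verified at the terminal
    claimed_msisdn: str      # phone number presented with the request
    lat: float               # where the transaction is taking place
    lon: float


@dataclass(frozen=True)
class PhoneContext:
    registered_msisdn: str   # number on file for the account holder
    lat: float               # last location reported by the banking app
    lon: float
    minutes_since_fix: int   # age of that location report


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def decide(tx: Transaction, phone: PhoneContext,
           max_km: float = 5.0, max_age_min: int = 30) -> str:
    """Return 'deny', 'allow' or 'step_up' (send a one-time code to the registered phone)."""
    if not tx.card_pin_ok:
        return "deny"            # first factor failed outright; nothing to triangulate
    if tx.claimed_msisdn != phone.registered_msisdn:
        return "step_up"         # unknown phone: challenge the number on file instead
    if phone.minutes_since_fix > max_age_min:
        return "step_up"         # stale location fix: proximity cannot be trusted
    distance = haversine_km(tx.lat, tx.lon, phone.lat, phone.lon)
    return "allow" if distance <= max_km else "step_up"


# Constructed sample: purchase in central London while the registered phone's
# app last reported from a few hundred metres away, five minutes earlier.
SAMPLE_TX = Transaction(True, "+447700900123", 51.5074, -0.1278)
SAMPLE_PHONE = PhoneContext("+447700900123", 51.5100, -0.1300, 5)

if __name__ == "__main__":
    print(decide(SAMPLE_TX, SAMPLE_PHONE))
```

A phone reporting from Manchester for the same London transaction falls through to `step_up`, which is where the real-time alerting discussed earlier would pick it up.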

The bottom-line of securing banking is that banks will never
be able to keep ahead of the criminal. 
That’s the criminal’s job: to continually test and try to break the
security of the bank.

This means that the bank must therefore always be one step
behind those who want to create cracks in their firewalls. 

That means continual renewal of information security policies,
systems and infrastructures, and making sure that the bank keeps up with best
practice in securing its customers’ data.

Some banks do this brilliantly.

Some don’t.

Just make sure you’re with the ones that do.


This is the last entry in a series about Hacktivism:

Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.