Defending a bank against cyber-criminals

This is the concluding part of a three-part series exploring the rise and power of cyber-criminals; the anatomy of cyber-attacks targeting banks; and defending a bank against cyber-criminals.

Today banks are under threat from increasingly audacious and highly networked cyber-criminals attacking from within, exemplified by the February 2016 attempted theft of $951 million from Bangladesh Bank’s account with the Federal Reserve Bank of New York (source) and the May 2016 attempted theft of about $1 million at Vietnam’s Tien Phong Bank (source, source).

Countering these threats requires banks to strengthen security, especially perimeter and access control. At the same time, financial regulators in Europe are pushing banks to open up their payment services infrastructure, while competition from FinTechs is challenging the existing revenue models of many banks. On the face of it, cyber-criminals, regulators, and new entrants appear to be pulling banks in different directions, requiring a delicate balancing act between opposing imperatives. However, a closer look at how to tackle cyber-crime reveals a set of priorities that are also key to addressing the other two challenges: simplify the internal IT landscape, innovate customer authentication, and focus on data analytics.

Banks that align their IT, security, compliance, and go-to-market strategies across their organisation will not only save on costs but will also enjoy a distinct competitive advantage.

Figure 1: Conflicting imperatives facing banks today and the way out (Innopay, 2016)

Keys to success

The traditional risk management approach requires banks to perform periodic risk assessments; design, implement, and monitor controls; and hope that cyber-criminals walk through the well-defended front door. While essential for maintaining a good security baseline, this approach is often inefficient, particularly if done to excess, and may foster a false sense of security. It is also nearly always ineffective against persistent adversaries. To effectively block cyber-criminals, banks need to address three key priorities:

  1. Simplify internal IT landscape
  2. Innovate customer authentication
  3. Focus on data analytics

1. Simplify internal IT landscape

The notion of internal complexity as a security barrier is dead; today internal complexity is a barrier to effective defense. Complexity has a double cost: criminals get a wider choice of targets to attack, while security gets spread thin trying to defend a larger attack surface. Also, as seen in the 2013-2015 Anunak/Carbanak case and other cyber-crime cases, attackers reuse their understanding of banks' internal systems across multiple targets. Because banks' systems are functionally similar, every compromise of any bank anywhere in the world potentially exposes yet another exploitable vulnerability.

To be prepared to defend against any known or unknown cyber-attack, banks have to start by seriously thinking about eliminating internal complexity. Although it is straightforward to appreciate that a simplified IT landscape directly translates to reduced IT costs and could potentially ease the transition to PSD2 and Instant Payments, because of entrenched legacy this is perhaps the most perplexing of the three priorities and the one that needs the strongest commitment.

2. Innovate customer authentication

Authentication is the most important customer service of a bank. However, banks most often see authentication as a hygiene factor to be balanced against convenience and cost. With smartphone penetration reaching over 60% (source) in Western Europe (over 75% in some countries), the time is ripe to fundamentally transform how we think about customer authentication: instead of seeking a balance, we can now significantly improve security, convenience, and costs at the same time.

Embedding mobile-app-based customer authentication into external-facing as well as (simplified) internal systems, for access to customer data and for processing of transactions, will shield banks from (large-scale) internal as well as external compromises. Further, the possibilities for enriching the customer experience are limitless: mobile onboarding, virtual branches, emotion sensing, and not taxing customer memory, to name just a few.

For banks, this is also one of the ways to retain customer trust and stay relevant in the face of competition from FinTechs.

3. Focus on data analytics

Banks generally have sophisticated fraud detection systems refined over time on the basis of fraud they have experienced. These systems are good at detecting known fraud but have a learning curve (human and/or machine) before becoming effective against new fraud. As long as attackers lacked the capability to cash out large sums, this was not a problem. However, as seen in recent cyber-crime cases, large-value cash-outs with possible insider involvement are the new reality.

Banks also have multiple security monitoring systems. These systems are good at alerting on physical, network, infrastructure, and middleware security violations but are prone to generating large volumes of false alerts.

Further, because of the complexity of integration, security monitoring systems and fraud detection systems operate in their own silos. Cyber-criminals, on the other hand, use all possible vectors in the same attack: sophisticated social engineering, advanced hacking, physical intrusion, and whatever else it takes to get the job done.

To regain the upper hand, banks need to start by developing unified security analytics capabilities that are independent of data source and detection use case. Next, so as to be able to detect unknown attacks, banks need to leverage data science to make sense of the data with no a priori knowledge of or assumptions about the data.

Vikas' view

Vikas' view on comprehensive cyber-security rests on four key pillars:

  1. Know: Build actionable understanding of the external cyber-crime environment combined with a working appreciation of the internal landscape.
    “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu
  2. Protect: Design and implement efficient controls to protect effectively against known attacks.
    “The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu
  3. Detect: Design and implement appropriate tools to learn to identify and foil known and unknown attacks as they commence.
    “Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience, nor by any deductive calculation.” – Sun Tzu
  4. Respond: Implement and exercise procedures to take action in response to detected cyber-security incidents; be prepared to respond vigorously.
    “Bring your enemies to justice for their crimes.” – Sun Tzu

Source/permission: Blog Vikas Munshi