Countering emerging cyber threats in the banking sector

The threat of cybercrime on the global banking and financial services industry is apparent with a tectonic increase in cases over the past few years. These attacks have become highly targeted, and cyber criminals seem to have hit the jackpot by deploying sophisticated techniques for illicit financial gains. From hacking the bank accounts of companies, governments and consumers and demanding heavy ransoms to decrypt the data, they seem to be one step ahead in the game.

The disruptive force of technology has proved to be a double-edged sword, with the quantum of cyber-attacks intensifying with time in the banking sector. For instance, ‘Zeus Trojan’, a type of malware wreaked havoc on the internet about a decade back, stealing the banking credentials of users. ‘Cryptolocker’, a type of ransomware was then discovered which could encrypt critical files on the system and demand a ransom (typically in Bitcoins) in exchange for the decryption key. More recently, a lethal ransomware known as ‘Mamba’ has caused panic across the world. This is because instead of the just encrypting critical files, ‘Mamba’ encrypts the entire hard disk drive, including the bootloader.

Phishing, another form of attack led by social engineering, is targeting consumers who may fall prey to a fake but ‘genuine-looking’ bank website, and eventually offer credentials to a hacker. The hacker would then use the credentials to log into the original bank account and transfer funds fraudulently. Distributed denial of service (DDoS) attacks using devices connected to internet such as CCTV cameras and mobile phones have also enabled them to potentially deny internet access to an entire country.

Historically, telex (also known as TT or Telegraphic Transfer) has been the legacy electronic method used to send overseas payment instructions taking place between financial institutions. While it was a popular means, there were loopholes in the security systems. The need to have an easier as well as a secure system emerged, which would be simple and safe and maintain integrity of the data exchanged. Telex was eventually replaced by a newer and more reliable method, created by non-profit organizations known as Society for Worldwide Interbank Financial Telecommunication (SWIFT) in 1977. SWIFT gained instant popularity and by 1979, it was already handling more than 1.2 lakh messages per day. Today, SWIFT’s messaging services are used extensively by more than 11,000 financial institutions in over 200 countries.

In recent times, cyber criminals have shifted their focus to targeting critical banking infrastructure. Created with the intent to provide security and reliability to banks, the repercussions of successfully breaching SWIFT systems could be hazardous. Unlike banking Trojans and ransomware, where each hack would yield thousands of dollars, each SWIFT hack could potentially cost banks millions of dollars. Media reports have suggested such cases in Asia as well as Europe. Keeping aside the reported cases, there is a fair probability that more attacks may have occurred but would have gone unreported due to possible reputational damage feared by the institutions.

Typically, hackers would send fraudulent payment instructions impersonating the operator of a financial institution. They would then manipulate or wipe off some data to mask any trail so the hack becomes untraceable. The usual approach taken by cyber criminals to breach any account would encompass the following stages:

Stage 1: Attackers would compromise the bank’s environment using various techniques such as exploiting vulnerabilities of the internet facing servers or systems; or harvest an employee’s credentials by sending a spear-phishing email. Typically, the hackers identify and target these employees from their social media profiles.

Stage 2: Once inside the bank’s network, the attackers tend to extract credentials that have the authority to create, approve and submit payment messages from the authorized local systems, to the global network.

Stage 3: Attackers then submit fraudulent messages by impersonating the operators. These fraudulent messages would contain transaction requests to fake entities.

Stage 4: A malware is used to compromise a third-party application used by the customer to read user generated reports of the global payment confirmations. Its purpose is to manipulate local records of messages.

Stage 5: Finally, attackers hide evidence by clearing the system event logs, deleting the malware and removing traces of the fraudulent instructions.

To proactively manage the vulnerabilities that could be exploited by hackers, patches and updates have been rolled out by SWIFT. However, as the compromise often involves internal systems, such steps may not necessarily solve all the problems for an organization.

Additionally, the Reserve Bank of India (RBI) has released a set of guidelines to manage the risks associated with such attacks. RBI’s circular last year covered several notable suggestions, ranging from arrangements for continuous surveillance, creation of a cyber security policy that is distinct from the broader IT policy and an immediate assessment of gaps in preparedness to be reported to the regulator. To diminish future risks and fortify safety mechanisms, institutions using global payment services should conduct a complete security review of their IT infrastructure. Lastly, a proactive forensic analysis of all the systems may be beneficial to ascertain if there has already been a breach or compromise.

Amit Jaju is executive director, fraud investigation and dispute services, EY India