The purpose of this article is to study the information security in the banking industry. This entails investigating information security measures, their implementation and effectiveness, as well as the challenges faced in implementing such measures.
Apart from looking specifically into the retail banking sector, information security is assessed from the management standpoint. Hence, this study offers insight into the non-technological side of Information security Management.
It is found that mobile devices practices are streamlined into the banking practices which has a large number of threats in BFIs.
Keywords: Information, Information Security, security, mobile devices, cyber-threats
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions. Financial institutions have long been a favorite target of criminals.
However, today’s “bank robbers” are looking for more than just cash and need never set foot inside a brick-and-mortar establishment to get what they are looking for. Technology has changed the game and added more threats for the Banking and Financial Institutions (BFIs).
Even as BFIs organizations grapple with shrinking profit margins, growing consumer expectations, and a challenging regulatory environment, many are realizing the harmful impact posed by cyber threats. Today’s banking industry primarily based on the information.
Information technology plays vital lifeblood for any organization, in which the banking and financial service industries are one of the most information prone areas on these days. The IT security and risk issue also thunder the overwhelming use of IT in the business arena.
The world of IT security is an ever-changing environment. Many banks could not aggregate IT risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities (Basel Committee on Banking Supervision, 2013). The world of IT security is an ever-changing environment.
From the early Morris worms and Monkey.B viruses to modern hacker tools like Back Orifice and Metasploit, IT security professionals must always be on the lookout for the latest threat to their networks. Today’s banking is heading towards mobile devices. People are using mobile devices for accessing their banking accounts either through internet banking channel or directly through mobile banking.
Cyber attacks have far-reaching economic consequences beyond the financial, reputation, and legal ramifications for an individual firm. A security breach at a financial institution can pose a substantial danger to market confidence and the nation’s financial stability.
The implications are so significant that the U.S. Director of National Intelligence has ranked cybercrime as the top national security threat, “higher than that of terrorism, espionage, and weapons of mass destruction(PwC, 2014).”Regulators around the globe are also awakening to the systemic danger posed by cyber crimes against the BFIs industry.
Metasploit and other hacker applications have made it very simple to attack vulnerable network resources. These applications chain several attacks together simultaneously taking advantage of unpatched or misconfigured systems and network devices.
According to Cisco(Cisco 2010 Annual Security Report, 2010), one new threat vector IT security must worry about is mobile devices. With the rapid proliferation of tablets, smartphones, and netbooks hackers have begun finding ways to exploit these devices which exist outside of the network yet have access to sensitive corporate data. Global Head of the fraud prevention division at Kaspersky Lab Mr. Ross Hogan (Hogan, 2015) said: “We’re a decade into mobile access to sensitive information and fraudsters have tricks up their sleeves.”
Mobile devices are getting more powerful and user-friendly so that people are storing more sensitive data on them, and one very right practice is that no one has security on these devices. This puts people at significant risk, and it shows a mobile landslide. More than 3.73 million strains of malware target mobile devices today, many of them Trojans like Svpeng(Ablon, 2015).
Most target the Android mobile operating system points out Lillian Ablon, who is a researcher at the Rand Corporation in Santa Monica. The two main attack vectors are through fraudulent text messages and malicious apps in Google Play, she said. Hackers focus on Android because Apple’s walled-garden approach is hard to get malicious apps through and because Android has a higher market share.
If anyone is an actor who wants to go after a system, s/he will play the probability game and go after what there’s more of in the world. The goal of these actors in the black markets is to make money for the least amount of effort with the highest probability of success. That means going after the weakest systems and those that have the largest market share.
Today, with most of a BFI sensitive information being stored electronically, more systems and databases in use, and the Internet—and subsequently mobile computing—exponentially growing data transmissions, it’s never been easier for sensitive information to fall into the wrong hands. Beyond protecting data, such as customer records, clearing and trading information, or confidential documents, BFI has the strong challenge of safeguarding their systems and networks as well as the financial assets they hold.
That means the banking and financial industries face a more significant number of threats than most other sectors. The recent scam of Bank of Bangladesh 100-million scam is one of the most dangerous and high-value cyber-attack in BFIs. The cyberterrorism needs to be combated with the assistance among different stakeholders with BFIs. Some of the most significant challenges of attacks that BFIs are facing are given below (Lockheed Martin Corporation, 2015):
Advanced Persistent Threats (APT) APTs use undetected, continuous computer hacking processes to gain access to a high-value organization’s network. Phishing emails or other tricks to fool employees into downloading malware are a common practice. When the unauthorized person gains access, they often go undetected for an extended period—quietly stealing data, committing fraud, destroying an institution’s economic stability or undermining its reputation.
- Insider and Internal Threats. Any employee, contractor, supplier, or business partner who has authorized yet uncontrolled access to systems and sensitive information all have the opportunity to do permanent harm to a company. This threat has grown more substantial by the increased use of personal devices in the workplace, personal email, and cloud-based and USB storage devices. Intentionally or unintentionally, insiders can undermine systems, open them to malicious intrusion, and engage in fraud, theft, or market manipulation.
- Denial of Service Attacks. These threats are defined as “any attack intended to compromise the availability of networks and systems” and are of concern to financial corporations operating consumer facing websites or trading systems. Such attacks flood a network with phony connection requests, making it unavailable to process legitimate user requests.
- Account Takeovers. Cyber criminals have quickly discovered how to exploit financial and market systems that interface with the Internet. Operating system users, rather than the systems themselves, earn criminals access to existing bank or credit card accounts or financial systems and allow them to carry out unauthorized transactions.
- Third-Party-Payment Processor Breaches. Sophisticated cyber criminals are also targeting the computer networks of large payment processors, resulting in the loss of a huge sum of money and the compromise of personal information of millions of individuals or banks.
- Supply Chain Infiltration. In recent years, trusted suppliers of technical, computer and security equipment, software and hardware have been targeted by cybercriminals seeking to gain physical and functional access to financial institutions. Cyber criminals are continuously devising new ways to infiltrate financial institutions, from posing as vendor employees to delivering infected equipment. Some recent attacks involved hardware installed in bank branch systems to enable transactions to be manipulated via mobile networks.
- Mobile Banking Breaches. Meeting customer demands for greater mobile banking capability has opened financial institutions up to another cyber threat. Cyber criminals have quickly figured out how to exploit the vulnerabilities in mobile technology by using malicious websites, text messages, or mobile applications to gain access to a user’s credentials and account information.
- Payment Card Skimming. A skimmer fitted to the outside or inside of an ATM or supermarkets enables a criminal to collect card numbers and personal identification number (PIN) codes. The stolen data is usually sold or used to make fake cards to withdraw money from the compromised accounts. As companies continue to roll out—and consumers embrace—new electronic, wireless payment systems, criminals are quickly adapting. Hackers have already designed Bluetooth-enabled wireless skimmers to download data when in range of the wireless network instantly.
Attackers and defenders are continually playing cat and mouse game. Defenders try to stay ahead of attackers’ methods, and attackers are always coming up with new ways to strike. This back and forth will only continue. An employee will also continue to be the weak link. No matter how secure a network, device, system, or organization is from a technical point of view, an internal employee can often be exploited, manipulated, and taken advantage of.
However, people and businesses can take steps to better protect themselves against cyber-attacks. To see where they are vulnerable and where to focus security efforts, organizations should undergo a penetration test (or “pen test”) of their networks and systems. The BFI that conduct pen testing often also provide physical assessments to determine where the weak spots are in terms of building security.
Organizations should be ready to respond to a cyber-attack and have a remediation and resilience plan in place. No one should be blind-sided. The accepted general wisdom is that it’s a matter of when, not if, an attack will occur. Although cyber adversaries’ capabilities are at an all-time high, combating this challenge is a top priority of the BFIs and the entire government and law enforcement agencies.
There should be a partnership among all the stakeholders to combating such an act of cyber crimes within the industry, academia, law enforcement agencies, and across all of government will also lead to a dramatic improvement in the ability to combat this threat.
Author: Debesh Pd Lohani
Ablon, L. (2015, October 19). The Cipher Brief. Retrieved from https://www.thecipherbrief.com: https://www.thecipherbrief.com/article/social-engineering
Basel Committee on Banking Supervision. (2013). Principles for useful risk data aggregation and risk reporting. Basel, Switzerland: Bank for International Settlements (BIS).
Cisco 2010 Annual Security Report. (2010). Cisco 2010 Annual Security Report. Retrieved from Cisco 2010 Annual Security Report: http://www.cisco.com/c/dam/en/us/products/collateral/security/security_annual_report_2010.pdf
Hogan, R. (2015, July). http://usa.kaspersky.com/about-us/press-center/press-releases/2015/kaspersky-lab-financial-fraud-report-threat-businesses-would-pr. Retrieved from Financial Fraud: The Impact on Corporate Spend: http://usa.kaspersky.com/about-us/press-center/press-releases/2015/kaspersky-lab-financial-fraud-report-threat-businesses-would-pr
Lockheed Martin Corporation. (2015). Combatting the Biggest Cyber Threats to the Financial Services Industry. Bethesda: Lockheed Martin Corporation.
PwC. (2014, July 27). Threats to the Financial Services Sector. Retrieved from Combatting the Biggest Cyber Threats to the Financial Services Industry: https://www.pwc.com/en_GX/gx/financial-services/publications/assets/pwc-gecs-2014-threats-to-thefinancial-services-sector.pdf