Sunday Times: Is Online Banking Really Secure?

Quoted in this weekend's Sunday Times on the issues banks face in tackling cyber gangs.

Is online banking really secure?

With evident online security loopholes and hackers growing evermore adept at cyber safe-cracking, can the future of banking be secure?

When Tesco Bank fell victim to a cyber breach, hackers were quick to boast on the dark web about it being a cash cow and how they were cashing out £1,000 each week without anyone noticing.

Quite clearly, banks understand the imminent threat such events pose for their businesses. Yet they continue to happen – week in, week out.

What specific threats are considered “the norm” within the finance sector and how must banks respond if they are to have a secure future?

“In the past, the risk for thieves was often higher than the potential reward, but this has been turned on its head,” says Nigel Bolt, vice president and UK and Ireland country manager at Intel Security. The barrier to entry for cyber criminals is extremely low and, with the kind of cybercrime-as-a-service tools that can be used to rob a bank available online at low cost, almost anyone can try their hand at it.

“Today a bank’s biggest asset is not just the money it holds,” Mr Bolt warns, “but the data of its customers.” And it’s this data that is often the target of the online attacker, which is hardly surprising given that bank and debit card data for “live” accounts, where no theft has yet been reported, can fetch more than £100 a pop within the criminal underworld.

There is big money to be made, with the Intel 2016 Data Protection Benchmark Study revealing there are between 21 and 30 data loss incidents every day across the UK financial services industry alone.

When it comes to threat specifics, phishing is at the top of the banking danger list. This insider threat is exploited by the phishing tactics of criminals and terrorists alike. Alicia Kearns, director at Global Influence, warns that increasingly cyber terrorism is taking the form of spear phishing attacks against banks and financial services.

These target specific individuals, often using social media accounts and postings to gather intelligence to use in gaining the confidence of the employee. The win? “Sensitive data and cash,” says Ms Kearns. “Despite the disparity between the size and structure of different banks, they all have one shared weakness – their employees.”

Andersen Cheng, chief executive of Post-Quantum, explains that often the immediate victims of phishing are not even the ultimate target, but instead form the easiest route into an organisation. Serious criminals will take weeks or even months to plan and execute their attacks, he says.

“It’s a fact of life that with greater digitalisation there also comes greater risk,” says Martin Day, managing director of corporate and professional qualifications at the London Institute of Banking and Finance. While the nature of the threat may change, Mr Day concludes: “We must ensure that those working in the banks are equipped with the professional skills to anticipate these risks and act accordingly with the highest of ethical standards in mind.”