Financial institutions can thwart intrusions with a two-pronged strategy of brute-force work and cutting-edge tools.
A robber goes into a bank with a note and steals a few thousand dollars. An insurance company covers the loss and business goes on as usual. A hacker goes into a bank with a malicious script, and it’s a completely different story. The loss could total tens of millions of dollars and the bank could go out of business.
The financial services industry was attacked more than any other industry in 2016–65% more than the average organization
Indeed, Gottfried Leibbrandt, CEO of the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, warned last year that hackers could soon bring down a very large financial institution. Speaking to the European Financial Services Conference in Brussels, he said recent cyberattacks on banks in Bangladesh, Vietnam, and Ecuador are just the beginning. “Banks that are compromised like this can be put out of business,” he noted. “In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been.”
If hackers don’t bring down a bank, it won’t be for lack of trying. The financial services industry was attacked more than any other industry in 2016–65% more than the average organization — and the hit from a successful attack can be huge. In 2015, in one of the biggest cyberheists in history, hackers transferred $81 million out of the Bangladesh central bank’s New York Fed account to a bank account in the Philippines. They then withdrew it and laundered it through a local casino in an all-night baccarat binge. Bangladesh recovered $15 million. The rest, like the hackers, vanished.
“I liken security to football. When you watch a football game, you notice the jaw-dropping plays. But the teams that win are the ones that are really good at blocking and tackling.
— Justin Smith, Chief Security Officer, Pivotal
The financial industry is fighting back — with money of their own. The US banking industry’s cybersecurity spending is now the largest and fastest-growing in the private sector, predicted to reach $68 billion by 2020. JPMorgan Chase, Bank of America, Citigroup, and Wells Fargo spend $1.5 billion annually combined.
But, to stop hackers, it’s vital that this money be spent strategically. “Our problem is when you set a mousetrap, they build a better mouse,” said Jean-Francois Legault, global head of cybersecurity operations at JP Morgan. Shiny new security technologies are attractive — and often effective — but to defend themselves successfully, banks must deploy a two-pronged approach. They should implement next-generation techs, yes, but they should also work on their fundamentals.
“I liken security to football,” says Justin Smith, Pivotal’s chief security officer. “When you watch a football game, you notice the jaw-dropping plays. But the teams that win are the ones that are really good at blocking and tackling.”
The same goes for cybersecurity. If a bank is not good at the basics, then all the cutting-edge tech in the world could be for naught. Case in point: JPMorgan Chase spent $250 million on cybersecurity in 2014; that same year, it suffered the largest breach ever of an American bank — a breach that might have been stopped if Chase had installed a basic security patch to an overlooked server.
For a long time, financial institutions neglected grunt work like fixing misconfigured and out-of-date software. And, not surprisingly, hackers pounced. Banks were taking months to update their software and hackers used that window to exploit known vulnerabilities in code. Lately, banks are doing better. They’re revamping their process to shorten the time from when a patch is made available to when it’s put into their systems. “Challenging every delay and making that a key performance indicator is really important,” Smith says. “You want to shrink delays down to almost zero.”
Automation can help here. That same technology that’s been updating your laptop and phone software for years is now being deployed by financial institutions. Another basic step banks can take is information sharing. It doesn’t sound revolutionary, because it’s not. But for years it has been resisted. What bank wants to admit a breach? Now, though, financial institutions are recognizing that, with proper privacy rules in place, the same sharing that speeds the evolution of hacking techniques — cyberthieves share methodologies, knowledge, tools, what works and what doesn’t — can bolster bank defenses.
“If banks can start to safely share information among themselves, that’s a game-changer,” Smith says. “If you can get some kind of crowd effect of anomalous behavior, you can actually detect risks and threats a lot faster.”
The Next Frontiers in Cyber Defense
Now we get to those cutting-edge cyber defenses. Machine learning can crunch masses of data to find patterns and fingerprints in a blizzard of attempted intrusions (Bank of Canada, for example, fends off one million cyberattacks per day) and that information can power an effective response.
“At banks a lot of personal information gets captured in log files,” Smith says. “You have terabytes of this data in repositories and, if it leaks out, that’s a very serious issue. But by applying machine learning to those log files, you can see if there is something there that shouldn’t be there. You can put alerts on logs, then go in and mask that data. Machine learning shows tremendous promise there.”
“You need to be ready to respond to multiple lines of attack with multiple lines of defense”
— Gottfried Leibbrandt, CEO of the Society for Worldwide Interbank Financial Telecommunication
Also showing a lot of promise for cybersecurity is behavioral recognition. Financial companies have recognized that biometrics aren’t foolproof and that fingerprints can be stolen. So they’re moving to the next step in cybersecurity: behavioral recognition.
National Westminster Bank in London tracks every move customers make on its website or mobile app — from amount of pressure a particular customer applies when he taps on his iPhone screen to the number of typos he tends to make. Basically, the bank is looking for behavior that doesn’t match past actions and watching for clues that users are not who they purport to be. IDC predicts that in 2017, behavioral analytics across compliance, fraud, and cyber detection and prevention will be in place at 15% of banks, helping them to avoid losses, regulatory fines, and sanctions.
Blockchain software is another emerging tool to fight cybercrime. Blockchain software can lead to delays in transaction times and frustration among customers, but it has the potential to eliminate online bank fraud in 100% of the transactions that occur on the chain by providing complete transaction history and security to all members of the chain. Even if a hacker is able to penetrate a network, blockchain ensures there are backup copies of the same record stored in another part of the world. But the technology remains in early stages of execution in the banking industry, and there are likely points of weakness yet to be discovered.
In May, SWIFT unveiled a new ecosystem approach to security. “Protecting individual perimeters is no longer the best cybersecurity approach for a bank,” Leibbrandt said at the 2017 SWIFT Business Forum. “Instead, you need to be ready to respond to multiple lines of attack with multiple lines of defense. It is the same with ecosystems, such as SWIFT’s.”
Though “ecosystem” is a pervasive buzzword throughout the tech landscape, an ecosystem approach is the key to keeping financial transactions safe. Countless new doors into banking networks crack open every day as payments and currencies continue to evolve in the digital realm. Many solutions — both new and proven — must work in tandem to stop the latest mouse from making its way inside.
Change is the only constant, so individuals, institutions, and businesses must be Built to Adapt. At Pivotal, we believe change should be expected, embraced, and incorporated continuously through development and innovation, because good software is never finished.
Can Banks Stop Cyber Criminals? was originally published in Built to Adapt on Medium, where people are continuing the conversation by highlighting and responding to this story.