By Chris Pogue, Head of Strategic Alliances, Nuix
When we think of bank robbers, our mind probably gravitates towards a certain kind of criminal. We perhaps think of the masked robbers, wearing a black and white striped shirt, black beanie, black trousers. Indeed, if you search Google for images of a bank robber, you will see this masked villain carrying a bag of cash over their shoulder tiptoeing out the door.
This form of robbery in many ways made a lot of sense, as banks were predominately where the money was, but in our digital age, the modern criminal can steal vast quantities of money armed with little more than a laptop and an internet connection. The cybertheft market is now believed to be worth in excess of a trillion dollars globally, and the prevalence has encouraged not only organised crime groups to enter the fray but also rogue nation-states. Who can forget, for instance, the cyberattack widely linked to the North Korean state on Bangladesh’s central bank in 2016 that saw the criminals make off with over $100 million?
It’s the type of crime that was popularised in the Netflix series Money Heist, in which a criminal gang targeted the Spanish Royal Mint to illegally print a few billion Euros worth of untraceable notes. It sounds like the stuff of Hollywood imagination, but a few years before the show aired the Carbanak hacking group compromised the IT systems of a hundred banks across 40 countries, making off with around a billion dollars in the process.
“Why bother with guns, hostages, and getaway headaches when you could steal as much or more from the comfort (and safety) of your sofa?” writes Gottfried Leibbrandt and Natasha de Teran in their recent book The Pay Off. These types of crimes are safer, more lucrative, and thanks to the challenges with attribution, apprehension and prosecution of computer-based crimes, a criminal’s odds of getting caught and spending time in jail are orders of magnitude less.
A new wave of attacks
This evolution in financial crime was underlined by a recent report from BAE Systems and Swift, which highlighted “ATM cash-outs”, which are a form of ATM hacking that allows huge quantities of banknotes to be released. It’s an approach that has been mastered by the BeagleBoyz crime group, who are themselves widely linked to North Korea. In the past few years, they have been responsible for a huge number of attacks that collectively have tried to steal around $2 billion.
These attacks are highly coordinated to overcome the inherent limitations on the amount of cash each individual machine can dispense, with some of the more ambitious attacks targeting cash machines in dozens of countries simultaneously. Indeed, the report highlights a recent attack that was conducted in 28 countries across just two hours, with a total of 12,000 withdrawals made in that timeframe.
As more and more of our payments are made digitally, these payment systems are also a highly lucrative target for attack. For instance, way back in 2013, we saw the retailer Target hacked, with criminals making off with the credit and debit card details of 40 million customers.
Phishing attacks have also been on the rise in recent years, and while we often associate these attacks with attempts to elicit vital information from individual customers, there has also been a surge in so-called “executive whaling” in recent years. This involves criminals sending fraudulent communications that appear as though they have come from the CEO or other senior individual to deceive employees into making large payments.
The COVID-19 crisis has also seen an increasing willingness to target insiders to gain access to critical value information. Indeed, an investigation by The Economist recently found that cybercriminals were offering up to eight-figure sums to tempt employees at Wells Fargo, Bank of America, and JPMorgan Chase to authorize illegal and fraudulent wire transfers.
All of which should be of considerable concern for financial services companies, especially given the significant growth in digital-only banking in recent years. Indeed, a recent study from Nanyang Technological University, Singapore highlights how poor cybersecurity may be significantly undermining the faith of consumers in digital banking.
Cyber threats have become one of the most pressing concerns across the financial services sector globally. There is a need not only for cyber resilience at the firm level but also at the sector level. A sector-level approach is essential as while large firms tend to have relatively robust cyber resilience, there are clear vulnerabilities in the supply chain with out-of-date infrastructure (broken window theory on full display) – a particularly attractive vulnerability to cybercriminals.
Despite this, there remains a consensus that spending on cybersecurity is insufficient, with the majority of what is spent being invested in protection rather than in areas such as detection, response, and recovery.
So, what can you do to ensure that your own organisations don’t fall foul of cyberattacks? The first thing is to ensure that it’s an issue that is taken seriously. This means not only that cybersecurity is baked into everything that you do as an organisation, but that training, risk assessment, and incident responses are devised for you and for your whole supply chain.
You can rest assured that cyber criminals, who are becoming more specialised and professional, are devoting considerable resources to breaking into your organisation, so it’s vital that similar rigour is applied to keeping them out, detecting them as quickly as possible when your prevention strategies fail and recovering from successful attacks.
Digital finance is here to stay, so it’s beholden on the financial services companies to get their house in order with regards to providing the kind of security that customers are demanding. Positively, the need to act is clearly recognised across the industry, so now the key is to ensure that concern translates into meaningful actions.