On February 15, the Council of the European Union approved a package of risk reduction measures for the banking sector, including principles for the sustainable regulation and supervision of banking institutions. According to Eugen Teodorovici, Romania’s Minister of Finance and chairperson of the Council this year, these measures aim to guarantee that the banking sector holds sufficient capital for reliable lending to individuals and businesses. Once the legal and linguistic details are finalised, the package is expected to be approved by the European Parliament, which should reduce turbulence in the industry.
Lack of industry-specific measures
However, these measures are no cure-all: the package only sets the framework, and it does not eliminate industry-specific risks, cyber risk included. In May 2018, the European Central Bank presented its standard for assessing the financial sector’s resilience to cyber-attacks. The procedure simulates the consequences of an attack on the critical systems of the EU banking industry. The ECB’s move was a response to a number of major cyber incidents, including an attack involving the SWIFT system and attacks on the mobile services of the three largest banks in the Netherlands.
This set of measures also includes working with “red teams”, groups of cybersecurity experts who conduct resilience testing on the systems used by companies in the financial sector. Notably, TIBER-EU (the European Framework for Threat Intelligence-based Ethical Red Teaming) is the first framework for this kind of testing that covers the whole of Europe, and the new approach is expected to take the protection of the financial sector to a new level.
At the same time, it is obvious that the adoption of general principles and standards, let alone non-binding ones, cannot be equated with their actual effect. There is always a time lag between the creation of a project and its implementation, and for large-scale initiatives like TIBER-EU that lag can exceed a year. The ECB, for example, took more than half a year just to publish, in December 2018, the revisions to the standards adopted in May.
The American company ThreatMetrix, which specialises in online fraud prevention and in improving the customer experience for businesses, notes that cyber security in the banking sector has made a dramatic step forward over the past decade thanks to the rapid development and adoption of technological innovations in the industry.
Nevertheless, it would be inappropriate to rest on these laurels, for several reasons. A number of threats in cyberspace promise to remain relevant throughout 2019. For example, according to the report Cyber Threats to Financial Institutions in 2019: Review and Forecasts by Kaspersky Lab, one of the anti-virus market leaders, more supply-chain attacks are expected this year, aimed at gaining access to the data of large financial institutions through the relatively small companies that supply them with software and other services. Traditional cybercrime against banks will remain, though experts predict a shift in focus from points of sale towards systems that accept online payments.
Social engineering is also among the threats cited by the authors of the report, which acknowledges it as another common tool for fraudsters. Using leaked data, cybercriminals seek to obtain the information needed to move funds, and the transfers themselves are carried out through ordinary bank employees and customers, whose credulity can leave banks exposed.
“We have seen a dramatic rise in social engineering attacks, a more analogue approach to hit the banks where it hurts, and as a result customers have now become the new weakest point,” said Mike Nathan, senior director of ThreatMetrix for EMEA. “The UK was the initial target, but they have now begun to move to mainland Europe for easier pickings; UK customers are becoming more aware of these scams,” the expert added.
In this regard, Russia also keeps a close eye on the social engineering tools coming into the hands of banking fraudsters, and is actively discussing ways to counter them. On the margins of the Russian Investment Forum held last week in Sochi, representatives of several of the country’s banks highlighted this threat.
“The upsurge in social engineering is noticed by all banks: compared to 2017, the number of such cases increased by 15-20% in 2018. On average, the scale of fraudulent operations via social engineering is small, but because there are many such customers, the total amounts are large,” said Stanislav Pavlunin, Vice-President and Director of Security at Pochta Bank.
The importance of banks’ involvement in protecting clients from this form of cybercrime is also recognised by Credit Bank of Moscow, one of the three largest private banks in Russia. According to the bank’s Director for Information Security, Vyacheslav Kasimov, the reported 20% increase is nothing more than a natural fluctuation, which, however, does not make the threat any less relevant. “However, given that such fraud does not involve an outright ‘theft’ of a client’s phone number and does not constitute a high-tech crime, social engineering can always be deflected by fraud monitoring, and it really works,” Kasimov said.
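Kasimov’s point that social engineering fraud yields to fraud monitoring can be made concrete with a small rule set over outgoing transfers. The following is an added illustration and not code from Credit Bank of Moscow, Pochta Bank or any other institution named here; the customer profile, the transactions, the rule weights, the hold threshold and the 30-minute “call from the bank’s number” window are all constructed assumptions chosen for the example.

```python
"""Illustrative rule-based fraud monitor for social-engineering-driven transfers.

Added example only: not any bank's real system. Every profile, transaction,
weight and threshold below is constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

HOLD_THRESHOLD = 5                    # assumed: score at or above this holds the transfer
CALL_WINDOW = timedelta(minutes=30)   # assumed: a "bank" call this recently is suspicious


@dataclass
class Profile:
    """What the bank already knows about the customer (constructed)."""
    customer_id: str
    known_payees: Set[str]
    typical_max_amount: float   # largest routine transfer seen so far
    balance: float


@dataclass
class Transfer:
    customer_id: str
    ts: datetime
    amount: float
    payee: str
    # Time of the most recent inbound call to the customer that displayed the
    # bank's own number (assumed data source: customer report or telco feed).
    last_inbound_bank_call: Optional[datetime] = None


def score_transfer(t: Transfer, p: Profile) -> Tuple[int, List[str]]:
    """Return an integer risk score and the list of rules that fired."""
    score, reasons = 0, []
    if t.payee not in p.known_payees:
        score += 2
        reasons.append("new payee")
    if t.amount > 3 * p.typical_max_amount:
        score += 2
        reasons.append("amount >3x routine maximum")
    if p.balance > 0 and t.amount >= 0.9 * p.balance:
        score += 3
        reasons.append("near-total balance drain")
    if (t.last_inbound_bank_call is not None
            and timedelta(0) <= t.ts - t.last_inbound_bank_call <= CALL_WINDOW):
        score += 3
        reasons.append("transfer shortly after a call showing the bank's number")
    return score, reasons


def decide(t: Transfer, p: Profile) -> str:
    """'hold' means: suspend the transfer and call the customer back on the
    number in the bank's own records, never on the number that called them."""
    score, _ = score_transfer(t, p)
    return "hold" if score >= HOLD_THRESHOLD else "release"


# Constructed sample data.
PROFILE = Profile("c-001", {"landlord", "utility-co"},
                  typical_max_amount=300.0, balance=4200.0)
T0 = datetime(2019, 2, 14, 10, 0)

ROUTINE = Transfer("c-001", T0, 280.0, "landlord")
# Typical social-engineering pattern: a call showing the bank's number, then a
# previously unseen "safe account" receives almost the whole balance.
SCAM = Transfer("c-001", T0 + timedelta(minutes=12), 4000.0, "safe-account-ltd",
                last_inbound_bank_call=T0)
# A new payee alone, with a small amount and no preceding call, is not enough to hold.
SMALL_NEW = Transfer("c-001", T0, 150.0, "florist")

if __name__ == "__main__":
    for name, t in (("routine", ROUTINE), ("scam", SCAM), ("small_new", SMALL_NEW)):
        score, reasons = score_transfer(t, PROFILE)
        print(f"{name}: score={score} decision={decide(t, PROFILE)} reasons={reasons}")
```

The rules are deliberately low-tech, matching the point that this fraud is not high-tech: the signal is the combination of an unfamiliar payee, an unusual amount and the timing relative to a call that appeared to come from the bank, not anything about the payment channel itself. The callback in `decide` must go to a number the bank already holds, since the whole scam rests on the customer trusting the number that displayed on the incoming call.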
Sberbank of Russia added to the discussion too. Earlier, the bank’s clients had reported on social networks that they had fallen prey to fraudsters calling from Sberbank’s own numbers. Although the bank had not confirmed any mass calls by fraudsters on its behalf, Sberbank asked Roskomnadzor (the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications) to check the websites that offer services for changing the phone number displayed when calling or sending SMS messages. The announcement was made by Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, on the sidelines of the Sochi Investment Forum.
In their own hands
Whatever strategy banks choose to ensure their cyber security, whether defensive (setting barriers directly on the approaches to the bank’s funds and depositors) or more offensive (such as blocking the websites and servers fraudsters use as a bridgehead for attacks), the key point remains: banking institutions must be willing to take the initiative into their own hands. They must not wait for guidelines to be drawn up by national or international bodies.
Security (including the security of assets) is a condition that must be properly maintained at all times, here and now.