Of all the industries that are the subject of daily attack by virtual terrorists, financial services have devoted the most private sector money and human resources to becoming more cyber resilient - because the money at issue and stakes at hand are staggering - yet they remain among the most vulnerable to cyberattack. As an example, in late 2013 an ATM in Kiev started dispensing cash at seemingly random times of the day, even though no one had apparently inserted a card or touched a button. The scope of this attack on more than 100 banks and other financial institutions in 30 nations made it one of the largest bank thefts ever at the time, conducted without the usual signs of robbery. Investigators uncovered evidence of $300 million in theft but believe the total amount stolen could easily have been triple that.
Hackers use software that is so sophisticated that they can keep track of how much money has been stolen from each bank account in each bank, and monitor it in real time. When each customer logs on to his or her breached account, the hackers use an algorithm so that the money they have stolen appears to have been added back into the account -- the account holder never knows that any money has actually been stolen. Purchases made by cybercriminals with a stolen credit or debit card are automatically struck from the ‘recent transactions’ list on online statements before they appear on a customer’s screen. Even the PDF copies of banking and credit card transactions sent to a customer’s printer can be modified before they come up on the screen.
Cyber criminals know the toll-free numbers of financial institutions all over the world. If your phone number is infected with malware, once you dial your bank’s customer service number, the rootkit detects that one of its targeted institutions is being phoned, and it intercepts and reroutes the call. Your call is then silently and invisibly rerouted to a call center operated by international organized crime. Given the broad use of foreign call centers by financial institutions, few people would question a foreign accent on the other end of the phone. Once you are connected, you are typically asked for your account number, mother’s maiden name, password, and other sensitive security information. Next you would be told that their computers have just gone down and they request you to call back another time.
There is a very good reason why banks have adopted the security procedures they have. One large global financial institution has reportedly experienced more than two billion such events each month, ranging from an employee receiving a malicious e-mail to user or system-generated alerts of attacks or glitches. That bank’s cybersecurity defenses filter that number down to 200,000 before a human team cuts the number down to 200 "real" events per month.
The SWIFT messaging network, with more than 11,000 user organizations, was attacked at least three times in 2016, but the real number is a mystery since many banks choose not to report breaches. The lesson of the SWIFT attacks is that because the global banking system is so heavily interconnected (just like power grids) and dependent on the trust and security of its members, more information sharing is vital. In spite of the billions of dollars spent each year by the big banks on cybersecurity, supply chain vulnerabilities are a real obstacle to making meaningful progress.
The now infamous hacking of the Bangladesh Central Bank in 2016 provides an excellent example of the challenges involved in making such progress. The Bank failed to change its SWIFT passwords between late 2015 and early February 2016, and was also not deploying two-factor authentication on the system it used to access SWIFT. The hackers used malicious software to remotely monitor routine activity at the B for weeks before they struck. The hackers had sent the New York Federal Reserve Bank fake payment orders requesting nearly $1 billion. The Fed paid out $101 million, of which $20 million was recovered after a banker in Sri Lanka spotted a typographical error. The Fed rejected some orders for formatting errors and others because the requests were picked up by a sanctions screen. The Fed subsequently stopped making payments based on the strength of SWIFT messages alone and adopted a policy of double-confirming orders from Bangladesh by phone. It was widely reported that the cyberthieves were successful in stealing $81 million from the Bank, and that the funds were subsequently routed through a variety of countries, most which was never recovered.
Clearly, more must be done from the top down and bottom up in order to help reverse the tide. Earlier this year, G20 finance chiefs agreed to fight attacks regardless of their origin, and promised cross-border cooperation to maintain financial stability. The group committed to promote resilience among financial services and institutions in G20 jurisdictions against malicious use of information and communication technologies (including from countries outside the G20), however it stopped short of making specific reference to enhanced security requirements for financial services.
If financial institutions want to get a real handle on this problem, they should form their own multilateral cybersecurity organization, financed and run by its members. Individual institutions can and should continue to pour billions of dollars each year into fighting Virtual Terrorism, but the enemy is too numerous and sophisticated to stay ahead of the curve. It is only by joining together in numbers and sharing information liberally that the surging tide may hope to be reversed. The time to do that is right now.
*Daniel Wagner is author of the new book “Virtual Terror”, founder of Country Risk Solutions, and Managing Director of Risk Cooperative.