By: Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto
Cyber criminals have been known to attempt to infiltrate our systems since the early 1980s. Banking and financial data in particular is frequently sought after by hackers and similar looters, which accounts for highly targeted and sophisticated cyber heists across the globe. In the Bangladesh Central Bank robbery, unknown hackers breached the bank's computer systems and got away with $81 million while attempting to steal $951 million from its account at the Federal Reserve Bank of New York. The incident exposed very serious flaws in security and confirmed that our financial infrastructures remain vulnerable because security is not completely deployed.
What follows such a breach is the obvious monetary loss, combined with the cost of notifying data subjects, investigation and breach control. The organizations involved may also face lawsuits and penalties. However, the most severe ramification is the damage to customers' trust and the corporate brand, and the decline in share value.
Inadequacies leading to cyber breaches
Technological advances over the last decade or so have completely changed the way we use, store and transfer data. With the growing use of the internet, higher adoption of smart devices, and increased adoption of cloud, we are becoming increasingly vulnerable to security threats such as data breaches, identity theft and fraudulent transactions. Banking and financial services are also becoming increasingly digitised, and private information such as credit card details, ATM PINs and account authentication details is stored and processed digitally, which gives hackers more vulnerable entry points.
Here are some of the most common methods used by hackers for cyber breaches:
Trojan horse program: Using this program, the intruders trick you into installing a "back door" through which they can penetrate the system. In the case of the Bangladesh Central Bank heist, the hackers installed some type of malware (possibly a Remote Access Trojan – RAT) in its computer systems a few weeks before the incident and observed how money was withdrawn from its United States account.
Denial-of-service (DoS) attack: A DoS attack is when the target computer is made to crash, or to become so busy processing data that you are unable to access it.
Cross-site scripting: A malicious script is attached to something sent to a web site, such as a URL, exposing the web browser.
Phishing: Phishing attacks could either be in the form of an email from a trusted source asking for personal information such as passwords, bank details, personal details, or it could mimic an existing website or webpage and trick a user into entering confidential information on the page.
Tapping unprotected computer networks
As many as 534 phishing incidents were reported last year, of which 342 involved phishing websites hosted outside India, according to data provided by the Indian Computer Emergency Response Team (CERT-In) [1]. In a different case, Russian banks lost more than US$25 million over a period of six months in 2015 to a hacker group that infected their computers using tainted phishing emails, according to Russian security firm Group IB [2].
Similar to the recent Bangladesh bank incident, British banks lost around £650 million in 2015 after hackers managed to infiltrate the banks' internal computer systems using malware and injecting a virus, thereby infecting networks in more than 100 financial institutions worldwide [3].
Another glaring loophole is organizations' failure to evolve along with the technology. Gone are the days when cyber security was considered an added advantage or an option. Preventive measures are a necessity for the smooth functioning of any business. A thorough organization will use multiple layers of security on multiple fronts to block every combination of attack. Many organizations leave confidential data such as bank records and passwords without encryption or proper security, making it vulnerable to hacking. Hackers may have had complete access to Bangladesh Central Bank's database to know which major projects in the country were waiting for finances. The authentication credentials database should be stored confidentially.
Best practices to ensure data security at different levels
Strong authentication and authorization: Strong multi-factor authentication adds a layer of identity verification to existing username and password combinations. Using One Time Passwords (OTP) or challenge-response authentication, organizations can implement effective security mechanisms. When multi-factor authentication is used with the corresponding keys safeguarded in FIPS-certified cryptographic modules, the keys become impossible for any external hacker or unauthorized insider to steal. This measure can be furthered by implementing multi-level authentication over access to accounts, so that more than one person is required to approve any transaction.
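As an added illustration of the practice above (not code from the author or from any vendor product), the sketch below combines counter-based one-time passwords as specified in RFC 4226 (HOTP) with a rule that two distinct officers must each present a valid, unused OTP before a transfer is released. The `Approver` class, `approve_transfer` function, officer names and the second secret are hypothetical; in production the OTP secrets would be held in a cryptographic module rather than in process memory.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Approver:
    """Server-side record for one officer's token (hypothetical structure)."""
    def __init__(self, name: str, secret: bytes):
        # Assumption: held in memory only for this example.
        self.name, self.secret, self.counter = name, secret, 0

    def verify(self, otp: str, window: int = 3) -> bool:
        # Accept a small look-ahead window, then move the counter past the
        # matched value so the same code cannot be replayed.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False

def approve_transfer(approvals, required: int = 2) -> bool:
    """approvals: list of (Approver, otp) pairs. Release the transfer only if
    `required` distinct officers each present a valid, unused OTP."""
    ok = set()
    for approver, otp in approvals:
        if approver.name not in ok and approver.verify(otp):
            ok.add(approver.name)
    return len(ok) >= required

if __name__ == "__main__":
    # Constructed sample data: the RFC 4226 test secret and a made-up one.
    alice = Approver("alice", b"12345678901234567890")
    bob = Approver("bob", b"constructed-secret-for-bob")
    print(approve_transfer([(alice, hotp(alice.secret, 0)), (bob, hotp(bob.secret, 0))]))
    print(alice.verify(hotp(alice.secret, 0)))  # replay of a used code is rejected
```
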
Ensuring data confidentiality: By classifying and encrypting sensitive data at rest in the organization's data centers, malicious programs such as Trojans can be prevented from propagating, collecting sensitive information and sending it out of the system. Opting for world-class solutions for safeguarding sensitive information can ensure:
- Confidentiality of sensitive data by encrypting it
- Security of the keys responsible for data encryption
- Granular access control that grants data on a need-to-know basis
- Use of multi-factor authentication to access sensitive information
- Efficient management of the keys based on defined policies
- Additional layers of security, such as tokenization and secure key exchange for communication, over and above data encryption
- Encryption that not only prevents a breach effectively but will also 'Secure the Breach' in case it happens
Ensuring data integrity: Data integrity can be accomplished by encrypting the transaction details so that the data cannot be analyzed by middlemen while it is in transit. Digitally signing the transaction also allows its authenticity to be verified at the other end. The signing keys should be stored in a tamper-resistant cryptographic device such as a Hardware Security Module (HSM). HSM-based public key infrastructure (PKI) generates a unique key for each and every session.
Regular auditing and reporting: 80 percent of Indian banks are susceptible to security threats because they do not maintain their databases safely. RBI has issued guidelines (prepared by the Working Group formed under the chairmanship of G Gopalakrishna) for the Indian banking industry on information technology (IT) governance, information security, and cyber fraud, which lay out clear measures for the effectiveness of IT controls. New sets of security challenges do follow growth in technology, but with regular checks on methods and transactions, smooth functioning can be ensured.
Increased connectivity comes with its own set of risks. The potential for exposure of sensitive, confidential and legally protected data has increased, making financial systems vulnerable targets for malware, hacking, spyware, and performance-corrupting activity. In an era of increased vulnerability, viewing security as a single layer is no longer sufficient. Because confidential data passes through different layers, securing it at every level is crucial. Sensitizing consumers will improve reporting and help the industry become more resilient to threats and breaches. It is also very important for financial institutions to equip themselves as necessary in response to changes in the technological and threat environments.