By Ron Condon, U.K. Bureau Chief
When it comes to information security, the financial services sector currently faces a vexing set of conflicting priorities.
Banks, brokers and insurance
At the same time, sophisticated criminal gangs are targeting financial services companies and their customers, using every kind of trick to infect client machines and steal login details.
To make matters worse, in-house security teams are much smaller than they were back in 2008, and with the economy still uncertain, there seems little chance of adding employees in the near future. Existing staff members have to work that much harder.
"Banks are focusing on doing business, sharing information with customers, even using social networking sites. Their IT initiatives are focused on making it easier to do online banking, which opens them up to new risks," said Reed Henry, head of marketing for U.S.-based system monitoring company ArcSight Inc.
"It's a perfect storm: They are opening more doors, while the threats are becoming more sophisticated," Henry said. "If the criminals target a particular firm, they will get in; it's just a question of how and when."
The threats are not all external. Banks are obliged to monitor and report on their investment staff to prevent insider trading, and they must also ensure other staff behave correctly. Monitoring technology can help catch dishonest call centre staff, for instance, but insider trading is harder to block.
"Technically, it is impossible to control; you'd have to put all the pubs in London under surveillance," said Bruno Piers de Raveschoot, European head of Actimize Inc., which specialises in fraud prevention.
He added that fraud in investment banks is quite rare, but it is huge when it happens: Incidents involving rogue trader Nick Leeson at Barings Bank, and Jerome Kerviel at Societe Generale, both of whom cost their companies vast sums, come to mind.
In retail banks, by contrast, fraud happens much more often but involves smaller amounts. "The numbers are terrifying," he said. "It ranges from people taking small cash to pay for their lunch, to people stealing clients' identities and selling the details to outsiders."
Research carried out by Actimize shows the fraud problem has been exacerbated by the recession. In late 2009, the company surveyed finance companies in the U.S., Europe and elsewhere, and compared the results with the findings of a similar study conducted in 2007.
Results showed that internal staff was more likely to commit fraud or steal information as a result of the recession. Greed and employee financial distress were cited as major motivators of employee fraud.
Although call centre workers and temporary staff are traditionally seen as security risks, the survey showed that full-time staff members now pose the biggest risks because they typically have access to more valuable information and processes and are monitored less closely than non-full-time employees. IT staff are also considered high-risk because they have privileged access to information.
The Actimize survey noted that confidence in companies' abilities to prevent fraud had fallen while the financial industry has deployed more sophisticated tools to detect employee fraud: "The combination suggests that as firms have better insight into the problem, they are discovering that employee fraud is larger than initially anticipated."
The Financial Services Authority (FSA) has long recognised the dangers of poor information security, and has already taken some famous scalps in recent years from companies that have lost data. The biggest came last July when the FSA fined HSBC Holdings more than £3 million following a series of data breaches at three of its subsidiary companies in 2007 and 2008.
Despite the headlines, the FSA believes more is needed to encourage banks to protect their data. In March, it introduced a new system for calculating fines, which could double or even triple the fines payable in some cases. It means that companies could now be fined up to 20% of relevant income, and individuals up to 40% of their total salary and benefits (including bonuses) for regulatory breaches. Serious market abuse cases against individuals, such as insider trading, will attract a minimum penalty of £100,000.
Financial services sector taking strides against information security challenges
Companies operating in the financial services sector are working to improve financial security by reducing the likelihood of a data breach or any other event (such as insider trading) that could land a finance company in trouble.
David Cowan, head of infrastructure and security for London-based consultancy Plan-Net plc, said: "In the last year, we have had lots of demands for independent reviews from the financial services sector, as specified by the FSA."
In general, Cowan said the banks have "good security plumbing" in place -- firewalls, antivirus, resilience and secure application development -- but they still lag in terms of training and awareness, and the application of standards such as ISO 27001.
"In many respects the banks are well locked down, but they are not up to speed with the business side of security," Cowan said. "When it comes to HR induction, managing starters and leavers, and security policies, training and awareness, they are not so good."
"Financial services companies are under pressure, and training can be neglected. If you have a good information security management system, then it is harder to circumvent processes," Cowan said.
Endpoint security continues to be a struggle for financial services sector
One of the biggest headaches related to financial services sector security is customer insecurity. New figures from the U.K. Cards Association Ltd, which handles inter-bank payments, show that online banking losses totalled £59.7 million in 2009, a 14% rise from the 2008 figure. There were also more than 51,000 phishing incidents recorded during 2009, up 16% from 2008.
Ironically, the banks have spent the past decade persuading people to switch to online banking because online transactions cost a fraction of those conducted over the phone or in a bank branch. The success of that movement has resulted in around 22 million people in the U.K. now regularly banking online, leaving the banks with little control over how or if customers seek to secure their online activities.
The success of banking threats such as Trojans depends largely on users failing to keep their computers properly patched and their antimalware defences up to date. Once a Trojan manages to plant itself on a user's machine, attackers just wait for the user to log on to his or her online bank account to capture login details.
According to Rik Ferguson, a solutions architect at Tokyo-based Trend Micro Inc., Trojans such as the notorious Zeus code can be hard to block and detect. "Zeus is designed to overcome traditional antimalware technologies," Ferguson said. "The bot can be repacked so it looks different every time. If your AV works by downloading new signatures every day, or even every few hours, it's not going to be enough to detect these variants.
"Once installed, Zeus uses rootkit techniques to hide itself," Ferguson continued. "It is in communication with command-and-control servers, so it can continue to update itself and continue to fly under the radar."
And as Ferguson said, Zeus can be downloaded for free or bought as part of a managed criminal service. "In underground forums, people are tending now to bundle Zeus with other services, such as hosting, configuration, management and setup. For a subscription, you can rent a hosted Zeus server and then create your own botnet. It's cybercrime as a service."
This leaves the banks in the invidious position of being liable for their customers' losses but unable to influence security on their systems. Most send out regular security warnings, and some give away antivirus software as a way of persuading customers to take security more seriously.
In a pioneering move, HSBC recently offered its online customers a free copy of Rapport, a browser-lockdown product from Trusteer Inc. that is intended to prevent session hijacking by an infected browser. In just a few weeks, more than 1 million customers have taken the free download.
Although that may help solve some problems, some people believe the financial services sector needs to move away completely from using usernames and passwords as credentials.
"I'd like to see no confidential sites requiring username and passwords," said Daniel Cuthbert, a consultant with Surrey-based security firm Corsaire Ltd. "Users still pick the same terrible passwords. You only need to go to Facebook to harvest information about a user. Where were you born? What's your mother's maiden name? All that information is on Facebook. If you want to target a user and get their account details, Facebook is the ultimate hacking playground. The moment we remove all that, and use one-time passwords, the overall security of the application will be a lot better."
He also said that some U.K. banks are already experimenting with using smartphones as a second channel to send one-time passwords to users. Measures like that may help strengthen security, but getting users to adopt them will take some clever internal marketing and customer education by the banks.
Whatever technology they choose, banks need to move fast because the threats are growing. In recent months the industry has seen the emergence of the Silon Trojan, which is designed to go after the customers of British banks, and which has already infected thousands of machines. The British banking industry provides the cybercriminals with a big target to aim for, and so expect more of the same in the future.
As ArcSight's Reed Henry said: "In the U.K., you have a concentration of big banks. If the criminals can get into one of them, then they have a huge treasure trove."
This was first published in April 2010