BT launches ethical hacking service for bankers

BT is to offer its financial services customers the chance to test their network security with the introduction of a specialised element of its Assure ethical hacking service.

The BT Assure Ethical Hacking for Finance service is designed to help financial organisations, including retail and investment banks, and insurance companies ensure their exposure to cyber attacks is limited.

The risk to such firms, which present a tempting and often soft target to online criminals, has vastly increased in recent years as banks move more services online and electronic trading becomes more prevalent.

BT has a long history of working closely with large financial institutions and has gathered a wealth of ethical hacking expertise. Within the rules of the game, its hackers have already compromised the security systems of many financial services firms.

Among other things, it has performed database dumps of tens of thousands of social security and credit card numbers; intercepted mobile cheque deposit data; reverse engineered encryption; generated valid gift cards; created admin accounts; escaped remote access sessions and get shell access to systems; transferred funds between accounts without authorisation; and harvested complete account data by attacking machine-to-machine (M2M) communications.

Its new service will use Crest-certified simulated targeted attack and response (Star) methodologies in its testing procedures, which were developed alongside the Bank of England and the UK government. BT is one of only four companies worldwide to be certified in this way.

Its methodologies will mimic those exploited by black hat hackers and other malicious attackers to provide a number of tests centred on the various entry points and other weak spots in a bank’s IT systems, which can include phishing scams on customers, mobile devices and hardware, internal and external networks, databases and enterprise resource planning (ERP) systems.

Assure Ethical Hacking for Finance will also assess the risk of human failure by using social engineering to test employees’ cyber security mettle.

“The prospect of accessing confidential financial information is a powerful lure for hackers – few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage,” said BT security president Mark Hughes.

“While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers.

“We encourage all financial institutions to put themselves through a rigorous series of cyber security simulations, whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit,” said Hughes.

The global security officer of one large banking firm, which has been using the service on an ongoing basis, said BT helped it detect a number of significant issues with its systems, and not just when it came to protecting customer data – in one test its hackers managed to crack a commercial employee benefits system and change the value of a discretionary bonus payment.

“We’ve never hit the news because of a hack. A key reason for that is strict security testing and BT is part of that,” said the unnamed executive.