
US Treasury tells banks to provide more cyber attack information

The US government is calling on financial institutions to share more cyber attack information as concerns grow about the sector's vulnerability

The US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued an advisory to financial institutions on cyber events and cyber-enabled crime.

FinCEN said cyber criminals target the financial system to defraud financial institutions and their customers and to further other illegal activities.

Financial institutions can play an important role in protecting the financial system from these threats through thorough and timely reporting of cyber attacks, the advisory said.

FinCEN said the advisory was aimed at the financial sector’s cyber security units, network administrators, risk departments, fraud prevention units and all those involved in anti-money-laundering activities.

In addition to the advisory, FinCEN has issued guidelines on the reporting of cyber events, cyber-enabled crime and cyber-related information through suspicious activity reports (SARs).

The guidelines call for SARs to include all relevant and available cyber-related information, such as the magnitude and characteristics of the event, indicators of compromise (IoCs), methods used, relevant internet protocol (IP) addresses with timestamps, virtual-wallet information and device identifiers.

FinCEN is also calling for greater collaboration between anti-money-laundering units and in-house cyber security units to identify suspicious activity, and the sharing of information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing and cyber-enabled crime.

The move by FinCEN comes just a week after US bank regulators outlined proposed cyber security standards to protect financial markets and consumers from online attacks.

Cyber security has become a priority for regulators after institutions such as the New York Federal Reserve were caught up in high-profile cyber attacks.

Anti-hacking tools

The new standards will require banks with assets of $50bn or more to use the most sophisticated anti-hacking tools on the market and to be able to recover from any attack within two hours, reports Reuters.

Qualifying financial institutions will also be expected to be capable of operating critical business functions in the face of cyber attacks.

The financial industry has been invited to comment and provide feedback in the next three months before authorities finalise the rules aimed at raising cyber security to a top priority for executives and directors.

“While banks arguably allocate the most resources towards addressing cyber security of any industry, they still lose billions every year due to hacking,” said Mike Ahmadi, global director of critical systems security at Synopsys.

“While they have remained profitable despite such losses, one of the major concerns is a loss in consumer confidence, which is something they cannot easily rectify.”


Ahmadi said the explosion of technologies means banks must now manage security for thousands of applications, which all introduce risk that must be constantly monitored and managed.

“In order to be more effective in managing such risks, banks will need to require their supply chain of technology providers to deliver products that have been developed using a rigorous secure software development lifecycle,” he said.

In the UK, consumer group Which? has slammed the country’s high street banks for failing to adequately protect customers from online scams.

According to the consumer group, only five of 11 high street banks have adopted two-factor authentication methods to protect customers.

Which? identified Halifax, Lloyds Bank, Santander and TSB as being among the worst offenders. It noted that between 2014 and 2015, fraud losses rose by 64% to £133.5m for online banking and by 28% to £32.3m for phone banking.

The banks “consistently scored poorly” in their security measures over the four years they had been monitored and had failed to invest in the proper security systems that would keep their customers safe from fraudsters, the report said.

Shoulder more responsibility

The consumer group called on banks to shoulder more of the responsibility and to introduce extra protections to safeguard their customers. The group also called on the financial regulator to investigate whether banks could do more to protect people who are tricked into transferring money to a fraudster.

But some of the banks named in the Which? report have rejected its findings, saying they deploy multi-layered security controls at the back end to protect customers from fraudulent attacks.

According to Gabriel Wilson, managing consultant at Rivington Information Security, two-factor authentication is only part of the solution.

“While it will reduce unauthorised access to customer accounts, it will not stop customers falling for scams,” he said. “This remains a crucial issue, due to a lack of education and awareness of scam types and the temptation of financial reward.

“Banks and businesses need to start working with their customers and better educating them on the risks. End users need to understand the important part they play when it comes to responsibility for their own data protection from cyber criminals.”

Light at the end of the tunnel

Steve Mullan, UK operations manager at identity and access firm Ilex International, believes that despite the current lack of regulation governing security standards in the UK banking industry, there is light at the end of the tunnel.

“A growing number of organisations are making the bold move to implement multi-factor authentication as part of their ongoing identity and access management strategy,” he said. “They see this as a means of creating a trusted working environment between themselves and their customers or employees.

“This demonstrates how much they value their customers’ security and are taking active steps to prove it.”

But Paul Calatayud, CTO at security firm FireMon, pointed out that in a very competitive market, better security could have a negative effect on customer adoption.

“Instead of two-factor authentication, I would recommend that most critical online applications deploy risk-based authentication,” he said.

This means that in most situations, consumers would be allowed to authenticate with a single factor, typically a password, without impediment.

Only when unusual activity is detected as a possible indicator of fraudsters at work would more advanced forms of authentication be invoked.

“A risk approach is an approach that often addresses risks while taking into account the business and its requirement to operate within certain business conditions, such as customer-facing scenarios where extra security steps can be viewed as a hindrance,” said Calatayud.
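The risk-based authentication described above can be made concrete as a small scoring engine that lets a routine login through on a password alone, demands a second factor when the session looks unusual, and refuses outright when several strong signals coincide. This is an added illustration, not code from FireMon or any bank: the signal weights, the thresholds, the 900 km/h impossible-travel speed and the profile and login data for the user "alice" are all assumed for the example.

```python
"""Risk-based (adaptive) authentication: password-only for routine logins,
step-up to a second factor when the session looks anomalous.

Added illustration. Weights, thresholds and sample data are assumptions,
not any institution's real policy."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy thresholds (illustrative values).
STEP_UP_THRESHOLD = 30      # at or above: demand a second factor
BLOCK_THRESHOLD = 90        # at or above: refuse and route to fraud review
IMPOSSIBLE_SPEED_KMH = 900  # faster than a commercial flight


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: datetime                  # timezone-aware, UTC
    transfer_amount: float = 0.0  # value of the transfer requested in this session


@dataclass
class UserProfile:
    known_devices: frozenset
    home_country: str
    last_lat: float
    last_lon: float
    last_ts: datetime
    usual_hours: range            # UTC hours in which this user normally logs in


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt, profile):
    """Return (score, reasons). Each anomalous signal adds an assumed weight."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country != profile.home_country:
        score += 25
        reasons.append("login outside home country")
    # Impossible travel: distance from the previous login divided by elapsed
    # time. Skipped when the clock went backwards (negative elapsed time).
    elapsed_h = (attempt.ts - profile.last_ts).total_seconds() / 3600
    if elapsed_h > 0:
        km = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
        if km / elapsed_h > IMPOSSIBLE_SPEED_KMH:
            score += 40
            reasons.append("impossible travel")
    if attempt.ts.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if attempt.transfer_amount >= 1000:
        score += 20
        reasons.append("high-value transfer")
    return score, reasons


def decide(attempt, profile):
    """Map a score to an action: 'allow' (password only), 'step_up', or 'block'."""
    score, _ = risk_score(attempt, profile)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample data: one user profile and four login attempts.
def _at(day, hour, minute=0):
    return datetime(2016, 10, day, hour, minute, tzinfo=timezone.utc)

LONDON = (51.5074, -0.1278)
MOSCOW = (55.7558, 37.6173)

ALICE = UserProfile(frozenset({"dev-A"}), "GB", *LONDON, _at(26, 9), range(7, 23))

SAMPLES = {
    "routine":        LoginAttempt("alice", "dev-A", "GB", *LONDON, _at(26, 12), 50.0),
    "new_device":     LoginAttempt("alice", "dev-Z", "GB", *LONDON, _at(26, 12), 50.0),
    "night_transfer": LoginAttempt("alice", "dev-A", "GB", *LONDON, _at(27, 3), 1500.0),
    "takeover":       LoginAttempt("alice", "dev-Z", "RU", *MOSCOW, _at(26, 10, 30), 2500.0),
}

if __name__ == "__main__":
    for name, attempt in SAMPLES.items():
        score, reasons = risk_score(attempt, ALICE)
        print(f"{name:15} score={score:3}  {decide(attempt, ALICE):8} {reasons}")
```

The "routine" login passes on the password alone, a new device or a large transfer at an odd hour triggers a second factor, and the "takeover" case (new device, foreign country, 2,500 km from the last login 90 minutes earlier, large transfer) is blocked before any factor is even checked. In production the weights would be tuned against labelled fraud data and the decision logged with its reasons, since those reasons are exactly the cyber-related indicators a suspicious activity report would later need.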
