Financial Conduct Authority concerned about cyber security of banks

The FCA expresses concern about the cyber security of banks after 9,000 Tesco Bank customers lost £2.5m in fraudulent transactions

The UK’s Financial Conduct Authority (FCA) has said it is concerned about weaknesses in banks’ IT systems, after cyber attackers drained £2.5m from 9,000 Tesco Bank current accounts at the weekend.

The bank halted online banking after discovering suspicious activity relating to 40,000 current accounts and initially feared that around 20,000 had been affected by fraudulent transactions.

However, the bank has now confirmed that just under 7% of the bank’s 136,000 current account customers were affected by fraudulent transactions.

The bank claims to know exactly what happened but is yet to give any details, saying the matter is still under criminal investigation by the National Crime Agency (NCA).

However, the bank said no personal data was compromised in the attack, and that all money stolen from accounts has been refunded. The bank has also lifted the suspension of online debit transactions.

“We’ve refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised,” said Tesco Bank CEO Benny Higgins in a statement.

The Information Commissioner’s Office (ICO) is looking into whether the bank is doing enough to secure personal data. The incident is also being investigated by the new National Cyber Crime Centre (NCSC).

FCA chief executive Andrew Bailey reportedly told members of Parliament (MPs) that he is concerned about the cyber security of banks due to the complexity of their IT systems.

The more complex banks’ IT systems are, the more potential “points of entry” are available for criminals, he told MPs, according to the BBC.

“The heart of concern is what is the root cause of this [attack] and what it tells us about the broader threats. It looks like it’s [in] online banking, [it] clearly appears to be on [the] debit card side of online banking, as far as we can tell. But it requires further urgent analysis,” said Bailey.

FCA data shows that reported attacks on financial institutions in the UK have risen from just five in 2014 to more than 75 in the first 10 months of 2016, but many attacks are believed to go unreported.

Growing risk in banking industry

In November 2014, a University of Cambridge researcher told a HM Treasury select committee that the amount of money being taken from people’s accounts through cyber crime is twice as much as what is reported.

In addition to having to compensate customers, Tesco Bank could face a fine if regulators find that failures in the bank’s systems and controls were contributory factors.

The FCA is conducting an investigation along with the Bank of England’s Prudential Regulation Authority (PRA).

In 2014, the FCA and PRA fined Royal Bank of Scotland £56m for an IT outage in 2012 that left 6.5 million customers unable to access their accounts for several weeks.

Joe Fantuzzi, CEO of risk management firm RiskVision, said the attack on Tesco Bank clearly indicates that risk in the banking industry is growing.

“While banks have always been lucrative and vulnerable targets for attackers, the risk is exponentially compounded by the global and interconnected nature of most banking systems,” he said.

This kind of connectivity, said Fantuzzi, greatly expands threat vectors and increases risk. “These days, it’s likely that vulnerable and inadequately secured organisations share the same communication channels and networks with multiple other financial institutions.

“Subsequently, banks will need to be even more vigilant, placing more resources and energy into finding the critical vulnerabilities in their environment and addressing the ones that open up the door for attack,” he said.

Serious about security

Security industry commentators have said the attack on Tesco shows that traditional approaches to security are not working and that companies are not taking the threat seriously enough.

Andrew Tschonev, technical specialist at security firm Darktrace, said the attack will force Tesco Bank to upgrade its cyber defences and other companies should do the same if they want to avoid being next.

The attack on Tesco Bank will hopefully inspire businesses to take cyber security as seriously as they should and think of it as a business imperative, said Adrian Davis, managing director for Europe, Middle East and Africa at (ISC)2.

Davis believes that despite growing awareness of the issues, business leaders are losing control and visibility of core business risk. “They have not realised just how much their organisations have changed in the digital age, and how this is leaving them vulnerable,” he said.

The theft of $81m from an account belonging to the Bangladesh central bank in February 2016 was a watershed event, according to Alain Desausoi, CISO at financial messaging service Swift.

“We were surprised by the gap between the skills of the attackers and the cyber security practices in the banking industry,” he told the FT Cyber Security Summit in London in September 2016.

The heist was part of a wider campaign that would have netted the cyber thieves almost $1bn if a typo had not alerted bank officials, who managed to block a further fraudulent transaction of $870m.

In August 2016, Swift warned that an undisclosed number of banks had been targeted and some had lost money in a new wave of cyber thefts.

Swift urged banks to comply with the security measures it recommended in the wake of the $81m heist, which included calls for stronger systems for authenticating users and updates to the software used for sending and receiving transaction messages.
