While our banks suffer fewer attacks than their US counterparts, they could be less prepared for criminal attacks.


Australia’s banks will be increasingly seen as soft targets for cyber criminals, Ernst & Young’s global head of information security warns.

On a flying visit to Australia to meet clients this week, Ken Allan said while banks here suffered fewer attacks than their European or US counterparts, they could be less prepared for criminal attacks as a result.

“Australia doesn’t have that many enemies. You don’t have many groups who are motivated by ideology viewing Australia as a target,” he said. “The downside of that is that it means the readiness to respond to the threats here is probably less.”

Mr Allan said the primary perpetrators of cybercrime were organised crime syndicates, and backed the view of some state police chiefs that the banks need to do more to share intelligence.

Cybercriminals “view hacking as an economic activity,” the information security expert said. And as detection and response to attacks is improved elsewhere, he predicted they will target institutions where “the bar is lower”.

He said the US has long introduced formal, increasingly real-time sharing of information on threats and fraud in the financial services sector between companies, law enforcement and government.

“That’s because an attack on one bank is an attack on the sector,” he said.

“US banks have a very sophisticated formal structure under an organisation called the FS-ISAC (Financial Services Information Sharing and Analysis Center).

“In Australia, it is done on a relatively informal basis.”

The UK has a permanent National Fraud Intelligence Bureau, as well as a Cheque and Plastic Crime Unit in the City of London Police funded by banks to tackle fraud.

Information sharing with police

Queensland Police’s head of fraud and cybercrime, detective superintendent Brian Hay, told Fairfax Media in May that Australia needs something similar because most bank fraud is not shared with police, and when it is, it is often too late to prosecute.

The Victorian Police has also repeatedly attributed a big rise in break-ins and theft to criminals searching for tap-and-go credit cards, calling on banks and credit card companies to share more information on fraud levels.

Card companies and banks say they now have regular meetings with police set up by the Australian Payments and Clearing Association.

They also said fraud levels are very low on contactless cards. But official figures show transactions on lost and stolen cards more than doubled in 2013.

Mr Allan added each institution needs to move from “prevention” of cybercrime to being able to both detect and be ready to respond to it.

There is an extra cost to be able to do this, he said, but as efforts by banks overseas to defend themselves intensify, Australia would have to follow suit.

“We know the leading organisations are taking threats from commercial, law enforcement, from each other, plus all the electronic data feeds that come from intrusion detection systems,” he said.

“All those electronic flags would have been viewed on their own. Where this is evolving is gathering all the data together and looking for anomalies in the data.

“An electronic alert of a denial of service attack might be aligned to another attack in another part of the organisation, and only by seeing the correlations can you identify a material breach.”