Every minute of every day, a bank is under cyber attack
Online attacks on banks are not limited to theft. Photo: Louise Kennerley
Cases are rarely publicised, but online crime is one of the financial system's biggest threats.
Heard about the multi-billion dollar takeover that collapsed because cybercriminals stole confidential information on the deal? Or how about the millions of dollars stolen on a regular basis from banks?
Chances are you probably have not and that is because few of these stories ever make the news. But look at the latest warnings from the Bank of England and senior industry executives and there is no doubt that the "cyber threat" has become one of the biggest problems facing financial systems around the world.
Every minute, of every hour, of every day, a major financial institution is under attack.
Threats range from teenagers in their bedrooms engaging in adolescent "hacktivism", to sophisticated criminal gangs and state-sponsored terrorists attempting everything from extortion to industrial espionage. Though the details of these crimes remain scant, cyber security experts are clear that behind-the-scenes online attacks have already had far reaching consequences for banks and the financial markets.
"We are aware of at least a few very significant M&A [mergers and acquisitions] transactions being withdrawn or taking place on less favourable terms than they otherwise would because of cybercrime," says Mark Fishleigh, head of financial services at BAE Systems Detica, one of the biggest providers of security services to the big lenders.
Details of cases that have become public show the extent of the threat of cybercrime to everyone from ordinary depositors to the large corporate customers.
Dissected last year, Operation High Roller marked one of the biggest online thefts to have been made public. According to details of the investigation, somewhere between $US78 million ($83 million) and $US2.5 billion ($2.7 billion) was last year stolen from thousands of bank accounts across Europe, the US and Latin America. Among the customers targeted were rich individuals and high-value commercial accounts, with sophisticated software identifying the victims' main bank accounts and transferring money to prepaid debit cards which could be cashed anonymously. Once the money had been taken, the hackers were able to hide their thefts by changing the victims' bank balances so they appeared unaltered.
Attacks are not limited just to theft and can take the form of denial of service assaults on a bank's online operations to prevent customers from accessing their accounts. Last year, HSBC became the victim of one of the largest attacks of this kind yet recorded, causing the failure of its online banking services. Stuart Gulliver, chief executive of HSBC, and other senior managers at Britain's largest bank, believe cyber threats are one of the biggest dangers to the industry.
British authorities already require major financial institutions to take extensive steps to secure their core computer systems.
Two years ago, the Bank of England undertook Operation Waking Shark, an industry-wide exercise to mimic a large-scale cyber attack on the British financial system. The day-long test simulated everything from the complete failure of payments systems to the failure of major industry IT platforms as a result of a sustained cyber attack. Next month, the Bank of England, along with the Financial Conduct Authority and the Treasury, will undertake Operation Waking Shark 2 to see how defences have improved in the intervening years.
All of the major British banks are expected to take part in the exercise, which will be used to assess their resilience to cyber attacks and will likely lead to some lenders being required to tighten security in weak spots discovered. "It is hard to state quite how useful these type of war games are. Exercises like this allow us to see the interconnectedness of the system and find out how problems in one area can have knock-on effects on another," says one senior security expert at a major international bank.
One of the biggest areas of weakness is lax security among employees. In particular, the use of unauthorised applications.
Research by the Economist Intelligence Unit shows that more than one in 10 financial services sector staff are using cloud storage services such as Dropbox and Google Drive without their employer's knowledge.
For hackers this means that instead of having to penetrate the potentially more secure systems of the bank, they simply need to get into an employee's cloud computing account. Steve Holt, the head of financial services cyber security at Ernst & Young, says the use of outside technology, as well as social networks, such as Facebook and LinkedIn, have proved a boon for those looking to circumvent banks' online defences.
"You can get lots of info on people off LinkedIn, which then enables the criminals to perpetrate a much more sophisticated attack. If I send you an email that is well researched with personal information, you are more likely to get to open a piece of malware or a Trojan Horse program," says Mr Holt.
Criminals have also begun targeting the physical hardware underpinning banks' systems. Last month, a gang was arrested after a man posing as an engineer attempted to fit a device to a computer in Santander UK's Surrey Quays branch that would have allowed the alleged criminals to remotely access customer accounts.
The growing number and sophistication of cyber attacks reflects the seriousness of the criminals behind it, says Mr Fishleigh. "We can see from attack patterns that these people come into work at nine o'clock and leave at five when they are replaced by a night shift. It even appears that they earn salaries," he says.
There is little chance of the threat diminishing and the results of exercises such as Operation Waking Shark 2 may be as key to how banks do business in the future as any major industry financial stress test.