Cybercrime, a significant risk for banking systems

Banks: invest to address cyber threats  

In 2019, Jamie Dimon, CEO of J.P. Morgan Chase & Co., stated that: “The threat of cybersecurity may very well be the biggest threat to the U.S. financial system,“. According to CNBC, the U.S. company spends nearly $600 million each year to strengthen its cyber defenses and deal with “a constant stream of attacks“.  

A significant investment that can also be justified by the fact that J.P. Morgan Chase & Co. was the victim of a significant data leak in 2013. According to Forbes, in 2014, the company reported that 76 million households – the equivalent of 65% of all U.S. households – and 7 million small businesses had been compromised in the cyberattack against the firm. 

This story is, unfortunately, not an isolated case. In the 2020 edition of its Risk Mapping Report, the European Central Bank (ECB) identifies the main risk factors that the Eurozone banking system is expected to face over the next three years.  

Risk Mapping, 2020 Source: ECB 

As shown in the ECB’s diagram above, cybercrime and computer incidents are among the banking system’s major risks.  

These risks are significantly amplified by:  

• the continued digitization of financial services;  
• the obsolescence of certain banking information systems (IS);  
• Interconnection with third-party I.S. and, by extension, migration to the cloud.  

Banking sector: IT systems that are sometimes obsolete but always interconnected

The banking sector presents specificities that make cyber attacks a very serious matter, both in terms of occurrence and the potential severity of the impacts. Data security is a major challenge for the financial sector, which plays a vital role in the economy’s overall functioning. An attack on a banking institution can indeed have harmful consequences on an entire country’s day-to-day operations or even a region of the world.  

Today’s banking institutions rely entirely on IT systems. This is how they started very early on to computerize their business activities. Yet, even today, we are surprised to see that some information systems (IS) remain old and ill-adapted to cope with the threats affecting banks, and in particular, APT (Advanced Persistent Threats), to which we devote a paragraph below.  

In a recent note, the ECB writes that most security problems stem from a failure to apply risk detection rules In some cases, software patches, which update the defense system against new vulnerabilities, are simply not installed. In this same perspective, Immunize6 has studied external web applications, APIs, and mobile applications from the S&P Global list (which mentions the world’s largest financial organizations from 22 countries). In particular, Immunize found that 92% of mobile banking applications contain at least one medium-risk security vulnerability. Even more worrisome, 100% of banks have security vulnerabilities or problems related to forgotten sub-domains. 

Information systems in the financial sector are also very often based on multiple, decentralized systems within large, widely interconnected groups, which exchange a great deal of information with the outside world, particularly for making online payments.  

These characteristics do not rely on classical protections, such as protection centered on the internal IS. The banking context requires the intensive development of more sophisticated protection and attack detection mechanisms. Because cyberattacks are legion.  

What kind of cyberattacks targets the banking and financial sector?

Cyberattacks against banks: phishing and DDoS

According to the Security Navigator, our annual report, the financial sector continues to have a higher amount of confirmed social engineering incidents than the majority of other sectors, in particular phishing incidents.  

In 2020, our experts also detected a striking fact: no other sector has presented so many DDoS attacks. Thus, fraud through theft or manipulation of bank data is no longer the sole aim of attackers. Another goal is to harm the bank by damaging its reputation. Attackers’ motivations are no longer limited to the lure of gain.  

It should be noted that espionage, which may be practiced by a competitor or a foreign economic power, is also rising.  

The banking sector significantly affected by APTs

The above-mentioned attack techniques are not the only ones used by cybercriminals. In particular, banks are targeted by Advanced Persistent Threats (APTs). These sophisticated and stealthy threats combine advanced intrusion and spoofing techniques to allow hackers to access account management applications, such as cash management in distribution channels or mass payment flows.  

By illustration, the APT type cyberattack that has undoubtedly made the most ink, given the amount was stolen (between 800 million and 1 billion dollars according to the Economic and Financial Agency), is that of the Carbanak case from February 2015. “Carbanak” is the name given to the malware used by a group of hackers to spy on the infrastructure and data of employees of a hundred Russian, Japanese, American, and European banks. Discovered by Kaspersky Lab, the intrusion technique was based on phishing and social engineering. Sending fraudulent e-mails with a malware-infected attachment gave access to the banks’ internal network, the necessary authorizations for money transfers. It discreetly installed a remote administration tool for access to screenshots and employee passwords. 

Conclusion

As this article in the French economic media Les Echos explains, between February and April 2020, a “tripling of cyber attacks (+238%) against financial institutions around the world” has been observed by VMware Carbon Black. The significant figure shows the urgency for banking institutions to protect themselves against numerous and sophisticated attacks. 

To effectively address the risks facing the financial sector, it is recommended that a comprehensive approach be taken, including third parties, as protecting oneself is not enough. Compliance with existing regulations is also the first and most important step towards adequate protection.  

An analysis by Ibrahima Sene, cybersecurity consultant at Orange Cyberdefense France. 

More on Finance