Bank cyber safety: Are banks safe from cyber attacks?
Share
Long gone are the days where most of us were distrustful of internet or phone banking. Originally seen as risky, many of us now think nothing of paying via tap-and-go, BPay or PayPal. Electronic banking has become the go-to convenience for so many people, too busy in their day-to-day lives to manage a trip to pay bills directly anymore.
But did you have any idea how often these databases and storage facilities were breached?! At a cursory search, Wikipedia showed me a listing of all hacks and breaches. Whether it was an intentional inside leak, or hacking, from data being sold to a third party, or just negligence and accidentally publishing client’s details.
Some of the most outstanding mentions were the Bank of America, NASDAQ, the IRS, American Express and Citigroup.
Entity |
Year | Records | Method |
Bank of America | 2005 | 1,200,000 | lost / stolen media |
Citigroup | 2005 | 3,900,000 | lost / stolen media |
Citigroup | 2011 | 360,083 | hacked |
Citigroup | 2013 | 150,000 | poor security |
Data Processors International
(MasterCard, Visa, Discover Financial Services and American Express) |
2008 | 8,000,000 | hacked |
Desjardins | 2019 | 2,900,000 | inside job |
Educational Credit Management Corporation | 2010 | 3,300,000 | lost / stolen media |
Equifax | 2017 | 163,119,000 | poor security |
European Central Bank | 2014 | unknown | hacked |
First American Corporation | 2019 | 885,000,000 | poor security |
Internal Revenue Service | 2015 | 720,000 | hacked |
Iranian banks (three: Saderat, Eghtesad Novin, and Saman) | 2012 | 3,000,000 | hacked |
JP Morgan Chase | 2014 | 76,000,000 | hacked |
Massive American business hack
including 7-Eleven and Nasdaq |
2012 | 160,000,000 | hacked |
NASDAQ | 2014 | unknown | hacked |
Source: https://en.wikipedia.org/wiki/List_of_data_breaches
The numbers of records exposed is quite concerning. And the table above just shows select banking breaches. There were entire Government sites infiltrated. If they contained personal banking information on the population, that would also contribute to the banking data spewed out. Airlines and hotels with booking confirmations and bank account details, even if saved temporarily until your flight or hotel stay, are still vulnerable during that time out of your hands.
All it took for Chile was for one employee to click on a link in a spam email. The malicious file sent via an Office document, opened a backdoor into the banks network resulting in all branches of the country’s largest three banks shutting down completely. This was not long after Chile’s network was breached in an attempt to completely disrupt the nation’s banking.
For Bangladesh, having nearly $100 million stolen from their Central Bank hit the nation hard in 2016. Soon after, Russia confirmed hackers had stolen over $31 million from their Central Bank as well.
The Boston Consulting Group found financial firms were 300 times more likely to be attacked than other firms, with Mastercard reporting in 2019 that there were over 460 000 attempts to breach each day.
This report highlighted the ability of banks and financial institutions to detect and contain a cyber attack rather than prevent them in the first place.
Now that the shift away from cash and toward electronic banking due to Covid-19 has a majority of the world’s population sticking to electronic options, attempts to breach networks have intensified. The thieves are targeting the increased vulnerabilities.
A year ago the Big 4 in Australia were compromised. Banking details linked to PayID were all breached. Westpac did not even realise this breach had occurred until another institution contacted them. Once a second party realised what was happening, they alerted the bank, who only then could investigate and begin securing customer’s funds.
And the NAB specifically reported being hit by millions of cyber attacks per day. The increase of attacks by 78% mid year led to 33% more losses being reported. The claim in the NAB report was also that some of the cyber crime was state-sponsored as well, just to obtain information on Australians.
However they also showed syndicates attempting to slow down bank’s systems to gain financial information. We won’t go into DDoS attacks and what they can do to systems. But large scale attacks can slow processing speeds so far that transactions in and out of account will come to a standstill.
Back in May a report showed ransomware attacks against banks had increased nine-fold earlier in 2020. It reported attacks on banks had actually spiked 238%. 238! Quite a few of the respondents also reported the attacks had become much more sophisticated over the past 12 months, with many reporting an attack that was designed purely to elicit damage, rather than obtain any ransom money.
In fact, an interview with hacker Phineas Phisher revealed he “lived” in banks networks for months before being detected. Phineas is a private individual whose anti-capitalist, anti-surveillance views prompted him to hack the Italian IT company Hacking Team, as well as Anglo-German company Gamma Group. These corporations sell software to enable governments to gather data and information on, and from, their citizens.
The most worrying part of the interview was that Phineas did not use any sophisticated tools, only off-the-shelf crimeware. The investigation into the Cayman National Isle of Man Bank found a breach that Phineas claimed was not actually his. His claim was that it was a coincidence, and that someone else was simultaneously hacking the bank. The less sophisticated and experienced criminal was exposed, revealing the Phineas Phisher hack from months prior.
What we can all learn from this is that there are large corporations out there, supplying software to countries so they can surveil their own inhabitants as well as other countries, AND that competent hackers don’t even need that type of software to be able to hack into our data.
So while I am not advocating the mass withdrawal of cash that is prompting countries to have shortages of notes, perhaps keep in the back of your mind that electronically speaking, our money is not entirely safe either. We may be looking at governments preferring a cashless society, but is that going to be safe enough? Is there going to be a guarantee that my hard earned income is only accessible by me?
Cyber security is becoming a much larger field. I think perhaps an extremely necessary one. And could it lead to individuals having to hire their own cyber consultants before deciding on which bank to hold funds? If governments are going to push for cashless societies, they should secure them.