At about 10:30 a.m. on Friday, Feb. 5, 2016, Jubail Bin-Huda, a joint director of Bangladesh Bank, and a colleague went to pick up the latest Society for Worldwide Interbank Financial Telecommunication (SWIFT) acknowledgement messages from the printer. When they got to the printer, they found nothing had been printed. They restarted the printer manually, but it still didn’t work.
They had no idea this was the first sign that nearly $1 billion was being stolen. Malware planted on the bank’s own systems, later attributed by investigators to North Korea, had tampered with the bank’s local SWIFT Alliance Access software to hide the fraudulent payment orders and suppress the printed confirmations. The SWIFT network itself was not breached; the attackers abused a legitimate bank’s access to it.
The funds were being transferred from the Bangladesh Bank to multiple banks in Sri Lanka and the Philippines, including one branch of the Rizal Commercial Banking Corp. (RCBC) in the Philippines, located in Manila’s business district.
The payment orders instructed the Federal Reserve Bank of New York (the New York Fed), where Bangladesh Bank holds an account, to transfer the money in blocks of several million dollars each. At the time of the requests, the New York Fed had no idea a cybercrime was taking place. Only by coincidence were the remaining transfers stopped, because of the word “Jupiter.” The RCBC branch’s address on Jupiter Street matched the name of an Iranian oil tanker, and with U.S. sanctions against Iran active, the sanctions screening flagged the payments for manual review. But the thieves got away with $101 million before the New York Fed stopped the rest of the transactions.
The Bangladesh Bank cyber heist became a case in point demonstrating how one country could use cyberattacks to steal money from another. A well devised phishing scam got the heist up and running, and neither SWIFT nor the NYFB detected the cyberattack. Since then, SWIFT implemented more than 30 security measures to fight cyberattacks.
Fast forward to 2022. According to Reuters, a New York husband-and-wife team was arrested in February 2022 and charged with conspiring to launder roughly 120,000 bitcoin stolen in the 2016 hack of the digital currency exchange Bitfinex. The coins were worth about $70 million when they were taken and about $4.5 billion at the time of the arrests; the U.S. Justice Department seized about $3.6 billion of them, calling it the department’s largest financial seizure ever. Yet despite the scale of the theft, only two people were charged in connection with it. Imagine what sophisticated, organized cybercriminals can do.
Unthinkable as it may sound, we are only seeing the tip of the iceberg of upcoming cybercriminal activities.
What are the real threats?
Fig. 1: Who’s behind the cyberattacks. Source: ESRB
The global banking systems are very complex with many moving parts. They connect regional banks, national banks, countries’ central banks, the World Bank, financial clearing houses, and government authorities on a global basis with countless users (bank employees, government employees, contractors, and customers).
These connected systems have many components — networks with cloud and local servers, dedicated terminals at the bank and retail sites, consumer and mobile devices, software, ATMs, and more. Besides using dedicated Ethernet, the connected systems use various wireless connections, such as WiFi, LTE, 5G, and other proprietary protocols, and at the foundation of all of this, there are very fast servers or consumer devices using some of the most advanced semiconductor technology available. Trillions of transactions involving money transfers, wiring of funds, remote deposits, money withdrawals, and loan payments take place over these networks.
“Banking systems include many components — dedicated terminals, networks, servers and cloud, consumer devices, software, and people (bank employees, contractors and customers),” said Steve Hanna, distinguished engineer, Infineon Technologies. “Each component has its own vulnerabilities and is thus a potential entry point for attacks.”
With digitalization transforming the world, unless cash physically changes hands, every payment is digital at the point where it moves between banks. That makes cybercrime global by default, and attackers increasingly target the hardware as well as the software.
Even though American and European banks are the prime targets for cybercriminals, the rest of the world is not immune from cyberattacks. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a Belgian cooperative society that carries the standardized payment messages banks worldwide use to instruct one another; it does not itself hold or move funds. It funds the SWIFT Institute, which performs independent research, helping academics and financial practitioners learn from each other how to strengthen financial systems. According to the SWIFT Institute, banks in Asia are becoming the primary targets of cybercriminals.
With mobile banking increasing, the global banking system is at risk. In many countries, mobile phones are the only means of transferring funds to conduct business. Banking apps run on consumer devices that are typically far less well protected than managed corporate laptops, which makes them attractive to attackers.
“Today’s banking systems have been increasingly equipped with the latest digital transformations, leveraging technologies such as cloud computing, mobile payment, and big data analytics,” according to Lang Lin, lead product specialist at Ansys. “However, if the hardware/software security is not well implemented, the same vulnerabilities from modern computer systems are present in banking systems. We are used to hearing many reports about such crimes as skimmer attacks on ATMs, denial-of-service attacks on banking virtual private networks (VPNs), and malware on banking apps, just to name a few.”
With almost every bank connected on the Internet, cyberattacks will be on the rise. Worse, in some cases each attack will lead to subsequent attacks.
Fitch Ratings, a credit ratings company and research firm, conducted a study along with CyberCube, a cybersecurity quantification company. The study looked at the potential impact of cybersecurity incidents on the U.S. banking industry. It focused on the entire U.S. banking sector of approximately 4,900 banks, with over $1.1 trillion in total revenues in a one-year time period. The impact of systemic cyber events on the U.S. banking sector under various cyber risk scenarios was examined. In particular, the research focused on how a single point of failure (SPoF) for cyber incidents would impact the U.S. banking system.
“A cyberattack on a particular SPoF may have a cascading impact on the identified connected banks, creating significantly larger footprints of compromise than in traditional attacks that infect one bank or system at a time,” warned Christopher Wolfe, managing director of Fitch Ratings, who heads up North American banks for the company. “An incident at a single critical third- or fourth-party vendor could lead to significant business interruption losses.”
There are countless ways hackers can attack banking systems, and the techniques change every day. The top five categories include ransomware, DDoS attacks, consumer fraud, malware, and state-sponsored attacks.
Fig. 2: Where ransomware is hitting the hardest. Source: SonicWall Cyber Threat Report
Ransomware has emerged as hackers’ top choice for attacking banking systems. In general, ransomware encrypts the victim’s systems and data, halting operations, and the attackers demand payment in return for the decryption key. Last year, the Ryuk ransomware generated $180 million, followed by SamSam with $104 million.
Additionally, once inside, attackers can exfiltrate account holders’ personal financial records, including name, date of birth, address, social security or other government-issued ID numbers, and other personal information, and sell them on darknet markets where illegal transactions take place. Inspired by SaaS, ransomware operators came up with ransomware as a service (RaaS): the malware and its infrastructure are rented to less sophisticated affiliates to maximize revenue.
Distributed denial-of-service (DDoS) attacks, which flood the victim’s servers or network links with traffic, often from botnets of malware-infected devices, will continue to be a threat as well. According to the Imperva report, layer 3 and 4 DDoS network traffic volume increased by 24%, while text malware attacks grew by 21%. The number of packets used in an attack grew by 41% in six months. Growth in volume on that scale points to attackers commanding more resources, not merely making more attempts.
“All technology and systems potentially could be exploited as hackers are continuously probing banks for vulnerabilities,” said Gerry Glombicki, director at Fitch Ratings’ U.S. Insurance Group. “It is not only systems that present vulnerabilities, but the people running them, as well. Computer networks are not different by sector, but different sectors have different regulations, security concerns, and reputational risks to consider. For example, banks and financial institutions may have significant amounts of personally identifiable information (PII), which is often targeted in cyberattacks.”
Besides attacks on the banks themselves, consumer fraud has been increasing at an alarming rate, often carried out in a bank’s name. Fraudulent activity comes in different shapes and forms, including phishing scams, spoofing and credential theft, and identity theft aimed at checking, savings, and 401(k) retirement accounts. Spoofing is particularly concerning. Attackers register domains that look like the bank’s and clone its pages, so the fake site looks and functions just like the real one while harvesting whatever the victim types.
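The look-alike domain problem described above can be turned into a simple filter. The following is an added example, not code from the article or from any vendor quoted in it; the bank domain `examplebank.com`, the homoglyph table and the candidate domains are all constructed for the illustration, and the registrable-domain logic is deliberately naive (last two labels), which is fine for `.com` but would need the public suffix list in production.

```python
# Heuristic detection of domains that impersonate a bank's real domain.
# Added example; BANK_DOMAIN and the candidates below are constructed, not real.

BANK_DOMAIN = "examplebank.com"  # constructed for this example

# Characters and pairs attackers commonly substitute for visually similar ones.
# This table is a heuristic and will occasionally rewrite legitimate strings.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels (no public suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Map common homoglyphs back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(candidate: str, bank: str = BANK_DOMAIN) -> str:
    """Return one of: legitimate, homoglyph, typosquat, brand-in-other-domain, unrelated."""
    cand_reg, bank_reg = registrable(candidate), registrable(bank)
    cand_label, bank_label = cand_reg.split(".")[0], bank_reg.split(".")[0]
    if cand_reg == bank_reg:
        return "legitimate"                 # www.examplebank.com, mail.examplebank.com ...
    if normalize(cand_label) == bank_label:
        return "homoglyph"                  # examp1ebank.com
    if levenshtein(cand_label, bank_label) <= 2:
        return "typosquat"                  # examplbank.com
    if bank_label in candidate.lower():
        return "brand-in-other-domain"      # examplebank.com.login-verify.net
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates of the kind a mail or proxy filter would see.
    for d in ["www.examplebank.com", "examp1ebank.com", "examplbank.com",
              "examplebank.com.login-verify.net", "examplebank-secure.com", "google.com"]:
        print(f"{d:40} -> {classify(d)}")
```

The order of the checks matters: the homoglyph test runs before the edit-distance test because a one-character substitution would otherwise be reported as a plain typo, and the brand-substring test runs last because it is the loosest. Anything other than "legitimate" or "unrelated" is a candidate for blocking or for a takedown request.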
Attackers also probe for vulnerabilities in the banks’ own applications and in those of their suppliers. Web application attacks such as SQL injection, local file inclusion, cross-site scripting, and OGNL injection in Java frameworks all work the same way at heart: attacker-controlled input is placed where the application expects code, a query, or a file path, so the input is executed or interpreted rather than treated as data, with the intent to steal or disrupt. Supply chain security matters for the same reason. When a bank’s third-party vendors do not have good security measures, it is the bank that is affected. Last but not least, state-sponsored attacks are expected to increase as a form of conflict among countries.
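To make the injection mechanism concrete, here is an added example (not code from the article) contrasting a query that splices user input into SQL text with one that binds it as a parameter, using Python’s built-in sqlite3 module. The accounts table and the `' OR '1'='1` payload are constructed for the illustration.

```python
import sqlite3

# Constructed sample data for the example: a toy accounts table.
ACCOUNTS = [
    ("alice", "ACC-1001", 2500.00),
    ("bob", "ACC-1002", 980.50),
    ("carol", "ACC-1003", 41200.00),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, number TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The caller's input is pasted straight into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT owner, number, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    # The statement and the value travel separately; the driver never parses
    # the value as SQL, so quotes and keywords in it are just characters.
    sql = "SELECT owner, number, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a classic tautology payload."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_attack": lookup_vulnerable(conn, payload),   # dumps every row
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_attack": lookup_parameterized(conn, payload),      # no owner has that literal name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} {rows}")
```

With the payload, the vulnerable query becomes `WHERE owner = 'x' OR '1'='1'`, which is true for every row, so the caller gets the entire table; the parameterized version looks for an owner literally named `x' OR '1'='1` and returns nothing. The same separation of code from data is the fix for the other injection classes the paragraph lists.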
In today’s environment, banking cybersecurity is a tug of war with cybercriminals. On the bright side, the global banking community is taking the cyber threat very seriously. Many organizations are coming together to help fight cybercrime on a global basis.
Earlier this year, the European Systemic Risk Board (ESRB) published a comprehensive report, Mitigating Systemic Cyber Risk. The report provides strategies for mitigating the risk of financial instability when cyberattacks occur, available to all the banks.
Fig. 3: Enforcement activities in Europe. Source: ESRB’s Mitigating Systemic Cyber Risk report.
Separately, the Center for Strategic and International Studies (CSIS) published its updated research information in the Financial Sector Cybersecurity Requirements In The Asia-Pacific Region report to help banks in the Asia-Pacific region gain the upper hand. CSIS, a nonprofit policy research organization, provides practical ideas to help solve the world’s greatest problems.
How to fight back? While there is no perfect solution to guarantee cybersecurity 100% of the time, banks and financial institutions should build the most secure defense with the strongest available technology and, at the same time, apply the best practices. Together, these will help banks deter cybercriminals and minimize risks and loss.
The three major components for establishing a robust banking cyber defense system include strong defense system deployment, continual monitoring and threat detection, and damage containment and recovery plan if attacked.
Strong defense system deployment. The defense system’s connected banking architecture should always include end-to-end security. Each element of the network – the cloud, servers, terminals, and endpoint devices, including mobile phones and ATM machines – should be secure. This is easier said than done primarily because the hardware and software on the network are made by various suppliers. Within the supply chain the degree of security sophistication varies. While it is difficult, it is the responsibility of individual banks to secure their networks and device connections.
Banking network systems design should take a top-down, layered approach, segmenting the network so that a breach of one segment exposes only the data in that segment rather than everything. Additionally, all basic security requirements, including hardware and software, must be observed, and best practices should be applied to achieve maximum security.
At a minimum, security system design requirements should include the following:
- Cybersecurity should be part of the business planning practice with annual budgets.
- Data should always be safeguarded against cyber threats with the highest level of encryption, and access limited to authorized individuals only. Multi-factor authentication should be applied.
- System vulnerabilities are discovered daily. When patches are available, they should be treated with the highest priority. It’s dismaying to hear news about how a system vulnerability was discovered, yet applying the known patches took months, enabling system breaches to continue.
- Include AI as a tool to detect threats whenever possible.
- This may sound like common sense, but training bank employees to defend against cyber threats may not be practiced by everyone.
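The multi-factor authentication item above is usually implemented with time-based one-time passwords. As an added example (not from the article), the following is a minimal TOTP implementation per RFC 6238 on top of HOTP (RFC 4226), with a verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept a counter that has already been used. The secret `12345678901234567890` is the RFC 6238 test key, so the values can be checked against the RFC’s published vectors.

```python
import hmac
import hashlib
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # ASCII test key from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used: int = -1):
    """Return the counter that matched, or None.

    window: how many steps of clock drift to accept on either side.
    last_used: the highest counter already accepted for this user; anything at or
    below it is rejected so a captured code cannot be replayed within the window.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue
        # compare_digest avoids leaking how many leading digits were right via timing
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    matched = verify_totp(RFC_TEST_SECRET, code, now)
    print("current code:", code, "matched counter:", matched)
    # Replaying the same code with last_used set to that counter must fail.
    print("replay accepted:", verify_totp(RFC_TEST_SECRET, code, now, last_used=matched))
```

In a real deployment the shared secret is provisioned once, stored encrypted server-side, and the accepted counter is persisted per user; the example keeps that state in the caller’s hands so the logic stays visible. TOTP is still phishable in real time, so a bank that can move to FIDO2 or another origin-bound factor should.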
“Because banking systems are so complex, a defense in-depth approach is typically used. By including multiple layers of defense such as strong authentication, tamper-resistant hardware, honey pots, and AI-based anomaly detection, the compromise of one or more components can be prevented, detected, and mitigated,” said Infineon’s Hanna.
Continual monitoring and threat detection. All banking systems should have continual, automated monitoring and detection of threats, with AI-based analytics included wherever possible. When a threat is detected, response actions should be taken in the shortest possible time, before serious damage occurs.
Fig. 4: Threat detection and response. Source: Gartner
Damage containment and recovery plan if attacked. When attacks occur, the layered design of the banking system should contain the damage and prevent malware from spreading. This may mean instant lockdown of part of the systems around the world, in the case of an international bank.
“Financial system architects should first know most attack vectors to prioritize system design countermeasures, since a particular device in the system can have specific ‘security assets’ and expose specific vulnerabilities,” said Ansys’ Lin. “For common hardware vulnerabilities, you can refer to the common weakness enumeration website to validate the effectiveness of design countermeasures at the chip level. Semiconductor companies have to adopt a pre-silicon security verification flow and a lab testing procedure for security compliance. It calls for collaboration among security experts, design engineers, and EDA vendors.”
This is critical, given the connectedness of various financial networks. “Financial systems, especially payment processing systems, must support a wide variety of clients,” said Jamie Boote, software security consultant in Synopsys’ Software Integrity Group. “The long delay in upgrading past magnetic stripe readers to chip and pin wasn’t caused by technology. Instead, contracts with clients, SLAs, and the logistical problems of rolling out new payment systems to venues ranging from large multi-national retail chains to small ‘mom and pop’ shops meant that mandating upgrades to new technologies could see delays lasting years.”
While the industry is now looking at future-proofing systems against security threats, this wasn’t always the case. “Technologies lacked methods to add encryption, new interfaces, or other security measures,” Boote said. “Additionally, contracts with partners may mandate specific encryption algorithms for connections or file formats, and until multi-year contracts expire and can be rewritten, known security holes will continue to exist. Every year, encryption algorithms are deprecated due to increases in computing power or newly discovered vulnerabilities. However, partner contracts that don’t have an upgrade clause may be forced to continue to run on vulnerable algorithms and face contractual penalties greater than the cost of a related security incident.”
Future outlook: Living dangerously
Mobile banking and the convenience of connected banks worldwide will continue to drive demand. Online trading, fund transfers, credit card transfers, ATMs, bank account access, and mobile phones are here to stay. More and more users, especially those in developing countries, will continue to use the Internet for banking, including over wireless connections. As a result, 4G and 5G banking will grow by leaps and bounds. This means every cell phone and every bank account is a target. There is no escape from cyberattacks.
The application programming interfaces (APIs) behind most mobile apps are not as safe as people think. Banking Trojans typically arrive disguised as legitimate apps. Once installed on a consumer’s device, they overlay fake login screens on top of the real banking apps or abuse accessibility permissions to capture credentials and intercept one-time codes, rather than attacking the bank directly.
In February 2022, a new Android banking Trojan called Xenomorph was discovered by ThreatFabric, a mobile security firm. The threat actors had gone after the official Google Play Store: the dropper app carrying the Trojan had been installed more than 50,000 times, and the malware targeted the customers of 56 different European banks. This particular malware appeared to be in its infancy, which may indicate an alarming new trend.
Perhaps mobile phone banking is most vulnerable. David Stewart, CEO of Approov, offered this advice: “More than 50% of mobile apps contain valuable and easily stolen API keys and tokens. Hackers targeting the mobile banking segment constantly come up with innovative ways to modify or manipulate those mobile apps. Most often, they completely bypass the mobile app and generate their own scripts using stolen API keys and tokens to impersonate the mobile apps, fooling the banks into thinking the real user is online. The only solution is to authenticate that the real mobile app is present through a deep, real-time analysis, much like verifying the DNA of the mobile app to prevent money or sensitive data from being stolen. Further, such authentication must run every few minutes and must generate cryptographically secure and distinct access tokens at the end of each process.”
Whether for a bank, a financial institution, or a consumer, fighting cybercrime will be an ongoing activity. The attacks will only become fiercer over time, and defending and fighting back are the only choice. In this battle the defender has to stop every attempt, while the attacker only needs to get through once for an account to be compromised.