With the increasing number and frequency of sophisticated attacks on the banking sector in the region, the need to develop a comprehensive cybersecurity programme is now more pertinent than ever, Daniel Bardsley reports.
Few organisations are more inviting targets for cyber-attackers than banks.
It is unsurprising, therefore, that news reports are full of cases of banks from all over the world that have fallen victim.
Just recently, for example, a North Korean hacking group, APT38, was identified by a cybersecurity organisation as being responsible for incidents that had defrauded banks of vast sums of money.
Banks in the UAE and elsewhere in the GCC are not immune to the dangers, having been attacked in various ways and on multiple occasions.
A 2016 report, Top 5 Cybercrime Attacks and Trends on GCC Banks, published by the International Quality and Productivity Center (IQPC), indicated how wide the range of threats that the region’s banks face is.
There is data theft, such as the “Hacker Buba” November 2015 incident in which hundreds of customers’ data was stolen from a Sharjah bank.
Another data theft attack on banks, this one a few years earlier and affecting institutions in the UAE and Oman, resulted in tens of millions of money being taken from cashpoints outside the UAE after prepaid debit card details were stolen.
Banks in the region also face Distributed Denial of Service (DDoS) attacks, such as when, at the end of June 2015, several UAE banks saw their operations disabled because of efforts by the group Anonymous.
The report by IQPC, which has run the Cyber Security in Banking conferences in Dubai, also highlighted the problem of ransomware attacks. Both banks and customers are at risk, and the report said that an extraordinary $1.36 billion was lost by UAE bank customers in 2015 due to these types of incidents.
Often coming from well organised cyber-criminal gangs, the threats appear to be intensifying. According to an early 2018 estimate from John Drzik, president of Global Risk and Digital at the insurance broking and risk management company Marsh, annual worldwide cybercrime losses – from attacks on banks, other institutions and individuals – are estimated to total $1 trillion.
Figures recently reported by the media indicate that, in the first six months of this year, $658.04 million (£503.40 million) was stolen from customers of British banks alone.
Fraudsters used a variety of ways to get hold of other people’s money, including coming up with scams that made them pay for goods and services that never existed or did not arrive. Such scams are a type of authorised push payment (APP) fraud, which lost consumers and businesses a total of £145.4 million, only about one fifth of which banks and other financial providers were able to return to consumers.
Other types of non-authorised fraud, such as theft after the takeover of an account, were responsible for the remainder of the half billion pounds or so stolen.
David Birch, a commentator on digital financial services and a founder of Consult Hyperion, a digital transactions consultancy, says there are “all sorts of risk” facing banks.
“The risk of credit-card fraud is different from the risk of small business bank account takeover, which is different from payment misdirection,” he says.
Breaches are not the result only of technology. As is so often the case with cybersecurity vulnerabilities, the human factor is also of key importance.
“If you look at a lot of the things that have been going on recently, quite often it’s not hackers, it’s an inside job,” says Birch.
“It’s people bribing bank employees for account details and that sort of thing. A lot of these people are vulnerable to social attack.”
As more people carry out banking transactions using mobile phones, new cybersecurity risks are opened up, such as those that come from the use of mobile banking trojans. These are a form of malware, typically an app, used to steal money from users’ accounts.
As the cybersecurity company Kaspersky Lab has previously described, people are lured into installing these apps because they are disguised to appear to be legitimate.
“Once the banking app is launched, the trojan displays its own interface overlaying the banking app’s interface. When the user inputs credentials, the malware steals the information,” Kaspersky Lab says.
According to figures reported by Kaspersky Lab, there was a significant increase in the number of installations of mobile banking trojans in the second quarter of this year, with the figure reaching more than 61,000, a statistic that represented “a massive influx”.
This number is certainly a cause for worry: in the first quarter of this year, the total was less than 20,000, while over the past three years the quarterly figure has never before exceeded 30,000.
When the numbers were published in August this year, Victor Chebyshev, a cybersecurity specialist at Kaspersky Lab, said in a statement that the growth showed that “cybercriminals are constantly creating new modifications to their malicious software to make it more sophisticated and discreet for cybersecurity vendors to detect”.
“Users and the industry should be extremely cautious and vigilant in the coming months as the trend continues to grow,” he says.
Yet while new vulnerabilities are created, Birch thinks that, overall, the growing popularity of mobile banking is a good thing in cybersecurity terms, at least “when it’s managed properly”.
“It’s a much more secure mechanism than the traditional things – phoning up or walking into a shop for a debit card,” he says.
“There’s a lot of new technology around. They can tell whether it’s a different SIM; is it doing what you normally do; are you in a different place. These are really big positives. There’s a lot of work going on about passive biometrics; I’m quite bullish about the possibilities.”
The way the keys are being tapped can indicate whether the legitimate user is in charge of a device or not.
“You have the first steps in machine learning that looks for unusual patterns or behaviour, then it moves to full AI [artificial intelligence], which holds out the greatest hope,” says Birch.
“The ability to spot unusual patterns is fantastic and by itself makes a vast different in what people can or cannot get away with.”
One reason why Birch sees the increased use of machine learning and AI as such a significant development when it comes to bank cybersecurity is the asymmetry in terms of who has the data: the banks have such a lot, and the criminals not as much. This, he says, is the banks’ “trump card in the future against fraudsters”.
“The sheer volume means your AI will be better than other people’s data. These fraudsters’ AI may be very good, but the banks have more data. What’s crucial to spotting patterns is the volume of data you can feed into it. Machine learning needs huge amounts of data. That’s a cause for optimism,” he says.