Earlier this month, I’d attended an event organised by the UAE Banks Federation (UBF), which has created a platform for banks in the region to come together and share threat intelligence. At present, this alliance has 13 financial institutions actively collaborating on threat information.
The UBF event’s keynote address was delivered by William Carter from the US-based think tank Center for Strategic and International Studies, who mapped out the forces shaping threat landscape for financial institutions. Among other attack vectors, he singled out mobile banking as the biggest threat faced by banks today, which I think is something banks in the Middle East need to get serious about. With the advent of digital technologies, mobile banking now represents around 40 percent of customer engagement for banks, and if surveys are anything to go by, this would become the primacy customer engagement channel in near future. Though mobile security has improved significantly, there are still many low-cost devices with questionable security features out there , especially in developing countries, and this should be a growing concern for banking CISOs.
While many banks use multi-factor authentication methods and one-time-password (OTP) systems to prevent fraud, cybercriminals have found ways to bypass these systems as we have seen in the case of Gozi banking Trojan. Another scary scenario painted by Carter is cybercriminals using bots to search Project Unicorn or Shodan for banks that use Apache Struts (an open source web application framework widely used by banks but contains many known vulnerabilities) and then use off-the-shelf ransomware to exploit those vulnerabilities.
When it comes to cybersecurity, I don’t think anyone can dispute the fact that the banking and financial industry has moved forward by leaps and bounds, and yet there is still a long way to go. If you want to pull off a bank heist today, all you need is a computer not a gun. It is why UBF’s initiative on threat intelligence collaboration is a welcome step in the right direction. However, threat intelligence collaboration is still in a nascent stage, and we need more region-specific threat intelligence centres and ISACS, and SOCs with advanced threat hunting capabilities. Finally, to make threat intelligence more meaningful and glean actionable intelligence out of it, banks would need to find subject matter experts and more private/public sector partnerships. And that’s the only way to you are going to find that needle in a needle stack.