Financial services organisations are constantly examining new security measures to stay one step ahead of online criminals

Are the bank robbers winning?

Financial institutions offer phishers and hackers the juiciest of targets. Tom Young asked an expert panel how confident the banks can be about their IT security

Written by Tom Young

The financial services sector spends more heavily on IT than any other and often pioneers new technology, but it is also the sector where information security is under the greatest pressure. Phishers and hackers put plenty of energy into scams to defraud the banks’ customers and siphon off the money in their accounts.

Computing recently hosted a two-part video roundtable on IT security in financial services to explore the issues. The expert panel comprised:
* Richard Hackworth, ex-chief information security officer at HSBC.
* Marcus Alldrick, ex-chief information security officer (CISO) at Abbey.
* David Luijerink, head of fraud risk management at KPMG.

Can you give us an overview of the situation concerning IT security in financial services? What should we be looking at?
MA: The major concern within the financial sector has to be data leakage: the breadth and depth of it, and the implications of it.

RH: I would agree, but I think that the concerns go a lot wider.

Financial services organisations are now critically dependent on some very complicated technologies for delivering primary services to customers. The commercial dependence on the technology working right, securely and with confidence becomes really quite critical.

DL: There are also wider implications for institutions.

If they have a breach, it may have an impact on their institution, but more widely on the other institutions that they deal with and the wider community. It is certainly an issue of concern for management and regulators.

Do you think that data leakage and security breaches are new issues?
MA: I think that the issues have been well known for quite a while, but the scale of the problem has increased.

With the introduction of new technology and new practices, not least bringing practices from home into work, it has got worse. As well as a technology change, you have a cultural change.

Also underlying that is what is being termed the underground economy.

The perpetrators of attacks are becoming more sophisticated and we’re seeing a commoditisation of the information that’s being leaked or stolen. It has become more sophisticated, and business principles are now being applied to the distribution and the selling of this information. That is of major concern.

One of the reasons for developing underground business is the spread of online banking. What do banks offering online services need to be particularly aware or concerned about?
RH: I think they need to be concerned about their dependence on a remote customer for protecting a lot of the online banking services they use.

Financial services organisations undertaking internet banking are critically dependent on a remote PC which is outside of their control. That fact is recognised by regulators and the criminal community.

The profile of the issues has grown enormously over the past five years. At a technical level, I think a lot of the issues have not moved very much in terms of their technical description, but in terms of their depth and complexity they definitely have.

And I think underlying all of that, management must realise that technology has become an essential part of the competitive stance. Consumers are now comparing service providers in terms of the way the technology works as well as the service provided.

That puts quite an edge on what banks are trying to deliver. Organisations and institutions are trying to distinguish themselves from the competition by the way in which they deliver electronic services.

Do you think management concerns and regulation are well aligned?
DL: I think management is acutely aware of what the regulator may think, particularly if these issues aren’t controlled or they get out into the wider community.

But it goes back to an earlier issue regulators will be looking at: how does the business manage these types of incidents and what sort of assessment does it have?

We’ve spoken about the speed of transactions and faster payments after coming online, but it’s also about the rest of the business keeping pace with what’s happening on the IT front.

People need to understand the implications when new technology is being embedded for their customers, and how it affects their jobs.

Can you give us a timeline or example of how your bank dealt with a breach?
MA: We had an issue concerning an outsourced service.

Naturally, at the time it was a very sensitive issue. What happened was somebody had sent a proposal for the outsource, which was coded, to an unsecured printer.

Somebody else picked it up, read it and saw the implications, and gave it to a union representative. The next thing it was in the local newspaper.

The investigation was naturally reactive but luckily the document was coded. We had controls over who received it and so we could actually track it down. It was encrypted and there were strict instructions that it wasn’t to be forwarded or copied.

We found out who had done it and how it occurred. That took about two days, though.

In the meantime, we had to make sure we had the right communications in place to inform employees what was going on and to make sure that they were reassured that everything was being done to look after their interests.

Nevertheless it was an incident and it put the bank on the front page of a newspaper, which had not been anticipated at all.

RH: The adverse publicity that follows a breach can be one of the larger parts of the impact.

The emphasis that Marcus put on managing people (communication with those affected, whether they are trading partners or customers) is very important.

If you look at something such as a phishing incident, which is more common in a way, once you’re alerted to the issue you have to track down the source: where is the phish coming from?

Industry statistics indicate that it can take an average of six or seven days to track down the phisher, which I think is too long. A company operating without its own resources also has to rely on quite a lot of external help just to do that.

HSBC is an unusual group. Because of its global reach we were able to track down phishing attacks in under two days. But HSBC is in a privileged position and I don’t think it’s good enough for the industry as a whole.

General industry players need external support to do it much quicker than that. To track phishers down faster, we need a much higher level of international co-operation than I see happening at the moment.

I think the mention of the regulators that David made earlier is very important as well. As regulators become more interested in the impact of a security breach on the paying public, so the heat on management increases to solve these problems more quickly.

Sometimes an incident can be no more than a reported breach. It doesn’t even have to be a real breach: just a strong rumour going around that something’s gone wrong means that you have to manage it.

The typical timeline is two days to find out what the source of the issues is. Then, depending on the technology, it might be another three, four or five days to sort it. For some incidents, it can take a bank a significant time to recover from the incident. The visible impact on customer service can be appreciable.

MA: In trying to get the phishing site closed down you can’t launch an attack on the web site to bring it down; that is illegal under the Computer Misuse Act.

So you really need very joined-up procedures with all parts of your organisation, especially legal people, who then have to contact the ISP with a legal notice to get the site shut down.

The issue is complicated when the site is located in somewhere such as Taiwan, which is in a completely different time zone and the people might not speak English. That all exacerbates the situation.

So if people think two days is a long time, yes it is, but in reality it can take that long because of the various implications you have to deal with.

RH: And almost always when dealing with a phishing attack or a hacking attack, or an attack of a piece of malicious software directly at a customer, it is going to come from a different country.

There’s a whole layer of administrative and legal issues that have to be worked through. It can be quite tough.

Most US states now have a data breach notification law. There has been some discussion over whether such a law should be introduced over here, and global organisations such as HSBC are affected by the law as it stands. What are the issues surrounding a similar law over here?
DL: You have various sides to look at. One is from the point of view of the organisation, which is about containing the information.

If you have such an incident in your organisation, one of the issues is whether to tell other people so that they can better guard against what could be happening, or to try to stop it going any further.

That’s quite a difficult thing for an organisation to deal with. When does it notify the rest of the customer base it could potentially affect? Of course, the regulator may have a different view because of the wider impact on the community.

I think every case is quite different, and sometimes these cases have wide-ranging impact and there could be data relating to a lot of customers.

If you have cases where you know that an incident has happened because somebody has reported it, then you are at least able to contain the incident within a reasonable time and follow a course of action.

Sometimes organisations don’t know that something has happened. For example, a CD containing information has fallen into the wrong hands by accident (the organised crime fraternity perhaps). That’s more of a problem because nobody has actually raised with you the specific information leak, so talking about how responsive you are is a little bit different because you don’t know about something that happened just yesterday.

MA: At an operational level, whoever lost the information wants to make sure that a copycat attack cannot be successful, so it takes time to put in the appropriate controls to ensure that.

If it’s concerning account information, you want to make sure it’s not going to involve first-party fraud by people who might be involved claiming that certain transactions were fraudulent.

As a result of something like that, calls to call centres are going to go up, so you need to be able to improve your cover to take these calls. There are strong operational implications about what needs to be in place to make sure you can cope with the result of the reporting.

More information is going outside the firewall on smaller and smaller devices. How difficult is it for a large organisation to track which information is going where?
RH: It is both very important and very difficult. This is a key point.

Technology is making it ever easier for information to be portable, and to leave an organisation’s physical perimeters on a USB stick or a laptop.

The extent of the technology and the infrastructure that people use these days means it’s probably impossible to track where every bit of data is. Nothing would work if you had such controls in place.

So you have to look for general controls over data whenever it is on a portable device. A difficult problem is staff or visitors or technical support bringing in devices and having the opportunity to copy data and take it out for whatever reason (accidentally, but not necessarily maliciously).

In some ways modern technology has passed a tipping point and the question of capturing data has become more critical.

Watch the video of our IT security roundtable at www.computing.co.uk/tv
