As Concerns of Cyberattacks Grow, Banks Look to New Means to Protect Networks


Fantastic article from Moneylaundering.com's Colby Adams on the steps US financial institutions are taking to protect themselves from cyber attacks. Very well worth a read...

"U.S. financial institutions are reevaluating their cybersecurity controls in light of increasingly complex online attacks aimed at stealing client funds and data, according to experts. 

The reviews, some of which have come in response to a confidential U.S. Treasury Department advisory, have coincided with recent disclosures by the Society for Worldwide Interbank Financial Telecommunication (Swift) that unidentified hackers managed on at least two occasions to access and send fraudulent payment instructions over the Brussels-based consortium’s financial messaging platform.

The incidents prompted department officials to quietly circulate warnings that such attacks could be repeated on a scale large enough to disrupt global payments, ACAMS moneylaundering.com learned in May. The department, which in 2014 asked banks to report cyberattacks much as they do suspicious transactions, is “actively monitoring” related regulatory filings, according to sources.

In response to governmental scrutiny and separate advisories by Swift, a number of financial institutions are weighing whether to implement biometric checks and require passwords that expire after a single usage in order to guard against authorized access to their interbank portals, according to Kevin Streff, founder of Secure Banking Solutions, a cyberdefense firm based in Madison, SD.

Others have begun sending spam emails to their employees to identify which are most likely to introduce malware into institutional computer networks, said Streff.

“The Swift network is a black box as far as a bank is concerned, because they only view the inputs and outputs. They don’t and can’t know what’s going on inside. The only thing to do is limit access to it, test employees, make sure everyone knows to not open email attachments or visit external websites with bank hardware,” he said.

Last month, Swift CEO Gottfried Leibbrandt disclosed that the consortium could soon bar member banks with weak cybersecurity controls from accessing its interbank messaging platform. Three days later, the consortium announced plans to issue new security standards for its members and consider additional tools to “quickly recall” fraudulent payments.

“We recommend that customers consider third-party assurance reviews and, where necessary, ask your correspondent banks and service bureaux to work with you on enhanced arrangements,” Swift told financial institutions in a May 13 statement. 

JPMorgan Chase limited employee access to Swift amid reports that attackers installed malware on the Bangladesh Bank’s interbank portal and exploited the network to steal $81 million from the institution’s account with the U.S. Federal Reserve, anonymous sources told The Wall Street Journal.

U.K. officials instructed banks to outline plans for guarding against fraudulent access to their own Swift terminals shortly after the Bangladesh Bank heist, Reuters reported in May. The attack culminated in February, two months after nearly identical malware facilitated a similar scheme involving Vietnam’s Tien Phong Bank Swift server.

Vietnamese officials believe the malware which targeted Tien Phong Bank was inadvertently installed by a third-party Swift contractor, a Vietnamese central bank official told Reuters.

In contrast, the Bangladesh Bank heist most likely commenced with a spear phishing attack, according to BAE Systems.

Spear phishing, which often involves tricking a targeted institution’s employees into downloading malware via spam emails, represents the biggest cyberthreat against financial institutions, John Riggi, section chief of the FBI’s cyber outreach section, told attendees of an ACAMS moneylaundering.com conference in April.

Perpetrators of spear phishing attacks usually target internal money processors, ATMs and customer accounts after successfully infiltrating the victim financial institution’s networks, Riggi said.

The scale of such intrusions, which in some cases have prompted major banks to spend hundreds of millions of dollars in cyberdefense budgets, only seems to be growing.

In 2015, members of the so-called Carbanak group exploited a common cybersecurity vulnerability to access the internal systems of more than 100 financial institutions in 30 countries and steal $1 billion. Carbanak manipulated the Swift network to transfer some of the funds, according to Kaspersky Lab, a Russia-based cyberdefense firm that first reported the heist.

Other attacks, like that disclosed by JPMorgan Chase in 2014, have involved the theft of client data and the misuse of customer accounts.

Hacks into brokerages can facilitate penny stock frauds and pump-and-dump schemes that could trigger scrutiny from anti-money laundering (AML) compliance departments, according to Adam Cohen, managing director of the Berkeley Research Group, a New York-based consultancy.

“A hacker with control of several accounts can more rapidly spike the price of any particular security. As an AML person, your antenna has to be up at that point, because you’re going to be held responsible for a higher level of diligence,” he said.

After learning of an attack, cybersecurity personnel should alert their institution’s AML and anti-fraud departments to immediately review both incoming and outgoing high-value wire transfers, among other categories of unusual transactions, according to Cohen.

Cooperation is already on the rise among the cybersecurity, information security, anti-fraud and AML functions within banks, all of which involve identifying and mitigating risk, according to Doug Johnson, senior policy analyst at the American Bankers Association in Washington, D.C.

“Of course, there are technical things that need to be done and have to be done a certain way, but cybersecurity is largely a risk-based exercise because it’s understood that you can’t defend everything. You have to evaluate where your greatest threats may originate and how those threats may evolve,” said Johnson.

Risk levels vary significantly across different sizes and types of financial institutions, the Federal Financial Institutions Examination Council said recently in a study that identified “major shortcomings” in cyber-risk management.

The Office of the Comptroller of the Currency subsequently identified cybersecurity as one of its top five exam priorities for 2016, alongside underwriting policies, interest rate risks and strategic risks and AML compliance.

As with their AML controls, banks can mitigate the risk of cyberattacks but not entirely eliminate them, said T. Jack Williams, president of ERAD Group, a Dallas-based electronic payment network design firm and consultancy.

“It’s just not going to be possible to entirely silo off one server from another, in the truest sense of the word,” he said. “If the hacker does his research beforehand, knows how to cover his tracks and be patient, chances are he’s going to find a way through,” he said."
