Feeds

Blighty's top moneymen: Hackers are SLURPING CASH direct from banks

Bank of England warns financial institutions to take cyber-crime threat seriously

Top 5 reasons to deploy VMware with Tegile

Several UK banks have suffered actual financial losses as a result of cyber-attacks in the last six months, according to a Bank of England study.

The Bank of England’s latest Financial Stability Report, published on Thursday, reiterates warnings about the risk posed by hacking attacks made six months ago when Andrew Haldane, the BofE's director of financial stability, testified before parliament's Treasury Select Committee.

Haldane was passing on the view from representatives of Britain's top banks that computer security was their biggest operational risk.

The latest report (PDF) from the central bank contains a small section, titled "Operational risks, including from cyber attack, remain a concern" that riffs further on this theme.

The June Report also highlighted potential operational risks related to financial institutions’ information technology (IT) systems. A quarter of respondents to the Bank of England’s 2013 H2 Systemic Risk Survey highlighted operational risk as one of the main risks to UK financial stability.

Over half of these responses cited risks from cyber attack — where an individual or group seeks to exploit vulnerabilities in IT systems for financial gain or to disrupt services. Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services.

While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.

Concerns that high-volume DDoS attacks of the type that interrupted the operations of US banks last year might easily be deployed against Britain banks to similar effect have fortunately proved groundless. Reported operational problems in UK banks (such as recent incidents at Barclays and HSBC) have come as a result of system failure, rather than hostile attacks.

An April attack that led to arrests in September after crooks allegedly planted remote-control hardware in a computer at a Barclays bank branch, which was linked with the alleged theft of £1.3m, is a cause for concern – but no great worry on the grander scheme of things.

A far more tangible existential risk comes from something like an ATM cash-out scam, which cost two Middle Eastern banks $45m last year after hackers broke into a database of prepaid debit cards.

Many operational problems would, of course, be known to the Bank of England without reaching the press. And banks are stepping up their readiness to deal with attacks. For example, financial firms and banks across London took placed in a cyber-war game earlier this month, code-named Waking Shark II.

Banks have focused on credit, market and liquidity risk over the past five years because of financial sector upheavals, caused first by the sub-prime mortgage crisis and banking bailouts of 2008, followed by the ongoing eurozone crisis and a general recession across the EU. The vast majority of the Bank of England's report focuses on these types of risks rather than anything posed by computing attacks, which, nonetheless, still pose a risk that cannot be ignored. Security vendors not unsurprising focused on cybersecurity in commenting on the report.

Peter Armstrong, director of cyber security at Thales UK, said banks need to move towards more integrated cyber defences.

“The combination of high interconnectedness, reliance on centralised market infrastructure and complex legacy IT systems are leaving our banks vulnerable to cyber attacks," Armstrong said. "A holistic approach that is designed to tightly integrate cyber-defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors."

Armstrong placed a particular emphasis of re-training staff and sharing threat intelligence among financial institutions as important tactics in the never-ending fight against cyber attacks.

"Banks must make more effort to retrain or re-skill their employees," he said. "Much more emphasis should be placed on retention of soft skills, IP, organisational culture, the evolution of internal security policies and knowledge of legacy systems."

"Greater collaboration on cyber issues should also lead to an improvement in cyber awareness and continuous policy evaluation and adaptation, particularly as external attacks multiply faster than legacy IT security solutions can currently keep up with," he added.

Chris McIntosh, chief exec at security and communications company ViaSat UK, said the cyber threat warning from the central bank comes as little surprise because the financial sector is routinely targeted by state-sponsored and organised crime elements.

"Rather than waiting for the next data breach to occur, the UK’s banks need to realise that they have likely already been compromised and need to work back on this basis… The financial sector is the custodian of millions of customer details and the gateway to billions of pounds. Unless this sector takes the right action, we will see attacks become more refined and sophisticated with massive repercussions for this sector and the wider economy,” he concluded.

A extensive catalogue of the documents released at part of the central bank's Financial Stability Report, November 2013 can be found on the BofE website here. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.