Blighty's top moneymen: Hackers are SLURPING CASH direct from banks

Bank of England warns financial institutions to take cyber-crime threat seriously

Several UK banks have suffered actual financial losses as a result of cyber-attacks in the last six months, according to a Bank of England study.

The Bank of England’s latest Financial Stability Report, published on Thursday, reiterates warnings about the risk posed by hacking attacks made six months ago when Andrew Haldane, the BofE's director of financial stability, testified before parliament's Treasury Select Committee.

Haldane was passing on the view from representatives of Britain's top banks that computer security was their biggest operational risk.

The latest report (PDF) from the central bank contains a small section, titled "Operational risks, including from cyber attack, remain a concern" that riffs further on this theme.

The June Report also highlighted potential operational risks related to financial institutions’ information technology (IT) systems. A quarter of respondents to the Bank of England’s 2013 H2 Systemic Risk Survey highlighted operational risk as one of the main risks to UK financial stability.

Over half of these responses cited risks from cyber attack — where an individual or group seeks to exploit vulnerabilities in IT systems for financial gain or to disrupt services. Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services.

While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.

Concerns that high-volume DDoS attacks of the type that interrupted the operations of US banks last year might easily be deployed against British banks to similar effect have fortunately proved groundless. Reported operational problems in UK banks (such as recent incidents at Barclays and HSBC) have come as a result of system failure, rather than hostile attacks.

An April attack that led to arrests in September after crooks allegedly planted remote-control hardware in a computer at a Barclays bank branch, which was linked with the alleged theft of £1.3m, is a cause for concern – but no great worry on the grander scheme of things.

A far more tangible existential risk comes from something like an ATM cash-out scam, which cost two Middle Eastern banks $45m last year after hackers broke into a database of prepaid debit cards.

Many operational problems would, of course, be known to the Bank of England without reaching the press. And banks are stepping up their readiness to deal with attacks. For example, financial firms and banks across London took part in a cyber-war game earlier this month, code-named Waking Shark II.

Banks have focused on credit, market and liquidity risk over the past five years because of financial sector upheavals, caused first by the sub-prime mortgage crisis and banking bailouts of 2008, followed by the ongoing eurozone crisis and a general recession across the EU. The vast majority of the Bank of England's report focuses on these types of risks rather than anything posed by computing attacks, which, nonetheless, still pose a risk that cannot be ignored. Security vendors, unsurprisingly, focused on cybersecurity in commenting on the report.

Peter Armstrong, director of cyber security at Thales UK, said banks need to move towards more integrated cyber defences.

"The combination of high interconnectedness, reliance on centralised market infrastructure and complex legacy IT systems are leaving our banks vulnerable to cyber attacks," Armstrong said. "A holistic approach that is designed to tightly integrate cyber-defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors."

Armstrong placed a particular emphasis on re-training staff and sharing threat intelligence among financial institutions as important tactics in the never-ending fight against cyber attacks.

"Banks must make more effort to retrain or re-skill their employees," he said. "Much more emphasis should be placed on retention of soft skills, IP, organisational culture, the evolution of internal security policies and knowledge of legacy systems."

"Greater collaboration on cyber issues should also lead to an improvement in cyber awareness and continuous policy evaluation and adaptation, particularly as external attacks multiply faster than legacy IT security solutions can currently keep up with," he added.

Chris McIntosh, chief exec at security and communications company ViaSat UK, said the cyber threat warning from the central bank comes as little surprise because the financial sector is routinely targeted by state-sponsored and organised crime elements.

"Rather than waiting for the next data breach to occur, the UK’s banks need to realise that they have likely already been compromised and need to work back on this basis… The financial sector is the custodian of millions of customer details and the gateway to billions of pounds. Unless this sector takes the right action, we will see attacks become more refined and sophisticated with massive repercussions for this sector and the wider economy," he concluded.

An extensive catalogue of the documents released as part of the central bank's Financial Stability Report, November 2013 can be found on the BofE website here. ®
