Blighty's top moneymen: Hackers are SLURPING CASH direct from banks

Bank of England warns financial institutions to take cyber-crime threat seriously

Several UK banks have suffered actual financial losses as a result of cyber-attacks in the last six months, according to a Bank of England study.

The Bank of England’s latest Financial Stability Report, published on Thursday, reiterates warnings about the risk posed by hacking attacks made six months ago when Andrew Haldane, the BofE's director of financial stability, testified before parliament's Treasury Select Committee.

Haldane was passing on the view from representatives of Britain's top banks that computer security was their biggest operational risk.

The latest report (PDF) from the central bank contains a small section, titled "Operational risks, including from cyber attack, remain a concern" that riffs further on this theme.

The June Report also highlighted potential operational risks related to financial institutions’ information technology (IT) systems. A quarter of respondents to the Bank of England’s 2013 H2 Systemic Risk Survey highlighted operational risk as one of the main risks to UK financial stability.

Over half of these responses cited risks from cyber attack — where an individual or group seeks to exploit vulnerabilities in IT systems for financial gain or to disrupt services. Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services.

While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.

Concerns that high-volume DDoS attacks of the type that interrupted the operations of US banks last year might easily be deployed against British banks to similar effect have fortunately proved groundless. Reported operational problems in UK banks (such as recent incidents at Barclays and HSBC) have come as a result of system failure, rather than hostile attacks.

An April attack that led to arrests in September after crooks allegedly planted remote-control hardware in a computer at a Barclays bank branch, which was linked with the alleged theft of £1.3m, is a cause for concern – but no great worry in the grander scheme of things.

A far more tangible existential risk comes from something like an ATM cash-out scam, which cost two Middle Eastern banks $45m last year after hackers broke into a database of prepaid debit cards.

Many operational problems would, of course, be known to the Bank of England without reaching the press. And banks are stepping up their readiness to deal with attacks. For example, financial firms and banks across London took part in a cyber-war game earlier this month, code-named Waking Shark II.

Banks have focused on credit, market and liquidity risk over the past five years because of financial sector upheavals, caused first by the sub-prime mortgage crisis and banking bailouts of 2008, followed by the ongoing eurozone crisis and a general recession across the EU. The vast majority of the Bank of England's report focuses on these types of risks rather than anything posed by computing attacks, which, nonetheless, still pose a risk that cannot be ignored. Security vendors, unsurprisingly, focused on cybersecurity in commenting on the report.

Peter Armstrong, director of cyber security at Thales UK, said banks need to move towards more integrated cyber defences.

"The combination of high interconnectedness, reliance on centralised market infrastructure and complex legacy IT systems are leaving our banks vulnerable to cyber attacks," Armstrong said. "A holistic approach that is designed to tightly integrate cyber-defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors."

Armstrong placed a particular emphasis on re-training staff and sharing threat intelligence among financial institutions as important tactics in the never-ending fight against cyber attacks.

"Banks must make more effort to retrain or re-skill their employees," he said. "Much more emphasis should be placed on retention of soft skills, IP, organisational culture, the evolution of internal security policies and knowledge of legacy systems."

"Greater collaboration on cyber issues should also lead to an improvement in cyber awareness and continuous policy evaluation and adaptation, particularly as external attacks multiply faster than legacy IT security solutions can currently keep up with," he added.

Chris McIntosh, chief exec at security and communications company ViaSat UK, said the cyber threat warning from the central bank comes as little surprise because the financial sector is routinely targeted by state-sponsored and organised crime elements.

"Rather than waiting for the next data breach to occur, the UK’s banks need to realise that they have likely already been compromised and need to work back on this basis… The financial sector is the custodian of millions of customer details and the gateway to billions of pounds. Unless this sector takes the right action, we will see attacks become more refined and sophisticated with massive repercussions for this sector and the wider economy," he concluded.

An extensive catalogue of the documents released as part of the central bank's Financial Stability Report, November 2013 can be found on the BofE website here. ®
