It is a constant arms war that costs banks millions of dollars each year to combat the attacks of increasingly sophisticated criminals.
Do banks have the resources and skill to get ahead of the cybercriminals?
The short answer is no.
Ever since criminals realised that bank heists were no longer a viable risk strategy, they’ve moved their efforts online. For a couple of decades, banking security has had to evolve in line with a number of widespread but basic attacks: DDoS, phishing and malware. As the digital sphere expands and becomes more accessible and cheaper, cybercriminals became specialists.
The cybercriminals of today, backed with governmental money in some cases, have pushed banks onto the back foot with small package virus ransom attacks among other techniques to exploit legacy systems. The cloud, for all the operational value it could bring, has nevertheless caused headaches for many CIOs. With GDPR around the corner, just how safe can banks guarantee the cloud to be?
Putting aside Uber’s misconduct over covering up their data breach, the implicit role of the third party provider should worry the financial industry more than anyone. With the New Year’s resolution of “I will do thorough security testing on legacy platforms with APIs to third party providers” still ringing in board members’ ears on the 13th of January, PSD2 will not help the nerves.
Are banks doomed to be forever reactionary?
It would appear so, more by the nature of attack/defence than any inherent disadvantage the bank is placed under. On the one hand 2017 has brought a host of new emerging technologies that greatly improve the financial industry’s security but the institutional money pumped into cybercrime by rogue states and actors means they can now compete on the banks’ previous monopoly on resources.
What’s the solution?
Emerging technologies such as biometrics and blockchain may one day improve frontend and backend securities. Indeed, these new technologies are not be-all and end-all solutions but work hand in hand. Biometrics serves alongside Chip & Pin, and passwords as a harder to hack verifier of identity. It will be useful and more convenient for consumers, but it will also provide a valuable tool to authenticate employee access to banking infrastructure.
Blockchain too provides a very real possibility for an immutable store of value that would require massive computer power and concerted effort to hack. But, for now at least, there is little they can offer in practice without serious risk beyond proof of concept.
Anti-money laundering too, has applied the cold efficiency of AI technology to learn behaviour and patterns to stop the bad guys.
Open Banking causes headaches for security. It is more the uncertainty of attack that makes legacy banks vulnerable; after all, a heavily armoured, multi-verified front door is of little use if the criminal can get in via a small open window in the garden. And this is before we even contemplate the challenges IoT will bring, as every device provides a hackable route into sensitive data - who's to say the next hack won't derive from a hacked home assistant that shares the same network as a CMA9 employee's work computer?
For more on banking and cybercrime, here are our top five articles exploring the newest trends throughout 2017: