Information Security for the Banking Industry: A University Assignment
The banking landscape after the financial crisis presents issues such as new regulations intended to reduce systemic risk and the need to rebuild trust across the global financial system (IBM 2012). 2012 saw unprecedented change in technology, including cloud computing, advances in malware and other emerging technologies, resulting in an expansion of internal and external threats and adding complexity to an already complicated security landscape (Ernst and Young 2012).
A banking institution's primary assets are its finances; however, these finances fall into two distinct asset groups: consumer accounts and the bank's own financial reserves. Together these form the primary asset group referred to here as the financial 'balances' asset. Whilst a plethora of further banking assets exist, this report is primarily concerned with the protection of consumer accounts held with HSBC. The perceived and actual security of those accounts directly and significantly affects the bank's reputational asset, which is further determined by the reliability and availability of internet banking services (Ma 2012).
Threat Actors and motivations
Organised Criminal Network
Given the nature of the client's business, the foremost threat actor is the organised criminal network. There are, however, two distinct groups that fall under this term: those that operate exclusively online, and more traditional organised criminal groups that use IT to enhance their terrestrial criminal activity (Choo 2008).
Whilst both are motivated by financial gain, the latter group has a particular propensity to reinvest the wealth gained in further criminal activities such as narcotics and human trafficking (UK OCTF 2007). This has ethical, regulatory and reputational implications, exemplified by HSBC previously having been found to be “improperly facilitate(ing) transactions by Saudi financiers with ties to Al Qaeda”; HSBC was consequently fined $700 million (Saviano 2012). Notably, HSBC's global provision of banking services, combined with its insufficient money laundering controls, arguably served to enable transnational organised criminals and provides an insight into why the organisation has seen such high levels of money laundering (BBC 2012).
Choo (2008) describes exclusively online networks as smaller and more skilled: a transnational network of criminals who work together for the duration of a defined task. This, together with the more sophisticated technologies such a group would be expected to use, arguably makes it the more capable threat actor.
The Evolution of Online Banking Cybercrime
Phishing would take the form of mass unsolicited emails from the organised criminal network purporting to originate from HSBC. They lead the 'target' to a phishing website that resembles the bank's own, where sensitive information such as the customer's username and password is captured (as illustrated by figures 1 and 2), or malware is installed on the target's computer.
Whilst some contend that phishing by organised criminals involves identifying targets through surveillance and psychological profiling (Jahankhani and Al-Nemrat 2012), the indiscriminate mass emailing of persons (who may not even hold an account with the purported bank) suggests that the risk scales with the size of the customer base. Therefore, despite HSBC being considered one of the most secure banks in the world (Global Finance 2011), it is also the second largest by customer base (Global Finance 2012), making it a more tempting target than its banking counterparts.
Organised criminals have become increasingly adept at the phishing process, circumventing blocklists by continually changing the botnet machines from which the mail is sent, and avoiding spam filters by purchasing domains en masse so that each phishing website has a unique URL that remains valid for only a day (Moore and Clayton 2010).
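To make the mechanics concrete, the following is an added example, not part of the original report and not HSBC's or any vendor's software. It scans the links in a constructed phishing email for the tell-tale signs described above: a host outside the bank's genuine domains, the brand name embedded in an unrelated host (the look-alike URL), a raw IP address, and link text that displays one site while the href points to another. The trusted suffixes `hsbc.co.uk` and `hsbc.com`, the message body and the hostnames are all assumptions made for the example.

```python
"""Flag suspicious links in a phishing e-mail (added example, constructed data).

ASSUMPTION: the bank's genuine web domains end in one of TRUSTED_SUFFIXES.
The sample message below is invented for illustration; it is not a real e-mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("hsbc.co.uk", "hsbc.com")   # assumed genuine domains
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    """True only if host is one of the bank's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means no finding."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append("non-web scheme %r" % parts.scheme)
    if IPV4.fullmatch(host):
        reasons.append("raw IP address as host")
    if not host_is_trusted(host):
        reasons.append("host outside the bank's domains: %s" % host)
        # 'hsbc.co.uk.something.example' is the classic look-alike: the brand
        # appears in the name, but the registrable domain is the attacker's.
        if "hsbc" in host:
            reasons.append("brand name embedded in an untrusted host")
    shown = text.lower()
    if DOMAIN_LIKE.fullmatch(shown):
        # The visible text is itself a URL; check that it names the same host.
        shown_host = urlsplit(shown if "://" in shown else "//" + shown).hostname or ""
        if shown_host != host:
            reasons.append("displays %s but links to %s" % (shown_host, host))
    return reasons


def scan_email(html):
    """Map every href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}


# Constructed sample message; not a real HSBC communication.
SAMPLE = """
<p>Dear customer, your account is suspended. Please visit
<a href="http://hsbc.co.uk.secure-verify.example/login">www.hsbc.co.uk/login</a>
to restore access, or reach us via <a href="https://www.hsbc.co.uk/contact">our contact page</a>.
Install the <a href="http://203.0.113.7/update.exe">security update</a> first.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE).items():
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Run as-is, the look-alike link and the IP-hosted download are reported while the genuine contact link passes. The allowlist-by-suffix test is the important part: a filter that merely looks for the brand name in the URL would wave the look-alike through, which is exactly what the rotating, single-use domains described above exploit.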
The links within such phishing emails may alternatively install malware on the customer's machine, a tactic increasingly employed by organised criminal networks (SOCA 2008).
Trojans account for 66% of all malware (Symantec 2011). Of particular relevance to the banking industry is the 'Trojan Shylock' malware, which Symantec argue has recently been significantly extended with new modules and has contributed considerably to 60% of banking institutions now being targeted (Symantec 2012). The way in which a typical infected computer is used is illustrated in figure 3. The recent additions to Shylock, however, allow its configuration files (illustrated in figure 4) to dynamically inject and alter page elements such as a bank's contact details (as illustrated by figure 5), enabling the criminals to substitute telephone numbers that they control.
In 2009 the APWG reported that 48% of the world's computers were infected with malware. As an indication of current levels within the UK, the number of phishing websites rose from 7,224 in 2007 to 37,198 in 2011, a more than fivefold increase (Financial Fraud Action UK 2012). In one case alone £1.7 million was stolen from 48 companies (Wired 2013), and total phishing fraud amounted to £405.8m in 2012 (The Guardian 2013).
However, there are inherent difficulties in quantifying the risk, as identification of such crime is considerably marred by underreporting. Europol (2011) found that individuals may fail to report because they do not notice the offence occurring, or because they are subject to threats of violence and/or blackmail, a characteristic particularly prevalent where organised criminal gangs are involved.
Attributing a proportion of such crimes to organised criminal networks is therefore an arduous task, although it is widely argued that they account for a high proportion (McCombie 2007; Moore and Clayton 2010; Jahankhani and Al-Nemrat 2012).
Legal and Regulatory
HSBC has a legal responsibility to take reasonable steps to protect consumer data under the Data Protection Act 1998. Furthermore, the Financial Services Authority (the body mandated with reducing financial crime, amongst other tasks) states that money stolen through fraudulent activity should be refunded to the victim (BBC 2010); effective security controls therefore have reputational, regulatory and financial impetus.
The Money Laundering Regulations 1993 require banking institutions to have robust procedures for detecting money laundering and associated criminal acts, and additionally mandate appropriate record keeping and reporting procedures.
This is of particular relevance in tackling organised criminals that also have offline criminal activities. Whilst beyond the scope of this paper, successfully detecting such crimes may help to reduce the resources, and therefore the capability, of such criminals.
Symantec Fraudulent Transaction Detection
Companies such as Symantec offer fraud detection software that identifies suspicious banking transactions and contacts customers for verification (as illustrated by figure 6); furthermore, this outsourcing of security means the third party continually researches and blocks emerging phishing sites, viruses and threats.
Single-factor authentication for e-banking sign-on has historically been found inadequate to protect consumer accounts (Tan et al 2033; Federal Financial Institutions Examination Council 2011; Mok 2009). Whilst a number of factors contribute to this, the propensity of people to choose passcodes related to their birth date or year (as many as one in eleven do [Bonneau et al 2012]) certainly contributes to criminal success.
HSBC requires customers to use their keypad each time they log in, in addition to their customer number and memorable word. By comparison, NatWest requires the customer's ID, passcode and password to log on. NatWest has also introduced a keypad, but it is only required the first time a customer transfers money to a given outside account. Notably, the card must be present and inserted into the keypad for the transaction to be authorised.
Whilst Hertzum et al. (2007) contend that ease of use through security automation is paramount to e-banking, this report suggests that the optimum combination for security is to require the keypad, used with the customer's card, both for logging in and for transactions to new recipients. Additionally, the log-in details should consist of a customer ID and a passcode, the latter of which should forbid the use of the customer's birth date or year in any form.
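As an added illustration of the passcode rule just proposed (this is not the report's or HSBC's own code), the following policy check rejects a numeric passcode that embeds the customer's date of birth in any of the common written forms: DDMM and MMDD, DDMMYY and MMDDYY, the four-digit year, the full eight-digit date in UK, US and ISO order, and the unpadded day-month-year. It also rejects the trivially guessable all-identical and sequential patterns. The six-digit minimum length, the customer's date of birth and the sample passcodes are assumptions for the example.

```python
"""Passcode policy check (added example; not any bank's actual implementation).

Rejects a digit-only passcode that contains the customer's date of birth in a
common written form, plus the obvious weak patterns. The minimum length and
all sample data are constructed assumptions for illustration.
"""
import re
from datetime import date


def birth_date_fragments(dob):
    """Digit strings (four or more digits) a customer might derive from their date of birth."""
    d, m = "%02d" % dob.day, "%02d" % dob.month
    yyyy, yy = "%04d" % dob.year, "%02d" % (dob.year % 100)
    frags = {
        yyyy,                                        # 1984
        d + m, m + d,                                # 0708 / 0807  (UK and US orders)
        d + m + yy, m + d + yy,                      # 070884 / 080784
        d + m + yyyy, m + d + yyyy, yyyy + m + d,    # 07081984 / 08071984 / 19840807 (ISO)
        str(dob.day) + str(dob.month) + yy,          # 7884 (unpadded day and month)
    }
    # Two- and three-digit fragments such as '84' or '78' appear in most random
    # passcodes, so only fragments of four or more digits are enforced.
    return {f for f in frags if len(f) >= 4}


def passcode_problems(passcode, dob, min_len=6):
    """Return the list of policy violations; an empty list means the passcode is accepted."""
    if not re.fullmatch(r"\d+", passcode):
        return ["passcode must be digits only"]
    problems = []
    if len(passcode) < min_len:
        problems.append("shorter than %d digits" % min_len)
    if len(set(passcode)) == 1:
        problems.append("all digits identical")
    # A run such as 123456 or 654321 has every step equal to +1 or every step equal to -1
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {-1}):
        problems.append("sequential digits")
    # Longest fragments first, so the report names the most specific match
    for frag in sorted(birth_date_fragments(dob), key=len, reverse=True):
        if frag in passcode:
            problems.append("contains birth-date fragment %s" % frag)
            break
    return problems


if __name__ == "__main__":
    dob = date(1984, 8, 7)   # constructed customer born 7 August 1984
    for candidate in ("748291", "070884", "941984", "19840807", "123456", "111111"):
        print(candidate, passcode_problems(candidate, dob) or "accepted")
```

The check runs at enrolment and at every passcode change, where the bank already holds the customer's date of birth; it cannot be applied to a PIN the bank never sees in clear, which is one reason the rule belongs at the point of choosing the code rather than at login.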
Multifactor authentication such as this equates to having taken 'reasonable' steps to safeguard customer information and so complies with the Data Protection Act 1998. However, recent developments in malware have seen MitB ('Man in the Browser') attacks circumvent the keypads: the malware presents a pop-up box within the genuine banking session, posing as the bank's training section, and instructs the customer to enter a code from their keypad, which the criminals then use to authorise their own transaction (BBC 2012).
Financial Fraud Action UK (2012) contend that most fraud detection software will block this kind of threat by identifying the subsequent transactions as suspicious (BBC 2012); however, Garcia-Cervigon and Lilnas (2012) argue that the volume of emerging, previously unknown malware makes this claim implausible.
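The following added example (constructed here; it is not Symantec's or any bank's actual rule set) shows what 'identifying the subsequent transactions as suspicious' amounts to in practice: a handful of rules run over a constructed payment history, holding for customer verification any first payment to a new payee that is far above the customer's median outgoing amount, any payment in the small hours, and rapid bursts of payments. The transaction data, the fivefold threshold, the 00:00 to 05:59 window and the ten-minute burst window are all assumptions.

```python
"""Rule-based transaction monitoring (added example, not any vendor's product).

Payments that break a rule are returned for 'hold and verify with the customer'.
All data, thresholds and windows below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed payment history in time order: (customer, when, payee, amount in GBP)
TRANSACTIONS = [
    ("C1", "2013-03-01 09:10", "Council Tax", 120.00),
    ("C1", "2013-03-05 18:30", "J Smith", 40.00),
    ("C1", "2013-03-12 09:05", "Council Tax", 120.00),
    ("C1", "2013-03-20 19:15", "J Smith", 35.00),
    ("C1", "2013-03-28 02:41", "QuickCash Ltd", 2900.00),   # new payee, large, small hours
    ("C1", "2013-03-28 02:44", "QuickCash Ltd", 2900.00),   # rapid repeat
    ("C2", "2013-03-02 12:00", "Rent Account", 650.00),
    ("C2", "2013-03-30 12:00", "Rent Account", 650.00),
]

NEW_PAYEE_MULTIPLIER = 5              # assumed: new-payee amount vs the customer's median
NIGHT_HOURS = range(0, 6)             # assumed: 00:00 to 05:59
BURST_WINDOW = timedelta(minutes=10)  # assumed


def parse(rows):
    """Turn the timestamp strings into datetimes; rows must already be in time order."""
    return [(c, datetime.strptime(t, "%Y-%m-%d %H:%M"), p, a) for c, t, p, a in rows]


def held_transactions(rows):
    """Return [((customer, when, payee, amount), [reasons]), ...] for payments to hold."""
    seen_payees = defaultdict(set)   # payees each customer has paid before
    amounts = defaultdict(list)      # each customer's prior outgoing amounts
    recent = defaultdict(list)       # each customer's payment times inside BURST_WINDOW
    held = []
    for cust, when, payee, amount in parse(rows):
        reasons = []
        hist = amounts[cust]
        # Rule 1: first payment to a payee, far above what this customer normally sends
        if payee not in seen_payees[cust] and hist:
            baseline = median(hist)
            if baseline > 0 and amount > NEW_PAYEE_MULTIPLIER * baseline:
                reasons.append("first payment to a new payee is %.0fx the customer's median"
                               % (amount / baseline))
        # Rule 2: payment in the small hours (only once some history exists)
        if when.hour in NIGHT_HOURS and hist:
            reasons.append("payment made at %02d:%02d (between 00:00 and 05:59)"
                           % (when.hour, when.minute))
        # Rule 3: several payments inside a short window
        burst = [t for t in recent[cust] if when - t <= BURST_WINDOW]
        if burst:
            reasons.append("%d payment(s) in the previous %d minutes"
                           % (len(burst), BURST_WINDOW.seconds // 60))
        # History is updated whether or not the payment was held
        seen_payees[cust].add(payee)
        hist.append(amount)
        recent[cust] = burst + [when]
        if reasons:
            held.append(((cust, when, payee, amount), reasons))
    return held


if __name__ == "__main__":
    for (cust, when, payee, amount), reasons in held_transactions(TRANSACTIONS):
        print("HOLD %s %s GBP %.2f to %s: %s" % (cust, when, amount, payee, "; ".join(reasons)))
```

Run against the constructed history, both QuickCash payments are held and nothing else is. The example also makes the objection above tangible: the rules catch a transfer that deviates from the customer's pattern, but a Man-in-the-Browser Trojan that mimics the pattern (a modest daytime amount to an already-known payee) passes every rule, and only a rule written after that behaviour has been observed would catch it.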
One approach is to stop phishing, and the malware it delivers, at the originating email stage rather than at installation (Adida et al. 2005). To this end, banking institutions previously promoted free anti-virus software that would identify, and alert the user to, malware activity or suspicious emails, by prompting the user to download it at the log-in stage.
However, it now often serves as an additional, secondary, security tool to the aforementioned keypads, and is generally only found by consumers who seek it out on the respective banking websites, as illustrated by figures 7 and 8.
It is this report's contention that this somewhat defeats the object of a banking institution having paid for the distribution of such software (the cost of which is considerable) and devalues the protection the software offers. This is of particular concern as nearly a fifth of home PCs have no anti-virus software (McAfee 2012).
It is therefore suggested that the former, more prominent method of promotion is reinstated and is additionally promoted by the bank's staff.
The optimum situation is for the consumer's machine to be protected by anti-virus software and for the consumer to be educated about the dangers of phishing and malware. HSBC could promote such education through its branch staff, in addition to displaying educational flyers in branch and sending security emails bi-annually.