
Finance Industry Cyber Attacks


© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 10

Cybersecurity Module 3: Finance Industry Cyber Attacks (45 min) - Emmanuel van de Geer

Through security in the banking industry, and specifically I am going to take you through why information security is different in banks from other industries and particularly different pronged paths to technology industry. I'm gonna take you through my career in banking, and particularly in security, what banks worry about, and then we're gonna have a bit of a look at Zeus and SpyEye, which are two specific types of malware which cause banks globally a fair amount of concern. So why is security different in banking? We'll start with Sutton's Law. Willie Sutton was a bank robber, and when he was interviewed, some reporter asked him why he robbed banks, and he said, "Well, that's where the money is." So no surprise--if you work in a bank, guess what. You actually do get attacked. People try and steal from you all the time because you have a lot of money. The other reason that it truly is different is because banks work because customers trust them with their money, right? Banks have to be a safe, reliable, and secure place, right? So, you know, what would you think if you went to the branch and you couldn't get your money? What would you think if you went online and the bank wasn't there? So it's very fundamentally important to banks that we have a safe and reliable place for people to store their money. Is there a problem with the slides?

Importance of information security in banking (01:31)

So at my bank, we have basically a value promise to our customers. We should heed the rule, all right? I don't know if you've seen yet the advertisements, but heed the rule actually speaks about how fundamentally important risk instability and security of our banking is, all right? The bank is here for the customers. It's here in good times, it's here in bad times, and we are always there. You can always take your money out, and you can always get a home loan, all those sorts of services. It's very, very important that we're there. And this is particularly important in the current climate, you know, where you've got the GFC and those sorts of things going on, where people are very concerned about the security of our financial systems. Sorry, this slide's going wrong. - Slide's not working. - So what you find is that, for banking, security is less of a technology problem, and it's more an asset to the bank itself, right? The other reason that security is different in the banking industry is because of the way that money works, all right, and the way that banking works. And so I'm just gonna take you very, very briefly through how a bank works and why security risk actually affects how much money we make.

Workings of a bank (02:53)

So as you're aware--okay, risk management in banking. So as you're aware, the banks have customers, and the customers are generally in two forms. They're either depositors or investors, and either lenders, right? So a depositor comes along and gives the bank some money; in return, we give him a small increase either through shares, right, so basically through shareholders, or through people that actually have a deposit account and put money into the deposit account and get a small incremental percentage back. We then take that money and we invest it, right? So the investment could be in assets such as commodities, or we could trade it through FX exchange, or we could give people home loans, which is an investment for us. And then basically our profit is the difference between how much we pay to our investors and how much we get back from investing the money ourselves.

Risk management of a bank: credit, market, operational (03:50)

However, as we discussed before, banks have to be very, very stable places, and there are a number of issues-- you know, WorldCom, the GFC, those sorts of things, where people said, "Well, basically banks need to be able to provide for risk incidents, right?" And so to do that, we need to reserve the money aside, all right, and that security reserves money aside for three specific reasons: credit risk, which is the risk that everyone pay it back; market risk, which is the risk that our assets or the assets of our customers will lose value; and operational risk, and this is where we're gonna spend a bit of time looking at it. Operational risk encompasses failure of our processes, platforms, people. Yeah? So this process of reserving capital aside is called capital allocation, where the amount of the capital allocated is actually to do with how much risk you have, and you could-- how much fraud you have, how much tech you have, how many documents you have, all right? So operational risk is actually made up of all these various things: legal risk, compliance and regulatory risk, internal fraud, external fraud, security risk, all right? And we're going to talk a bit about--later on about some of the things that we're concerned about, particularly in terms of external fraud, and things like people getting loans through us and never paying us back because they forged their identity all the way through to criminals using us for laundering their own money. And we'll also talk about security risks as well. And how this affects the bottom line, right, from a banking perspective, is that the more risks the banks have, the more money it has to reserve, the less it can invest, the less it can make-- less it can invest, less it can make-- the less it can pay. The less it can pay to its customers, the less customers it will have. So actually security and risk affect what we call the competitive equilibrium, right? How competitive we are against our competitors, all right? Less risk in terms of more security, the less we're in control, the less in turn that we have to reserve. Less capital aside, and we can afford to have better deposits returned to our customers, we can afford to make more money. Yeah? So this--you know, as we talked before, it's a business asset, right. It's not really a technology problem. And actually it's not really about security, you know, itself. It's a combination of compliance, fraud, and risk management. This combined space is called GRC, or governance, risk and compliance. So it wasn't always like this, right? And in 2000, online fraud was actually unheard of. I know because I was actually working at a bank in 2000, all right? And in fact, online fraud now costs U.S. banks a lot-- $60 million a year. That's money that people actually steal from U.S. banks, and we're going to later on and we'll be talking about actually how much money people lose through online fraud and all that sort of stuff and putting that in context with some other things that we are concerned about. So a brief history of my career and what a career in security in banking can mean to you. So, as I said before, in 2000, I started my information security career as a firewall engineer, all right, so I was used to doing network security. I built firewalls. I managed RAS connectivity. I built proxies. All the sorts of things that you're probably quite familiar with. Today what I do is, I design systems. I'm kind of like an enterprise architect for a range of capabilities, including operational risk platforms, anti-money laundering, trade surveillance, as well as all of the security aspects as well. And a bit about how this all came about, right?

Brief history of online fraud (07:56)

Because in banking, as you know, we've faced a large number of threats over the last ten years or so, and it really started when phishing started. So phishing was where people actually tried to trick online banking customers into giving them their username and passwords. This was well before the days when we had, you know, two-factor authentication, transaction authorization control that you're probably familiar with in terms of SMS OTP or tokens. And before that, you know, online fraud really didn't occur. It really started to emerge when people started to move into online banking and the Internet started to take off. Soon after that, sort of around, you know, after we started to put in better controls around phishing, all right, they moved into man-in-the-browser. And that's some of the Zeus and SpyEye stuff that we're touching on later on, and these days they're moving into mobiles. So BlackBerrys, iPhones, that sort of thing. They're migrating them out into there. Sort of around the same time... Right about the same time, the regulators started to get more interested in banks. They started in California with the data breach laws. Before the data breach laws existed, if you lost the information, you didn't tell anyone, right? But now it's actually a regulatory need, and if you lose customer information in multiple geographies, you have to tell them, and this actually kicked off a whole range of technologies around data leakage protection and a really big focus on this issue. Soon after that, and what we talked a bit about around capital allocation, that really kicked off with Basel II, and actually we can see that it's continued on with the GFC. I put the TJX data breach in here because that was a moment when, you know, data leakage became a really big issue. TJX lost about 14 million credit cards, all right? So Citibank had to cancel those. Main suppliers had to reissue millions of credit cards at a lot of cost, and they sued TJX for hundreds of millions of dollars, and the company went down. One of the other interesting aspects that we've been seeing more recently, and we'll cover this in a bit more detail later on, is the evolution of hacktivism recently, all right? We'll talk a bit later about some of the drivers behind DoS. It's a real trend at the moment through Lulz, Anonymous. Those sorts of things that are taking off. And just a story about RSA. RSA has a really, really interesting case. I don't know how many of you are familiar with the RSA incidents, but what we started to see is a change in attack paradigm. What used to happen was, people would look for a hole in software, all right, or infrastructure. You know, a vulnerability to write some code, and they would then find a target, all right? It wasn't--you know, it wasn't a very good way of attacking someone to get money out. What we've seen is a complete change. People choose a target. All right, let's choose a target first. After choosing a target, then try to find a hole in that target. And this is a big concern to banks, because, you know, it used to be that we could probably pretty well protect ourselves by managing the technology. All right? But now what we're finding is that people are turning that paradigm around, and they're gonna attack us specifically, because we have the money, all right, and they'll want to steal money, so they're gonna attack us. But RSA took it to a new level. What they actually did was, they hacked RSA not because they wanted to hack RSA. They hacked RSA because they wanted to cause a weakness in RSA's customers and specifically three weapons manufacturers. All right? So this is at the espionage end of, I guess, the security paradigm, but a very, very disturbing trend. I guess the story behind this is that there's been a massive evolution in terms of the attacks that banks face, which is good for anyone with a career in security in banks, because as the threats grow and the role of security in risk management grows within these organizations, so do the career opportunities for anybody doing security within the bank.

Banking security concerns (12:31)

So what are banks concerned about, from a security perspective? Obviously we have cards and transactions, right, so it's this payment processing, you know, both domestic and overseas payments, credit cards, ATMs. You see a lot of skimming these days. It's always a bit of cat and mouse between the controls we physically put into ATMs or the controls that we physically put onto credit cards and the innovation that you see coming out from criminal elements. These days, with ATM fraud, they do things like they manufacture a complete ATM, right? You know those free-standing ATMs you see in, like, a 7-Eleven or something? They go off and they make one that looks exactly the same. Doesn't serve any money. It just skims people's cards and collects the PINs. They also do things like creating facades for specific banks to do the skimming as well. It's a very, very, very big multimillion dollar issue, and we'll see a little bit how big it is later on. Another one that we're going to talk a bit more about is online fraud. Online fraud, holistically in terms of the entire market, is quite big. Banks actually make up a fairly small component of that, though it's definitely an evolving space. We saw before in terms of, you know, phishing starting in 2000, all the way through to people hacking into people's phones through man-in-the-mobile, to defraud banks and customers. And there's been some activity particularly in the Asia Pac region recently. Historically in this geography, Australia has been the focus, but that's starting to move now. We have seen insider threats, all right. An insider threat is an interesting one, right, so you would have seen, you know, perhaps recently in the news something about Credit Suisse and trading fraud. You would remember SocGen, those sorts of things. They are very, very big issues. They literally can end a bank. So Barings Bank had a massive trading fraud back in--I think it was early 1990s out of Singapore that actually literally closed the bank down. All right? These are what we call catastrophic risks. Obviously payments processing. You know, our staff has to be very, very trusted, but obviously, you know, there's a lot of money flowing through the system. When you think about, you know, how much money we clear-- we literally clear in terms of moved money in terms of billions of dollars a day. You know, so there's a lot of room for people to start trying to sneak money through. And obviously we talked a bit before about data leakage, information theft. It's a big issue. And actually, you know, people often don't do it to sell the information; sometimes they're moving employees, all right? You know, you might have someone who works for us who does corporate banking and has some very, very influential customers and they move to Citibank and they want to return the customers and they attack our customer information. And then it's data leakage again. But data leakage in this context actually has a bit of a broader connotation, because it's not just an insider threat. Any mistake these days on the Internet is noticed within minutes, so, you know, I think Citibank lost or exposed a couple of thousand credit card numbers on the Internet accidentally through their website. All right? These things, in terms of data leakage, aren't always deliberate, so you have to be absolutely assured around the services that you're delivering specifically to the Internet to make sure that the content that you're providing is deliberate content, all right? You're not accidentally publishing some of this information. And of course denial-of-service. As we talked a bit before about hacktivism, right? So I'm just gonna talk about what the motivations behind denial-of-service are. So broadly speaking, denial-of-service falls into three categories. There's geopolitical tensions, all right? So this is a Taiwan-- you know, sites going down, or a South Korean site going down, and generally it's because, you know, there's geopolitical tensions between China and Taiwan, or North Korea and South Korea, or China and the U.S. Hacktivism, obviously there's a major move on hacktivism at the moment, and that is loosely related to geopolitical, but it's much more around crowd sourcing. All right? This is, you know, similar to the Arab Spring context where people are voicing-- a bit of protesting in the streets. You know, they're joining Anonymous and downloading the Low Orbit Ion Cannon, if you've ever heard of that, and targeting sites in a coordinated fashion. And lastly, there's extortion. Now, extortion, I think a couple of slides back I talked a bit about the DoS that was occurring until the mid-2000s. Extortion used to be the key reason for DoS. And that changed; it doesn't happen that much anymore. But people--what used to happen was that organized crime would literally DoS a major organization, like a bank, as an example, and then demand payment to make it stop. Now obviously, with things like banks, it doesn't work very well, but banks don't do that sort of negotiation, all right? But gaming sites, gambling sites, pornography sites, would generally pay up.

One of the key questions that someone like me asks is, when we start to remove or enhance the controls in online banking, the criminals aren't going to go away. They earn money now; they're gonna want to retain that money. And in fact, you know, the criminals that we're dealing with aren't, you know-- they're not individuals. They're organized crime, generally out of Eastern Europe, but serious business, right? They make a lot of money, they employ a lot of people, and they're not gonna disappear. So one of the key things for us is keeping an eye on this one to make sure that they don't-- you know, if you're locked out of online banking, we're real mitigated particularly to DoS, and you've got to come back to that sort of way of making money. But if you have a look over the last year, and this is a new phenomenon, it actually started sort of toward the end of 2010, is that almost all of the major DoS incidents have been hacktivism, all right, people protesting. And actually just recently there was a broad-ranging denial-of-service of all the banks in Brazil, which was orchestrated by Anonymous. Bank of America also got DoS'd, because in the middle of being resuscitated by the government after the GFC, they decided to slap a $5 fee on top of the debit cards. The customers didn't like it very much, and they got DoS'd. I think one of the ones that I'm watching at the moment quite closely is the movement in Australia. So in Australia, there's been a large number of layoffs, from financial organizations and major organizations like Qantas, and so you might suspect that that might incentivize some people to game together and protest about it. But it's a very interesting movement, right, away from criminals and inter-democratized sort of protests, but nonetheless, still quite a pertinent research to an organization. It obviously needs to be up and available all the time.

Zeus and SpyEye (20:06)

So I'm gonna talk about now, I'm gonna do a bit more of a deep dive in terms of Zeus and SpyEye and some of the things that banks all around the world are seeing. So Zeus and SpyEye, if you don't know, they're two specific variants of malware, and in fact they call it crimeware. Zeus used to be the number one player in that space and constituted 80% of all online fraud globally. SpyEye is a newcomer to the area and is changing particularly the way that it attacks, and also the targets it's choosing have changed recently, and in fact what's happened is, they've joined forces. So what you're seeing now is that Zeus and SpyEye are more of a blended product. Now, these things, interestingly enough, are software-as-a-service crimeware, all right? So the people that make this code aren't the people that use it. They sell it; they sell it to other people to actually steal money from banks. So it's actually something you can purchase. It's generally used in conjunction with another kit called the Phoenix Exploit Kit, and that's used for developing exploits for browsers, and so the general mechanism by which these sorts of malware get into your machine is by what is called a drive-by download. Drive-by download means you browse a site and it exploits your browser and installs the malware without you even knowing it. One of the other ones we're keeping a very close eye on is drive-by jailbreaks. Similarly, you know, familiar with jailbreakme.com, using that, you know, in a different context to install malware on the phone. So these are the sorts of things that occur quite a lot. Now, the reason why these things are successful is because people generally don't do the right thing by themselves. So a lot of people don't run antivirus on their home machine. If they do, it's out of date. They never patch their OS. Most people with an Android handset don't even conceive of running antivirus on their Android handset, right? Not something you think you would have to do. But nevertheless, you definitely do have to do it. So what are the impacts? So here you see that this is roughly, in local currency, the values that banks lose annually. In the U.S., it's about $60 million U.S. In the U.K., it's about 50 million pounds a year, which is about $70 million U.S. a year. Australia is-- it fluctuates, but it's around $20 million a year. Europe also gets impacted. Now, the value you can't actually publicly find out, but it is fairly significant there. So looking at this, you're going, "Well, there's probably about $200-250 million worth of revenue to anyone that can defraud banks by this mechanism." That by anybody's margin is a pretty large sum of money, and this incentivizes a lot of criminals to take on this road to attack banks, all right? And this is kind of like the Zeus footprint, historical markets of Europe, U.S., and Australia. What we've seen, particularly in the last 12 months or so, is that SpyEye's really made an insurgence into the market, and we're starting to see it diversify. Specifically, what's happened is, a lot of the Tier 1 banks have upped their control levels, put in a lot of mechanisms to prevent Zeus from being successful. What that means is that SpyEye's come in, used a bit of the Zeus code, really putting some extra credibility particularly around regular expression matching, and those targets, Tier 2 banks in those markets, but also heading into Asia, heading into the Middle East, all right? So they're really diversifying, you know, away from the historical markets. There's a lot of theories around why they historically only targeted, you know, U.K. and U.S. and Australia. Around--you know, those markets generally had straight-through processing for overseas payments, which makes getting money out of the country and into a Latvian bank that much easier, all right. You know, a lot of banks in, you know, these emerging markets had historically done manual payments of FX payments, which meant that they were more likely to pick up fraudulent activity. I guess the other piece is around money mules. So money mules are people that generally answer online ads where they can work from home, right, only have the Internet, shipping manager, marketing consultants, these sorts of ads, and the job basically is that, if they get the job, they hand over their bank account number to the criminals, the criminals use or configure their malware to transfer local exploits or local hacks of the value of those transactions into their account locally. They then take that money and go to Western Union and transfer it off to criminals. So either they're pretty stupid or they're just lucky with the money. The treatment of money mules actually varies by geography, and, you know, in Australia they're criminally prosecuted. I think, you know, in most of Asia they haven't-- they don't understand how to treat them yet. So watch out; don't answer any online ads, all right? Anyway, so this actually looks pretty bad, all right? It looks like there's a lot of money leaking out. So how bad actually is it? So this is a graph showing from 2005 to 2010 the online losses to banks in the U.S. and the U.K. You can see it's a fairly steady increase, all right? So it looks pretty disturbing. In this graph, in the green I've added together the online frauds from banks in the U.S. and U.K. markets, and I'm comparing it to the online fraud from a total market perspective in the U.S. alone. You see that massive jump in 2009, all right? Something like $600 million was defrauded online, all right? Not just some banks; from everybody. So the market for online fraud is pretty deep, all right? There's a lot--you might think about that and go, "Well, actually banks are either doing pretty well in terms of controlling it, or there's a lot of room for growth for online fraud, I guess." But we talked a bit about credit card and ATM card fraud, right? So this is a graph of U.K. ATM card and credit card fraud in the U.K., all right? Actually we've done quite well recently, but if you look at 2008, you know, 800 million pounds. That's all--that's a lot of money, all right? So, you know, credit card fraud and ATM fraud is a very big problem. But it's not actually the biggest problem we have. Still see the green on the graph, yeah? All right, that's online fraud from U.S. and U.K. The red are one-off trading frauds. All right? So this is where--I don't know if you know what trading is; it's the dealing of foreign exchange, securities, commodities, trading-- My bank's a very big trading bank, which makes a lot of money trading with those sorts of things on the exchanges. These issues are one-off issues and generally associated with the failure of a thing called segregation of duty. That means that the person who's actually trading isn't the person who counts the money at the end of the day. These banks generally fail to do that properly, particularly on the accounting part, and this is the result.

    So SocGen, in the U.S., it's about $7.1 billion U.S. from one incident, all right? Credit Suisse, around 3 billion. The UBS again, you would have remembered the UBS incident from last year. So when you actually stop to think about how banks plan their security controls, this is the sort of analysis that we do. All right? And this is how you can see that someone from network security background can get quickly dragged into a lot of different problems, a lot of bigger problems, and a lot of different technologies, all right? And so broadly speaking, you know, trading fraud is something that we control through identify and access management and specifically identify compliance. So I'm not sure if you guys knew that, but it's basically where you make sure that people have the right system accesses to various systems to make sure that this sort of thing doesn't go on. So I'm just gonna take you through some of the capabilities, and it's actually an evolution of capabilities that we see that Zeus and SpyEye sort of can actually undertake. And to do that, first I'm gonna show you-- I'm gonna take you through a hypothesis or a general view of how banking generally works, online banking generally works. So you basically have a user. And we're gonna talk about SMS OTP in this context, so they have a browser and phone and they want to transact with a bank. So obviously they log in. It goes back to the bank. The bank gives them what we call an SMS OTP-- one-time password. They enter the one-time password, into the bank, and they are let in so this was actually quite successful for a period of time, because they had a lot of problems with phishing. People were giving away their passwords. You know, generally we regard the password that you use for online banking as already subverted; we don't trust it. All right? So we're heavily reliant on the magic number that you get through your SMS. So what's different in a malware scenario? 
Well, in a malware scenario, there's literally a piece of malware that exists in the browser. So the https:// and all that sort of stuff, it looks fine. You can't tell, all right? And what will generally happen is, and this is actually-- what generally happens is that it's controlled as part of a malware web or a botnet, all right? And there are literally thousands of these endpoints, where we count these things, you know, in hundreds of thousands. There are hundreds of thousands, if not millions, of people that have these actively in their browser now. This is mapped-- is a view of the Zeus command and control servers around the globe. It was actually taken last week. It's from a site where people actually internationally track this, all right? So a number of people like us and a number of other banks, a number of security professionals actively track the command and the control servers of the Zeus network and they map it out, and this is actually, you know-- they can actually pull up, you know, who owns the server and they can take it down, they shut it down. This changes on a daily basis, as you can imagine, right? But to give you a view of just how active it is, that's how many active command and control servers there were on that specific day, all right? Security professionals say this, you know, particularly banks. They absolutely try and get these commands really stuck in a way, 'cause generally those services are hosted on the hosts that don't know. They've been exploited as well. Similarly, this is the command and control network at SpyEye. All right? Two different capabilities; two command and control networks. And they use this for obfuscating where the actual person orchestrating these attacks, they're controlling these attacks, actually resides. All right? They route their controls through this mesh, and somewhere probably near as it gets done, there's a guy sitting there making quite a lot of money.

    Compromised browser (32:32) So... the issue for us and the issue for our customers is because SpyEye and Zeus exist in the browser, they can mimic the bank and the customer to each other to almost perfection. Very, very, very difficult to tell the customer that you've been hacked, and it's very, very difficult as a bank to know that your customer has been defrauded. All right, 'cause it looks like, from a technology perspective, it looks like normal behavior to us, and to the customer it looks like the normal banking screen. So to pick up on this stuff, there's a number of technologies and there's a number of things you can do.
    From a technology perspective, you can look at referrer headers; you can look at changes in the timing between specific transactions, right? If someone logs in, immediately they're trying to add a beneficiary or immediately turn into third party payment, the second they log in, that's not normal behavior, because to get to that screen, you have to click through a couple of, all right, other screens, like account balance. You know, it's not--so we do this sort of behavioral analysis as well, which, you know, we keep registers of the browsers people use, the phones that they use, all right, to make sure that we can pick up any of these changes. So just in terms of the attacks, right, so it all started as an adjunct, right, and this was started as an adjunct to phishing-- a better way of phishing where you didn't have to trick people. And what they would do is, when a customer logged in, they would literally copy the password off into their network for later use, and then later on, log in, transfer the money, all right? So the banks at that stage, you know, they've done a lot of education to customers, saying, you know, "Never put your password in an email. Always check out the site. "Make sure it's us, right? We never ask for it over the phone," that sort of thing. And so they eventually did get around it. So we, all right? Either tokenize or SMS OTP to stop them from being successful at this so we look smarter. So what they decided to do was post login and during transactions, and this they generally wait-- they don't have to, but they wait until after you've logged in, and they either flash up a screen that says, "We're checking security settings," or they actually wait till you're doing transactions, and on the fly they use regular expressions to actually change the destination account; they actually route that money out through a different account. And what happens is, we send back the SMS OTPs. There's--"Here's your magic number. 
Follow transactional authorization." You type in the magic number, and off the money goes. This actually is a screen that SpyEye uses, all right? The post-login screen. So what happens in this scenario, you log in, you see this screen. In the background, SpyEye actually enters either "adding you a beneficiary" or just doing a straight third-party payment, and that generates an OTP. And after you've seen this screen, a special screen says, "Please enter your OTP to progress. We've validated your security. Enter the OTP," and your money's gone. So if you see the screen, I can guarantee you, you have been hacked, all right? Incidentally, this is from a devious site. They use style sheets, all right, so this text is always saying they use style sheets to actually tone it the right color, to use the right font. It's very, very, very hard to tell that this is actually a fraudulent injection into the website, all right? Even the developers of the website look at this and go, "It looks just like our content," all right? They are very, very good at this, all right? This is actually quite hard to detect, right? So the other one is post transaction, and this is one that we've started to see in Europe, particularly in the U.K. and in Germany, actually.

    Post transaction (36:36) And they got trickier, so in this scenario, you log in and do something like get your account balance. The request goes back to the bank, all right, so this is generally after you've been defrauded, and what they do is, they send you a masked account balance. They keep a record of your old account balance for you while defrauding you so you don't know that you've been hacked and your money's been stolen. This actually--this is generally so that they can either do one of two things. One, so they can get the money out of the country successfully; two, to lengthen the amount of time before, you know, it's notified, because there's something in other customers; or three, to keep on hacking you and keep on stealing your money. There's one specific person who was fooled for months, whole months, and they went, "Oh, where's my pay? Funny me." Called the bank and there was no money in the account.

    Next generation: MitMo (37:42) Anyway, all right. 'Cause the old account balance was being presented. Quite clever, right? So... The attacks so far are actually quite easily controllable, using technologies that we have, all right? Specifically, SMS OTP can be used to control this. The way that we use to control this is when we send the OTP; we tell you what the OTP's for, all right? So if you are transferring money, we say, "This OTP to send money to your mom, "this is her account. This is how much the value is." So anybody injecting anything or modifying that will get called out, because you'll see something, going, "I don't want to send, you know, a $1000 to this person because I don't know who they are," all right? Especially if you thought you were validating, you know, the security. But other, you know-- criminals aren't really giving up. There's a lot of money, and they want to stay here. So they decided to develop MitMo. MitMo is basically a branch of SpyEye and Zeus that's constructed for mobile devices. It was first seen in Spain at the end of 2010, where it attacked ING, and it was seen again in Holland at the start of 2011. And it's made some fairly steady progress. So this is the timeline of MitMo developments, and it's fairly recent, right? Android's just come out, so be quite wary of that. I think one of the good things on this front for us is the diversity of operating systems that are out there for handsets. But as you can see, defending, you know, Windows, BlackBerry, Android, most of the majors are covered other than iPhone. So this is an area where we're gonna see absolute development. This is where they're focusing their time, and this obviously causes a number of issues for SMS OTP. 'Cause if you've Trojaned the phone, SMS OTP is worthless. Does not work, all right? So if you don't move, you know, you're gonna lose a lot of money and a lot of customers.

    Possible solutions (39:55) So our prediction is that SMS OTP is dead, and what you're gonna see actually is something like this. So this is actually a card that's... was first manufactured in Australia-- is manufactured in Australia. It's been around for several years, but Visa have just picked it up. It's a new card, and it's actually literally a credit card, and it just has a token on the back. Now, tokens are good, because they're completely offline. You can't get a Trojan into it. The only problem is, customers hate them, and, you know, when you think about how you use your online banking services now, you can use them in your mobile, right, particularly if you've got, you know, your iBanking on your phone and your SMS OTP. If you're very mobile, it's very easy to use. This unfortunately, you know, is probably a little bit of a step backwards but something that we likely would have to do. So I'm just gonna recap. So information security in banking, right? People steal money; money lives in banks. You work in a bank, people are gonna try and hack you. All right? Pretty simple stuff. People trust banks, all right? If you lose your money from the bank, you're probably not gonna bank there. If a lot of people lose their money from the bank, no one's going back there, all right? The banks have to be secure and stable in order to retain customers, and, you know, the fraud and risk impact of bank profitability actually is literally a business problem, all right? Literally does affect the bottom line of how profitable we are, all right? So again, you know, if my security is a business problem with a bank, it's not a technology problem. So thinking a lot of the other industries, right, information security is viewed as by this technology thing, you know. I'll patch the servers, good antivirus, you know, make it go away. All right? Not in banks, very, very different, right? Fundamentally part of the business. 
So I work very, very, very closely with the fraud department, right. The frauds aren't technologists. Aren't technologists in the slightest. There's the kind of-- Compliance. Compliance as well in banks. You know what? They're not technologists. They need technology to actually stop people from laundering money, to stop trading fraud from happening and to stop, you know, credit cards and ATM fraud, to stop online fraud. That's why security is very, very different, all right? And just a recap again on the predictions. So you're going to see a steady increase in online fraud, not just targeting banks, right? Broadly speaking. As people transact on the Internet more,
criminals--you know, it took them a while to realize there was money on the Internet. Now they know it's there, they're really not going away. All right? And I think while the graph before you saw a massive spike in 2009 online fraud in the U.S., and it's started to peter off a bit, and I think actually it's because people have, you know-- the U.S. economy isn't doing that great; there's not that much money to steal actually, right? Rather than the criminals giving up, right? So what's actually happened is, they started to diversify into other markets where there's more money, all right? The value of the U.S. dollar is going down, so a return on investment to them, spending the-- hacking someone is less. So they want to go where, you know, the money is. And you'll see that in-- online fraud banks, you know, there's actually-- there's a lot of growth potential in there compared to the other frauds that we see, particularly when you talk about credit card and ATM fraud. But again, as you lock people out, as you lock criminals out of ATM and credit card fraud, they're still gonna want money, all right? They'll find other ways to do it, and it's a real arms race, all right? The pace of change and how rapidly, you know-- banks like my bank have to adapt to this attack change is ever-increasing, all right? It's, you know-- you wouldn't see one year with a steady attack vector, right? You have to actually be agile enough to change, and when, you know, your bank employs 90,000 people in 80 different countries, it's very, very difficult to keep that pace of change up. The other prediction of mine, mobile security is gonna get worse. It's just starting to take off. I think that the security habits that most people have with mobile phones don't match those of PCs. So their expectation of how they manage an Android device, all right, is different, right? They don't think they have to patch it. They don't think that they have to run antivirus. All right?
So the whole cultural change that needs to happen for people to actually use mobile devices securely yet, there's a plethora of mobile devices out there, right? You know, we're seeing a mass increase in the amount of banking services that people use for mobile devices, right? They don't want to sit down at a PC anymore, right? In fact, they don't have a PC, all right? If you think about how many people just have an iPad, all right? "I think I want to use online banking. I just have an iPad." What are you gonna do? You have to deliver online banking to this device, and you have to make sure it's secure. The other one is, the end of SMS OTP. HSBC last year started rolling out tokens again. They actually invested in a back-code token. They spent six months in customer service action surveys to make sure that the token worked the way that the customers wanted it to. They delivered it out, and everyone hated it. So we know we have to do something in that space, but finding the right tool that has the right utility and the right security is, and with that, I might open up this for questions.