Everyone remembers the movie-like bank robbery back in 2013, when the robbers dug a 30 metre tunnel to a bank branch in Berlin and ransacked the safety deposit boxes. It took hard work, creativity and, above all, a great deal of time and know-how. And even then, the master thieves ended up getting caught. It was essentially an old school bank robbery, which would have had most modern professional gangs shaking their heads in disbelief. They don't bother digging around in the dirt, they don't take any personal risks and they usually remain undetected. We're talking here about hackers, who steal from banks and customers alike on a grand scale – unobtrusively and quietly, all over the world. And what about the banks? They are generally left trailing way behind in an all-encompassing digital financial world.
Digitalisation or Pandora's box
The Byelorussian publicist Evgeny Morozov recently wrote in an FAZ article "Life turned inside out" about a seismic event that is being "welcomed as an overwhelmingly positive development". He is referring to an all-encompassing digital and networked world, which is becoming increasingly technocentric and is supported by an ominous "faith in innovation". What is happening? Digitalisation is being propagated across all channels and is generally presented as some kind of "saviour" for everything and everyone. Initially, it is welcomed by companies who can penetrate all areas of professional and private life and are using continuous network connectivity to look for new sales channels, if they have not already found them. The risks involved are all too frequently swept under the carpet. The benefits of "always online, always connected" are far too enticing, and not just for Generation Y either. Digital natives are constantly networked and always up to date. Critics of constant connectivity are labelled as backward, reactionary or technophobic. Morozon describes it like this: "According to this logic, opposing technological innovations is a betrayal of the ideals of enlightenment."
Applied to the banking sector, for many years we have been experiencing a unified digital language that promises a great deal – including what is purported to be technical progress in all areas of modern banking. In simple terms – from online banking to automated securities trading through to modern payment systems, the emerging belief is that "banking is necessary, banks are not". The German Federal Financial Supervisory Authority (BaFin) cites providers of payment accounts for sellers and customers (such as Paypal), credit card solutions (for example 3D-Secure), debit-based solutions (such as paying on Amazon), forwarding of customers to a bank website (for example giropay, iDeal), as well as acceptance of a customer's PIN and TAN for online banking, and forwarding of a payment order to the account holding PSP (for example immediate transfers). The list is long and the benefits of each solution are emphasised in colourful advertising. It is suggested that customers can access their banking data whenever and wherever they are and make transactions anywhere in the world. For example, the President of the German savings and deposit banking association, Georg Fahrenschon, is already envisioning a "Savings Bank 2.0". At the beginning of 2013, Fahrenschon said: "In the future, our customers will increasingly want to and will be able to contact their savings bank any time and anywhere from any conceivable device." Meanwhile, Martin Zielke, the Commerzbank director responsible for private customers, is talking about investments of around 200 million Euro in IT and digitalisation of his bank. Commerzbank has a new online portal, a tablet app and their photoTAN, with what Zielke says is "the best security mechanism in online banking".
Huge scope for digital bank robbers
Let's talk about security. As well as the widely touted benefits and opportunities of the digital bank, there are numerous risks associated with using new technologies. Essentially, all-encompassing digitalisation increases the susceptibility of private and business banking systems alike. Here are just a few examples from recent months. Hackers break into credit card providers' computer systems, steal credit card numbers and PIN codes and can then get away with around 45 million US dollars. In a major attack on the US bank JP Morgan Chase, hackers stole user data belonging to 83 million private households and companies. Thieves can access online banking data using wireless data and make off with money. The methods used by digital bank robbers are varied and the number of unreported cases of professionally executed theft could actually be much higher. Experts suggest a figure of up to 90 percent for Internet crime. The BaFin has stated that the different payment methods available "are currently associated with various risks for customers, sellers and financial institutions". In its publication on "Zahlungsdiensterichtlinie II: Risiken und schwerwiegende Folgen für Nutzer und Kreditinstitute" (Payment service provider directive II: Risks and severe consequences for users and financial institutions") the BaFin deals explicitly with the threat of possible attacks and cites "man in the middle" attacks, social engineering and phishing attacks as major risks in online banking. A "man in the middle" attack involves the attackers positioning themselves between the two communicating parties (customer – third party payment service provider/seller). The BaFin concludes that there is a need for considerable improvements. "Better, more secure online transactions are in the interests of European customers, sellers and, ultimately, the payment service providers too. However, it will not be achieved if technical issues are not resolved stringently."
The end of cash?
In Sweden, there are already pilot projects in which bus tickets or groceries, for example, are now only rarely paid for with cash. Credit cards or smartphones are used instead. Back in 2012, the FAZ reported that cash is likely to disappear. According to the newspaper, this idea is being promoted by "techno-prophets in business and politics" who see cash as outdated and impractical. This makes sense for those advocating the change, as cash is the last bastion of anonymous payment. Cash means freedom for citizens and a loss of control for companies and the state. While customers can buy with relative security because they are unmolested, the issue of cash is a thorn in the flesh of companies, banks and financial authorities. The reasons? They have no transparency as to what customers are doing – what, when, how and where they are buying (the "transparent person" concept). For financial institutions, handling cash, piggy banks and savings stashed in old socks is a costly undertaking. A digital financial world without cash promises to make accounting easier for banks and traders and to provide cost saving opportunities. According to the FAZ, in the foreseeable future the world economy will no longer revolve around circulation of notes and coins but around EFT (Electronic Funds Transfer) using financial EDI (Electronic Data Interface). At the same time tax authorities fear hidden and untaxed income, which is less likely in a cashless world, for normal citizens at least.
In essence, trade and transactions are easier. This is a good thing and opens up new opportunities in markets. However, the brave new world of payments also has its dark side. Older people struggle to operate the new technologies and people without a mobile device or credit card are unable to make purchases. Critics view these as disadvantaged citizens who can no longer choose for themselves the method they want to use to make purchases and payments. Not to mention opening up a gateway for attacks by hackers. While a bank robber previously had to take a big risk to reconnoitre a bank, rob it and make off with the loot, these days it's easy.
In the digital age professional thieves largely operate in the shadows. Hacker attacks on major banks or web shops can be made from any external state. The perfidious thing about it is that in many cases the victims do not immediately notice – the attacks are quiet and unobtrusive. In an article on "IT Security: Bank supervision expectations", the BaFin concludes that IT security is becoming increasingly important as the threat is growing [see BaFin 2013]. "In particular, hackers' attacks are becoming increasingly professional. In view of the returns that organised criminals can gain from fraud, industrial espionage or sabotage, there is a strong likelihood that this trend will intensify. Huge hacker attacks on major American institutions and on companies in other sectors such as aerospace and the steel industry give an impression of the kind of fate that could also befall German institutions if they do not take action in good time." [BaFin 2013, p. 26].
A look at the cyber risk map 2015
The Kaspersky Security Bulletin 2014/2015, published in December 2014 [Kaspersky 2014], provides a foretaste of possible threat scenarios. Security experts anticipate that a new stage in the evolution of cyber-criminal activity is imminent. They expect APT (Advanced Persistent Threat) tactics and technologies to be increasingly used in financially motivated criminal activities. Advanced Persistent Threats are complex, targeted and highly effective attacks on critical IT infrastructure and confidential data belonging to public bodies, banks, large corporations and SMEs. There is also a lot of talk about cyber threat or attacks in this context. "Advanced" is the key word here, as APTs are concentrated on particular, selected victims, people or institutions. This means that APTs are on a whole other level to conventional attacks using malware (on a target group that is not clearly defined). "Persistent" means that APTs use the first infected computer merely as a springboard into the affected IT structure's local network, until the primary target, for example a computer containing sensitive research and development data, is seized for intensive spying or sabotage. In the context of APT, "Threat" refers to a potential risk caused by a specific weakness.
The cyber risk experts from Kaspersky Labs are registering an increasing number of incidents involving malware getting into banks and using methods that are textbook examples of APT. Once the attackers are inside the bank's network, they acquire enough information to enable them to steal money directly from the bank in several ways:
- Remotely commanding ATMs to pay out cash;
- Making SWIFT transfers from different customer accounts;
- Manipulating online banking systems to enable transfers to be made in the background
Attacks on ATMs in particular appear to have exploded in the past year. As most of these systems run under Windows XP and have poor physical security, they are automatically very susceptible to attack, which makes them a desirable target for cyber criminals. In 2015, Kaspersky Labs expect an increase in APT attacks on ATMs. These refined technologies make it easier for cyber criminals to get to the "brain" of the machines. The next phase will be for attackers to compromise banks' networks and use this access to manipulate ATMs in real time.
However, manipulating ATMs is not the only item on cyber criminals' agenda. As the popularity of virtual payment systems is increasingly rapidly in many countries, many hackers are concentrating on attacks in this area. This could be extended to Apple Pay, which uses NFC (Near Field Communication) for wireless transactions. This area is a treasure trove for security researchers. Although Apple Pay is designed to be secure, cyber experts agree that hackers are looking for and will find ways to overcome these hurdles [Kaspersky 2014]. The race between cyber criminals and IT security professionals is like the classic Grimm fairy tale of the hare and the hedgehog. We know how that turned out – after the 74th race the hare collapsed with exhaustion and died.
Focus on people
Supervision, legislation and processes alone are not enough to counter the many and varied risks in the banking sector. Parameters have to be defined, such as stable IT operation with professional IT services and integration into the relevant financial institution's internal control system. The same applies to IT development, selection of IT service providers and integration of all measures into a company-wide Enterprise Risk Management (ERM) system. In addition, institutions must have an appropriate technical and organisational structure and an appropriate emergency response concept, particularly for IT systems [see BaFin 2013, p. 22].
This is a key factor in mapping risk data as correctly as possible. As financial institutions' complexity and size increase, with a constant stream of new technical challenges and rapidly changing product cycles, this is far from being a trivial undertaking.
It is a core task of banks' executive boards, namely professional management of opportunities and risks. When all said and done, risks are a bank's core business. The overall strategic direction of the system determines the understanding of risk. In other words, risk management is part of strategic business management and thus cannot be delegated.
The responsibility lies with managers, and this means that many managers in banking urgently need to adopt a contemporary management style focused on risk and value. They also need to incorporate all employees into the overall process of risk management, promptly and comprehensively recognising each individual colleague as an important part of the bank. One thing is clear. Without a focus on people and raising awareness of handling sensitive banking data, any technological innovation will fail and IT security measures will not have the desired impact. This is especially true in today and tomorrow's complex and digitalised banking world.
- DTCC : Cyber Risk – a global systemic threat, A White Paper to the Industry on Systemic Risk, October 2014.
- European Parliament : Amendments adopted by the European Parliament on 3 April 2014 on the proposal for a directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC (COM(2013)0547 – C7-0230/2013 – 2013/0264(COD)).
- Gracie, Andrew : Managing cyber risk – the global banking perspective, Speech British Bankers’ Association Cyber Conference, London, 10 June 2014.
- Kaspersky Labs : Kaspersky Security Bulletin 2014/2015 – Ein Blick in die APT-Kristallkugel [A Look Into The APT Crystal Ball], 11.12.2014.
- Kokert, Josef/Held, Markus : IT-Sicherheit: Erwartungen der Bankenaufsicht [IT Security: Banking Supervision Expectations], in: BaFin Journal, November 2013, p. 22-26.
- Kokert, Josef/Held, Markus : Zahlungsdiensterichtlinie II: Risiken und schwerwiegende Folgen für Nutzer und Kreditinstitute [Payment service provider guidelines II: Risks and severe consequences for users and financial institutions], in: BaFin Journal, June 2014, p. 26-34.
Andreas Eicher, Editor in chief of the competence portal RiskNET – The Risk Management Network
Frank Romeike, Managing Partner of RiskNET GmbH – The Risk Management Network, board member and chairman of the Society Of Risk Management and Regulation, and editor in chief of RISIKO MANAGER magazine.