Cyber attacks like hacking put not only sensitive information but also huge sums of money at risk. Not far from home, the hacking of the Bangladeshi central bank’s account from the Federal Reserve Bank of New York in February led to $81 million in stolen money getting laundered in Philippine casinos after entering the country through the financial system.
Banks are on their toes, and are now working to beef up online security measures to protect themselves and their customers.
“Online security is a continuing effort. Banks constantly exert efforts to update their security software and protocols. On the other hand, cyber-criminals also exert efforts to overcome bank security. So banks redouble efforts in reaction,” East West Banking Corp. president and chief executive Antonio C. Moncupa Jr. said.
“Banks are also careful that they have competent and trustworthy people to man their IT (information technology) systems,” Moncupa added.
In a recent interview, Etay Maor, senior fraud prevention strategist at IBM Security, said security threats in banking could be minimized by a very simple solution—data sharing among peers.
While he noted that banks, in nature, tend to be protective and secretive with data and information, Maor noted it was only through information exchange could they better combat cybercriminals together.
He said one of the products of IBM—one of the fastest-growing security companies in the world— allowed thousands of firms to share information and opened collaboration to shield themselves from attacks.
“For example, if a criminal uses an IP address, users of our product share such information to warn others. We have no other way to beat criminals,” Maor said.
“You don’t have to shoot bombs today. You just have to shut down several banks and their infrastructure, and that’s it. Organized groups have capabilities to do cyber attacks. It has become easy to do phishing attacks … It’s very easy today to be a criminal—you can go just go to online forums and ask questions, people will help you,” Maor pointed out.
Maor said cyber attacks on banks had become a global problem, such that billions of dollars were being lost to cybercriminals each year.
In a recent statement, cloud services provider and ePLDT affiliate IP Converge Data Services Inc. (IPC) said the banks’ cyber security measures at present were not enough.
IPC hence urged financial institutions “to safeguard their systems by deploying up-to-date security measures to ensure data and network protection” while also checking on their current data security setup as “even the most secure institutions are not exempt from the alarming increase in crimes perpetrated online.”
“This is a reality that has caused the loss of significant revenue for many businesses. The global recorded cost of cyber attacks is at $400 billion to $500 billion per year—about 50 percent of which is from Distributed Denial of Service (DDoS) attacks,” IPC president Rene Huergas said, citing data from its DDoS mitigation partner Nexusguard.
“Unless executives take stock of this as a serious issue at hand, companies are most likely to lose more,” Huergas warned.
Citing that “some institutions may have inadequate system and network security layers to protect them from cyber attack,” Huergas said not only the financial institution but also the customers faced greater danger.
“As data and network security is a commodity in this day and age, now is the best time to recognize that the threats are real and can make businesses vulnerable and susceptible to attacks, banks and financial institutions being the most inclined to this kind of attack,” Huergas said.
World’s most costly
According to IPC, “while DDoS attacks are considered the world’s most costly cyber crime, cyber attacks that involve malware, phishing, password attacks, MITM (man-in-the-middle), drive-by downloads, malvertising and rogue software are also widespread.”
“In fact, it was found that the Philippines’ vulnerability to cyber crimes has statistically doubled. A large percentage of computers in the country have been invaded by malware, the same intrusive software initially found to have allowed the illegal electronic transfer of funds in the Bangladesh case,” IPC added.
“This condition poses a real and imminent threat as records from the Bangko Sentral ng Pilipinas (BSP) show that around 22 million people use electronic banking services and channels and that the volume and value of e-money transactions keep growing over the years. The figure continues to increase each year as more and more people join the workforce and make use of a bank’s facilities. This translates to the overwhelming amount of data that is at risk,” according to IPC.
“Depending on the needs of the institution, additional security measures have to be in place. It is also as important to regularly review and assess whether these security measures are being implemented and are functioning well,” said Niño Valmonte, IPC director for product management and marketing.
IPC said “businesses that do not have a core competency on data and network security may leave it to experts … to conduct rigid vulnerability assessments to ensure that all bases are covered.”
Even the BSP has long been aware of risks from cyber crime.
At the first Cybersecurity Summit for the Financial Services Industry held last November, BSP Governor Amando M. Tetangco opened the event reminding industry players: “It is a fact: Cyber crimes are being committed and financial institutions and financial consumers are being targeted.”
Citing the transformative power of technology in many aspects of human lives, Tetangco noted that technology had likewise revolutionized banking and the manner it was providing services and products such that financial customers could now perform banking transactions anytime, anywhere at their convenience.
“Based on our records as of December 2014, about 22 million users of electronic banking services and channels were being serviced by more than one hundred banks across the country. Indeed, we have seen the volume and the value of transactions using e-money and e-banking channels grow steadily over the years,” Tetangco said.
The cyber landscape, however, has its downside, and also poses a threat to the financial sector.
“As in other fields, there is a downside that comes with innovations in technology—criminal elements have likewise evolved. While it is far from widespread, cyber crimes exploit advances in technology to expand, conceal and perpetrate their criminal activities from the real world to the cyber realm,” Tetangco noted.
He cited how authorities had arrested foreigners belonging to cyber syndicate who had been involved in ATM skimming, credit card fraud and phishing.
While Tetangco conceded that cyber attacks and crimes against the financial industry would likely go on, the sector could manage the risks.
In 2013, the BSP issued Circular No. 808 which, Tetangco noted, “provides the framework for technology risk management which takes into account robust and multilayered security controls for cyber-risk prevention, detection and response.”
Under Circular 808, all banks and BSP-supervised institutions have an obligation to report to the BSP any breach in information security, especially incidents involving the use of electronic channels.
“The BSP has also introduced various initiatives and supervisory enhancements for a more proactive approach to cyber security supervision and oversight,” Tetangco added.