Amar Singh, global cybersecurity and privacy thought leader, and Neeti Aggarwal, senior research manager, The Asian Banker, discuss how banks should prepare amidst increasing threats of financial crimes in cyberspace, and how to successfully manage fraud risk in the digital age.
Here is the transcript:
Neeti Aggarwal (NA): Good afternoon. It is 1:00 p.m. in Singapore and 6:00 a.m. in London. Welcome to The Asian Banker Radio Finance – the online broadcast platform that aims to enhance the understanding of the industry by bringing together senior opinion leaders to examine current critical issues. This comprises an incisive 30-minute panel discussion with a short Q&A session in which our call-in audience can participate. I am Neeti Aggarwal, senior manager of research at The Asian Banker.
The topic for today’s session is “Combating Crime in the Digital Age: What Can We Learn From CBA?” Increasing digitisation of financial services and transactions has greatly enhanced the ease by which consumers can gain access to their banks and financial products, including sensitive assets such as bank accounts. However, it has also opened the doors for criminals and other third parties to use bank assets to perpetrate an increasingly large spectrum of financial fraud and crime.
The increasing reliance on mobile digital networks and connections via the internet or the cloud has exposed banks’ complex IT systems to more frequent cyber-attacks and cybercrime. But, these often include online mobile fraud, such as fraudulent payment and transfer, as well as credential and data theft. Recently, we heard about how 143 million Equifax accounts were hacked during the months of June and July in 2017. This included customers’ social security numbers, names, addresses, dates of birth, driver’s licenses, and other sensitive information – almost all that is needed to open or access an account.
Financial crime is an evolving threat, and increasingly becoming sophisticated. Every year, money laundering is estimated to channel around $2 trillion worth of proceeds from different illicit activities. The case of Commonwealth Bank of Australia recently came to light, where the criminals used its intelligent deposit machines to launder about $35 million across 53,000 transactions that breached anti-money laundering and counter-terrorism financing acts. Despite various efforts by the institution, almost every other week, we hear of a new instance of financial or cybercrime or fraud.
The loss of trust and damage to reputation that arises from a successful cyberattack and fraud is immeasurably harmful, even though actual financial and monetary loss may be mitigated. Regulators have put requirements in place to ensure high and robust standards on IT security risk management and preventive measures. These frauds are often indiscriminate. They’re aimed not only at the smaller banks perceived as more vulnerable, but often target the larger banks perceived as having higher standards of security protection, and are therefore more trusted.
Such is the paradox of this new-fangled digital world. The better the institution’s security standing, the more reason they may be targeted. No wonder that security breaches, control lapses, and governance failure at the world’s largest companies are making the headlines these days. We can never assume that organisations will always be vigilant or be adequately protected, as recent incidents proved. With increasingly smarter global organised attacks, the organisations are often forced to play catch-up.
In today’s session, we will be discussing the following: What banks have been doing to combat financial crime in the digital age, how to successfully manage fraud risk, and what we can learn from recent incidents like CBA and others that we’ve seen, and from their experience, what we can learn today. To do this, we’re happy to have a panellist – Mr. Amar Singh – he’s a global cybersecurity and privacy thought leader who acts as the resident consultant on information security product development and market direction for several organisations based in the US and the UK. He’s also a freelance senior analyst at Kuppinger Cole and serves as chairman of ISACA UK Security Advisory Group.
With that, I would like to start with the panel discussion. Mr. Amar, thanks for joining us for this session. Before I proceed, I wanted to take your views on how you’d describe the level of awareness and preparedness of industry and institutions in general, and how you would specifically describe banks’ posture towards tackling fraud, financial crime, and cyber-crime these days.
Amar Singh (AS): Hello, everyone. Thank you. Hopefully, some of you know me. I know some of you on the call here – on the webinar. Thank you so much, Neeti. My view is from the technology and cybersecurity point. Let’s not bash the banks too much. However, one thing to keep in mind is that cyber-criminal gangs – or criminal gangs – are now so involved in cyber-crime, and the difference is that they are not using standard software.
What I mean by that – which is very important to understand – is you are not dealing with criminals who are trying to steal $1.00, $2.00, $50.00. There is big money involved here. For those who are listening in, if you write down – when you have a moment, you can do a bit more research. It’s called “Carbanak”. It’s a criminal gang malware. C-A-R-B-A-N-A-K. Why is this important to this particular discussion? Because the Carbanak criminal gang has already stolen approximately – this is according to INTERPOL, Kaspersky, and a couple of other vendors – has already stolen over $1 billion.
I’m sure all of you have heard the term “on-the-job training,” OJT. Now, the Carbanak gang is very well-known for compromising banks – they may compromise your bank, for example, but they will not do anything stupid. They will not do anything damaging to your systems. They will observe and learn from your systems. They will watch what you are doing. It’s not a movie; it’s not science fiction. They will infect your machines, and they will then have the patience – cyber-criminals have one thing that a lot of us on this call don’t have, and that’s time.
So, imagine this, Neeti: They are probably some of the best employees, because within two to four months, they end up learning everything about how the bank operates. How they transfer money, what their KYC procedures are, what their cash teller procedures are, what their ATM management procedures are – they’re learning on the job. And then, they will repeat the same actions so that their anomalous activity is not detected.
Remember, their objective is money, and they know many – a lot of research has been done on this gang, but it may be other gangs, also. They know that they are very good on their governance. They’re very good on their compliance. They are very up to speed on what amount would trigger an alarm, for example. One CEO of a bank told me, “Amar, are you saying that this is the ideal employee?” Maybe they are ideal employees, but they are not in it for small money. They are in it for big money.
NA: So, Amar, what do you think? Do you think crime is a service, as I would say it, or much more of an organised and global organisation that is – the threat is obviously becoming more and more complex, and from what I’m hearing from you, it’s more like a bank is becoming a mute spectator if they can intrude into your systems, and become observant of your daily activities, and be able to replicate it later. So, what are the biggest challenges and issues that banks are facing in appropriately assessing these cyber and financial crime risks? Why are they failing in being able to find these out in time?
AS: I think banks – like I said, in credit to banks around the world, I think they understand, and most of the time, they have the money to invest in the technology. But, I think the adversary, the criminal gangs – and, I repeat, they’re not sitting around. Take a step back. Everyone must have heard of NSA. I’m not talking about the Nigerian Security Agency, I’m talking about the American security agency.
So, NSA recently – several months ago – had a major – call it a theft – of some of their most advanced software, malware, whatever you want to call it, that they had developed. Now, NSA has the money, the brains, the scientists, the geeks, and in their many years, they have developed a lot of advanced software to basically spy, to intercept communications, to compromise machines, et cetera. It’s so advanced that Microsoft, Apple, and other vendors did not know about it.
Now, that treasure trove of software has been stolen by criminal gangs, and I’m sorry to say… On the BBC website, I’m known as a pragmatic, paranoid professional, but in this case, I’m a bit more paranoid because that software is extremely powerful, extremely dangerous, and for many months now, it has been in criminal hands. I’m sure all of the listeners here must have heard of “WannaCry”. WannaCry was a result of that theft – a small result of that theft.
Now, what I’m trying to say is yes, we want to beat banks up – regulators want to beat banks up. For whatever reason, they did not protect the money. If it was my money they lost, I would be angry. But, the reality is that criminals are not using, if I may, bog-standard off-the-shelf software. The criminals now have access to the same software – badware, malware, whatever you want to call it – they have access to the same things that the NSA has developed.
So, for everyone listening in, just take a minute and think about the threat. The risk is obviously going to increase, but the actual threat that you are now dealing with is no longer software developed by one guy, one girl, or whatever. You’re now dealing with the threat of software that is now being used that was developed by one of the most intelligent, powerful agencies on the planet, and that’s why the threat landscape – and, banks must be aware now of what they can do. They can do several things, and they’re already doing several things.
But, the reality of the situation today is instead of – and, this is not only for banks. Everyone listening in can share this with their clients and other businesses. The reality of the situation is that banks and organisations must stop thinking about 100% protection.
When I do consult with clients, when I talk to clients, when I do presentations, the question is if someone asked me today, “Are you secure? Is your bank secure?”, and I work for them, and I said yes, and tomorrow they got hacked, I would be fired. If I said no, I would still be fired. So, the better question – and, everyone listening here should take note of this – the better question is are you prepared? Are we prepared to deal with a Carbanak attack? Are we – Carbanak, just for those who joined in a few minutes ago, is C-A-R-B-A-N-A-K – are we able to respond to a Carbanak-style, advanced NSA software attack?
The other question is are we able to detect an NSA software-based attack that criminals now have access to? Governments have to do their jobs, but sadly, some really advanced criminal gang stole that software and is now selling that software on the market. That’s why the threat landscape – those listening in should feel free to ask questions, must go back and talk to the cybersecurity officers. Yes, you may need to improve your KYC procedures, your AML – you may have to look at that, but the reality is the criminals are also pretty much aware of AML, KYC, and a lot of the procedures that you have. Carbanak will learn what procedures and policies you have.
So, the bank or any organisation has to become more proactive, and almost more paranoid about – I know it’s not easy, but imagine walking into your house, and every day, before you walk into the house, you ask, “Is someone there?” I know it’s a bit paranoid, but given the profile of banks, the fact that they handle money, and the fact that criminals now have access to some of the most advanced software ever made to hack, the threat profile is definitely saying, and I’m sorry to say that CBA is probably just one of the many that are going to come in the future.
NA: So, essentially, from what we are seeing, if the criminals already have such an advanced system in place, a lot of reactionary stance – for banks, where trust is probably the most important thing because it’s the whole philosophy on which they are based – the trust with people’s money that they have. So, it’s much more of a defensive or a reactive stance. How can they be proactive enough? How can they devote the resources to prevention and mitigation of these cyber-attacks? That’s the primary requirement of how to manage these now.
AS: That’s a very good question. Let me give you one example, okay. I’m sure almost every bank on the planet is doing security assessments. Another word for that is “penetration testing”. Here is a simple story I tell people. Imagine there are only ten bank CEOs on the planet. Nine of the CEOs have been murdered, and those CEOs were murdered by eating poisoned cake…for some reason. Now, there’s only one CEO left, and the bank decides they’re going to build him or her a super-strong, bullet-proof, bomb-proof house out in the river where nobody can swim to him. There are crocodiles all around the river, and he’s going to be super safe. But, guess what? They forgot to check the cake.
NA: So, that’s the whole point. Today, at this, every attack is different from the other. So, for example, if we find out what happened –
AS: I understand. I’m going to correct you here. Every attack appears different. Criminals are lazy. If an attack style works – if someone has managed to kill nine CEOs by cake, by food, most cyber-criminals would say, “Oh, that’s their weakness.” You see what I’m trying to say? I’m trying to say that there’s no point in building the strongest bullet-proof, bomb-proof house with crocodiles, lions, and elephants if someone forgets to test the food. That’s a very important concept because criminals use strategies that work for other criminals. Trust me.
Now, yes, the output is going to be different – the Equifax hack was 140 million records, et cetera. The output is definitely different, but the actual method of compromise – and, this is for the banks. I don’t want to get technical here, but talk to your technical people. Write down something else: It’s called “CBEST”. Charlie B-E-S-T. CBEST is a framework by the Bank of England that basically tells banks how to run security assessments. I don’t want to get too technical, but everyone listening in please write it down. CBEST framework. It’s free information. It’s copyright Bank of England, but the information on how to do the test is free.
NA: So, it’s understanding the scenarios that we have in different attacks right now, and making sure that the same concept is not replicated in our own bank.
AS: Exactly. It’s a scenario-based testing. It’s not just walking into a house and saying, “Yeah, I took a hammer and broke the wall down”. The wall wasn’t the problem. The scenario wasn’t testing the wall. So, you hit the nail on the head.
NA: So, if a bank has to devise a comprehensive strategy against cyber-crime and financial crime – CBEST, as you mentioned, is one of the ways in which they could be testing the scenarios – but, a more holistic organisation-wide kind of approach… Often, from what I’ve seen, a lot of times, the approach has been of a fragmented, or a piecemeal kind of approach. How would you advise the banks to build their security management within the organisation?
AS: There’s one simple answer to this. If the big boss does not admit and acknowledge that cybersecurity is a business risk – and, I’m not saying banks are not doing that; I’m saying generally – if the big boss, the CEO, the board does not make it clear to all employees that cyber is a major threat, and we are all working together – I’ll give you an example.
For those of you who have been to the UK and Europe, health and safety – hopefully, most of the time, you can no longer electrocute yourself by putting your hand on the kettle anymore. What I’m trying to get at is that in most organisations in the UK, health and safety is basically practiced religiously, and made sure that every employee is…
So, the same must happen for cyber, for IT, for information risk. It’s not an IT problem. Yes, there’s a lot of money spent on IT on firewalls and, actually, exit or exit ramp. But, cyber must become a business risk from the top. That lays the foundation for everything else you’re talking about. We could be here for hours and hours about different strategies, but the foundation of a secure organisation has to be management accepting that cyber is a business risk and that information risk is a business issue as much as bribery legislation or AML. Then, you have a chance.
NA: So, the top management oversight and commitment to cybersecurity is probably one of the most important things right now. In terms of data and technology becoming an enabler for preventive measures – we are seeing things like real-time analytics, monitoring, or authorisation controls like biometrics – any suggestions on what could be a more effective strategy towards building your systems in place in order to be able to manage these threats?
AS: That could get really technical. It’s a good question. How much time do you have? Do you want me to discuss that? Again, it goes back – in total honesty, it depends on what your risk profile is. In the UK, some banks have made the decision that I can do banking with my thumbprint, but they have taken the accepted risk of…I can’t remember. I think it’s about £100.00, or something. There’s a limit to how much banking I can do with my thumbprint because they want the customers to enjoy technology and transparent access.
So, it’s a risk-based decision. You can make it really onerous. You can say you must scan your eye, your thumbprint, and your hand. But, customers want ease of access. The banks have to figure out how to give ease of access and increase the security at the same time.
NA: It’s becoming an issue of having customer-centric fraud management while being able to…
AS: Exactly. Having a customer-centric approach while being able to keep the customer secure. Now, many organisations and banks are also trying to figure out how to make sure they put the responsibility of security on the customer. The banks are doing everything, but there’s still a lot of fraud happening. So, your laptop or mine could be compromised, but the bank is still secure. What some banks are doing is tying up with antivirus software vendors and offering discounted products to their customers as one way to encourage them to make themselves secure. Am I making sense?
So, one strategy that I think works is educating your customers on the dangers of cyber. In retail banking – customer banking – one of the biggest weak links is the customer, not the bank. CBA was different, but if you take other risk, you and I are the biggest risk to the bank, rather than the bank itself, because we are using browsers, we are not updating our software, et cetera. In some countries I’ve heard of – I can’t remember the names – if you lose money because of a cyber-attack, it’s your problem. In the UK, the money is still protected, but sooner or later, the banks will have to flip. Now, why not educate your customers and make them more secure at the same time? It’s a win-win situation.
NA: So, it’s not just the endpoint security or the weakest link. It’s also the customer education, which is equally as important as the kinds of systems that you have in place.
So, here is my last question: If we had to look at the industry as a whole, what kinds of collaborative or united efforts could be tough enough to tackle the growing sophistication of attacks? How could governments, banks, and private institutions be working together against international crime, and are there any lapses or failures from one side in that sense that you’re seeing today?
AS: I think a lot of banks are already sharing intelligence. Maybe some banks are not doing it, but they should check it out. Many governments are sharing intelligence. What I mean by “intelligence” goes back to the story of the cake. One bank is sharing the intelligence. “Hey, buddy, please make sure you don’t eat the cake. Check the cake.” So, that is happening quite a lot. It could happen more.
Why is that a very effective way? Instead of scaremongering, it’s threat intelligence. If someone knows something has happened because of eating cake, it’s almost – you or I would tell our families, “Please be wary of that particular brand. Don’t eat that cake. It’s got plastic in it.” Am I making sense? So, something as simple as that – obviously, translated into technological terms – is a very effective way of reducing the risk, the likelihood.
We could go on and on, but for the takeaway for now, that’s one thing most banks should look at. Is your government already sharing threat intelligence? If not, can you join information-sharing platforms? What is out there? There are many out there in the US and other countries for the banking sector that share intelligence. They should look at that, and they should definitely talk to their governments about how much threat intelligence is being shared.
NA: True. So, essentially, the information-sharing part could play a much bigger role. In fact, a lot of times, what we’ve found in the past is that these security lapses – because they lead to so much mistrust or loss of reputation for the organisation – many of these hacks may actually not be publicised. But, what we’re talking about is if there is more proactive information-sharing, then there will be greater preventive measures going forward. So, it’s a balance for an organisation to be aware of a reputation loss and not suppressing the information, but being proactive and sharing it.
So, are you expecting to see regulatory compliance costs to go up and more regulations because of these increased threats? Are you expecting to see more in that front?
AS: I don’t think there is a direct correlation with the fact that threats are going up and fines are going up, but I think that over time, if the attacks continue succeeding, then the fines are going to go up without a doubt. I think Singapore actually has some of the strictest regulations around breach notification and reporting, which is good – it keeps banks and financials on their toes.
NA: True. So, just to summarise what we have discussed today, the complexity of threats is definitely increasing, and to the extent that – as you mentioned with the NSA example, what is required from banks is to study the past incidents and to be able to proactively manage threats, keeping in mind the kinds of systems that have been used in previous cases. So, that could be one way of being more preventive.
Of course, from a strategic perspective, it definitely needs much more management oversight, board oversight, and probably a more holistic strategy that goes across an organisation to manage these threats. But to talk about the – you mentioned CBEST, and of course, there are other frameworks. In fact, MAS also came out with TRM guidelines on IT risk management.
So, those are some of the areas that banks need to actively look at managing, and they need to build their IT systems in such a way that it is a more holistic, less fragmented approach where they are able to have multi-layered security and complement that with customer education at the front-end because customer education is very important for the endpoint security. When we are talking about these interconnected people, devices, and organisations in this world, it opens up a whole new playing field of access points and vulnerabilities that banks need to talk about.
Lastly, we need industry-wide, greater information oversight, greater sharing of information, and not just from institutions or regulators, but also government-induced intelligence and sharing of information. That could be the other area that institutions can look at in greater scale.
AS: Just one final – and, you’ve already covered it – again, we’re not trying to put fear into anyone, but the reality is there’s too much money in cyber-crime, and it’s only going to go up. Every man, woman, dog, or cat – whatever you want to call it – has an opportunity today to buy cyber-crime as a service.
NA: Definitely. So, banks have to be much more proactive and preventive. In fact, they had to be yesterday, and more so today.
Definitely. Thank you so much.