Global banks have not secured their weakest link

No tamper-proof mechanism yet to counter random threats from cyber attacks

Ramachandra Babu/©Gulf News

Three hackers recently strolled into the boardroom of a large European bank. Moving swiftly, they were soon “terrifying” the bank’s top executives by showing them how easy it was to infiltrate most aspects of their lives, according to one of those present.

In a few minutes, they had demonstrated how they could steal the executives’ identities, take control of their mobile phones, eavesdrop on their conversations, and even spy on them through the phones’ inbuilt cameras.

Fortunately, this was not a hacker-heist. The trio had been hired by the bank to help it combat a wave of cyber attacks that is becoming a serious concern for both executives and regulators. “Even hackers get older and have families and want to settle down,” explained their boss.

This poacher-turned-gamekeeper recruitment strategy is just one of many ways in which banks are trying to combat what some consider the main risk to their businesses.

Regulators have, in some ways, made the banking system safer in recent years — notably by increasing the amount of capital and liquid assets that banks must hold to prevent any repeat of the financial crisis of six years ago. But what if the next crisis comes not from the banks’ own balance-sheets but from cyberspace?

Imagine the panic that would ensue if the likes of Bank of America or Wells Fargo were forced to tell their customers one morning that they could not access their money because the bank was under attack from cyber criminals trying to rob them. If customers at other banks worried that the hackers might start targeting them next, there could be a rush to withdraw cash from branches across the country, leading to a run on the banks that could ultimately cause financial meltdown.

In the past year or two, regulators have been waking up to this threat. IT systems are now part of regular examinations by regulators, including the US Federal Reserve and the Office of the Comptroller of the Currency.

They pushed the issue even further up the agenda after hackers stole contact details for 76 million households and 7 million small businesses from JPMorgan Chase last year.

But, when pressed on whether they can fend off future attacks and what they will do if their systems are penetrated, bankers hardly sound very reassuring. “It is inevitable that a systemically important institution will go down at some point,” says the head of technology at one big bank. If the worst happened, the technology head says the bank’s systems would revert to the “last moment of integrity” by recovering data from backup systems, some of which are physically stored on tape — “in a scaled-up version of a silver suitcase with handcuffs”.

And while banks are spending hundreds of millions of dollars a year on defending themselves, executives say they are only as strong as their weakest link. Such potential weak points include the third-party contractors, vendors and suppliers that large financial institutions use.

Another Achilles heel could be the shared infrastructure that forms the plumbing of the global financial system. What if there was an attack on the Swift international payments system, which financiers say is more vulnerable than individual banks? How about the systems that allow the $5 trillion-a-day foreign exchange markets to function?

The latest area of concern is whether banks can launch counterattacks against computers they believe are being used against them. Bloomberg has reported that the Federal Bureau of Investigation is looking into whether hackers working on behalf of US institutions disabled servers that were being used by Iran to attack bank websites last year.

In the UK, the Computer Misuse Act makes it illegal for a bank to carry out any cyber strike against another computer in the country. But many attacks originate from overseas computers that are not in the same country as the hackers — and the overseas owners are often unaware that their machines are being used in this way.

“It is very difficult for banks to take pre-emptive strikes against hackers,” says Julian Cunningham-Day, a partner at law firm Linklaters. “There are a lot of legal restrictions on private sector organisations taking direct action, so you can get into trouble quite quickly.”

However, if they keep hiring the type of people who have been attacking them for years, it is possible that banks will be tempted to take matters into their own hands — and going on the offensive against cyber criminals is unlikely to end well. Banks should focus on cooperating more closely with rivals, law enforcement agencies and intelligence services to stay on top of the growing threat.

— Financial Times
