What banks can do to secure systems from cyberattacks

Banks are spending huge amounts of resources in trying to protect their networks rather than the money.

According to Alon Cohen, the chief executive and founder of Israeli cybersecurity company Nsknox, most chief information system officers tend to concentrate their efforts on securing bank data and networks from hackers rather than focusing on how to secure the money, which is their core business.

He gave the example of a Bangladesh Central Bank that lost $81 million (Sh8.2 billion) where a bank staff's computer was used by unknown hackers to move money via the SWIFT system.

A Swiss company, ABB, also lost $103 million (Sh10 billion) through theft by an employee working in the audit department of its South Korea unit.

In Kenya, banks have been losing billions of shillings through cyberattacks. According to an Israeli source who has worked in Kenya, and speaking on condition of anonymity, the losses in the country are worth billions of shillings, but banks do not declare them due to fears of losing their customers' confidence.

Last month, Barclays Bank ATMs were seized in what experts called jack-porting, where hackers insert a device on the money machine to disrupt the network and steal the cash.

Cyberattacks, mostly targeting payment systems, are now one of the most powerful threats, with more than  82 per cent of the companies having been targeted, according to a recent AFP research. 

According to the US Federal Bureau of Investigation (FBI), corporate payment fraud is the highest form of any cybercrime in the US. Mr Cohen’s company has security solutions that protect firms from theft by their own workers or outsiders.

In the banking sector, for example, account numbers are split into several parts and the different parts are stored into four to five other companies called cells.

For any attacker or insider to access one account, they would have to hack into the four companies’ networks which is difficult.

The company has collaborated with IT firms and lenders such as Microsoft ventures, Amazon Web Services, and Israel Discount Bank to store such information.

Mr Cohen said the technology dubbed cryptoscript is difficult to break.

“We are the first company to use it for real cybersecurity. Everything is converted into numbers. For example, number three can be stored as seven minus four,” Cohen said at a media briefing in Tel Aviv last week on the sidelines of a global cyber forum.

“Even if a hacker is able to access the database of one company, he can only get part of a number but would never access the full bank account, making it impossible to steal.”

He said no entity is strong enough to protect itself on its own. “Even a large firm like JP Morgan Bank was attacked some years back by hackers and lost 18 million files. We have to adopt cooperative cybersecurity methods,” he noted.

“Remember all accounting and IT workers in a company can steal money. We have to develop systems where they don’t have full control and access.”

He observed that most lenders lack the means to validate bank details of peers during transactions since they only know their bank account numbers.

His company, with assistance from the US Government, has managed to get account details of many bank accounts globally, which they store in a secure format and can verify whenever there are transactions to protect account holders from having their money moved to unknown accounts. Their database is updated regularly.

Check Point Software Technologies Chief Executive Gil Shwed said today’s infrastructure is vulnerable and urged companies to invest more in defence rather than detection facilities.

“I see most IT leaders investing 80 per cent in the detection and only 20 per cent in defence. This is wrong. It should be vice versa where 80 per cent is defence,” he said.

He observed that his company uncovered a hacking operation from a Nigerian youth who had managed to penetrate oil and gas companies alone.

Inspired by his "get rich die trying" mantra, the hacker conducted what initially was suspected to be a State-sponsored operation.

Check Point managed to stop the attack and got the attackers details, including his Facebook account and residence and handed over the information to law enforcement agents for arrest.

Most hacking operations are done by staff who have administrator access.

The CEO of Cyber-Ark Udi Mokady said most attackers target administrative accounts of junior staff and not senior managers who often don’t manage the systems.

He said every airline, bank or government run on IT systems managed by human beings who can easily take them over.

Mr Mokady said his company has developed a solution where the staff doesn’t have full access and control of the security of systems. According to the CEO of ThetaRay Mark Gazit, banks are using obsolete technology against hackers who have sophisticated systems.

“No one nowadays uses guns to steal from banks. They use cyber tools - be it for money laundering for terrorist activities to tax evasion schemes. Real threats are coming where you don’t expect,” he said, adding that criminals just infect ATMs with viruses while depositing a few notes.

They then shut cameras or smear them with petroleum jelly and then take the money.  

He noted that companies have to adopt artificial intelligence systems where machines monitor the networks and can identify attack attempts very early.