A Blog by Jonathan Low


Feb 4, 2013

Electronic Banking is Larger, Faster - and More Vulnerable

As safe as Fort Knox.

That is what people used to say when they wanted to reassure someone that whatever they were worried about enjoyed the ultimate protection from any threat imaginable.

Fort Knox was a facility in rural Kentucky where the US kept most, if not all, of its gold reserves. It allegedly had the most sophisticated and impenetrable defenses available. And as if that weren't enough, it was located within a larger military installation where the US Army headquartered and trained its considerable armored forces. Nobody would even THINK about messing with those guys.

Our money was safe. Wasn't life simple and grand?

The problem we now face is that banks, governments and the rest of us who rely on them are faced with a system in which most of our wealth is not actually physical. It resides, electronically, in networks. There are servers, with back-ups, that contain the information which represents that wealth and the transactions that sustain it (or not), but most of it is the ephemeral output of bits and bytes.

Protecting actual gold with tanks and minefields and barbed wire was something that a tangibly-oriented society could understand. But who is responsible for protecting fibre-optic cable or wireless networks on which space is leased or owned by those who want to use it to report on or transfer wealth? Owners and investors may not be from any one country and may well not be from the country in which the wealth was created, taxed and supposedly stored.

When everyone is responsible, no one is responsible. Banks and other financial institutions are attempting to protect their server farms, but the networks on which they rely are usually owned in partnership with others or owned outright by entities outside the direct control of the bank itself. A confusing mix of government regulatory and military agencies are attempting to define limits and frameworks and boundaries and all of the other concepts that may help them determine who is responsible for what and where. The issue, of course, is that it's just not that clear-cut. Alliances and agreements and understandings and compromises have to be made to attempt to provide the best protection possible given the mind-boggling array of competing interests and concerns. All of which is to say that anyone wishing to attack this system will find gaps and holes.

This is the way we have chosen to live and work and bank. It is efficient and without a similarly loose model, global commerce would be more difficult. But we must live with the trade-offs and understand the risks they entail. JL

The Economist reports:
As banking has gone electronic, it has also become vulnerable. In the dusty hills north of Madrid, in low-slung buildings guarded closely like bank vaults of old, are the rows of servers that run the far-flung banking empire of Santander, a big international bank. Ever since the 2001 attacks on the World Trade Centre, banks like Santander have invested billions in safeguarding and duplicating their data centres to protect them from terrorist attacks and natural disasters.

The threat against banks has, however, evolved. Although the physical infrastructure of the world’s financial system is largely secure, the software that runs on it is not. Bank bosses and regulators are becoming more concerned by the threat posed to financial stability by networks of hackers that have launched a series of attacks on banks over the past few months.

In that time some 30 large global banks, mostly American, have suffered from a series of assaults designed to shut down their websites. These attacks are known as distributed denial of service (DDoS) attacks because hackers harness an army of infected computers to bombard the target with internet traffic with the intention of overloading it. They are relatively unsophisticated. But they have periodically frustrated customers trying to use online services at banks including JPMorgan Chase, Wells Fargo, Citigroup and PNC.

They have also shown some novel features, such as the conscription of computers in “cloud computing” data centres, increasing the amount of spurious traffic generated. Several people familiar with these attacks say there are strong indications that the hackers are state-backed; many suspect the involvement of Iran.

The attacks have caused little more than brief inconvenience, mainly because they were targeted at the public face of the affected banks rather than their connections to other banks and to payment systems. Even so, they have brought to light vulnerabilities in banking and payment systems. Ross Anderson, a professor of security engineering at the University of Cambridge, frets that hackers could cause mayhem if they were to aim DDoS attacks at banks’ crucial infrastructure instead of their websites. “If 20,000 machines started hammering British payment gateways on the last weekend before Christmas, people wouldn’t be able to shop except with cash,” says Mr Anderson.

Another risk is that hackers may graduate from crude DDoS attacks to more sophisticated ones that secretly penetrate banks’ systems and then steal or delete data. “From what we’ve seen … the threats haven’t been life-threatening,” says one regulator. “At the same time we want to be ahead of this curve. The fundamental challenge is that the risk morphs quickly and can be difficult to detect.”

The official responses include increasing regulators’ oversight of banks’ computer systems and war-gaming attacks on banks and the networks that connect them. Yet much remains to be done. At the moment banks have little incentive to share information on attacks and vulnerabilities with regulators or competitors. Supervisors also appear to be unwilling to talk publicly about their concerns or about investigations into lapses by banks, such as the systems failure in mid-2012 at the Royal Bank of Scotland that left many customers unable to carry out transactions.

One step is for regulators explicitly to acknowledge that an IT failure at one bank can spread financial instability or undermine trust in payment methods such as debit cards. They could then grade banks publicly on the quality of their systems and force them to improve things if they fall short of required standards.

But that approach raises another, thornier question: whether governments should just force banks to invest more of their own money in cyber-security, or whether they should devote their own resources to protecting banks from attacks by enemy states and their surrogates? “No one in the United States is expected to provide for their own air defence,” points out Richard Bejtlich of Mandiant, a computer-security firm. “We have an army to repel a land invasion, so who is out there protecting the cyber lanes of control? Nobody. It is a free for all.”
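The Economist piece describes DDoS attacks as an army of infected computers flooding a target with traffic. The practical consequence for a defender is that the flood is distributed: each machine sends only a modest number of requests, so a detector that only counts requests per source address sees nothing unusual. The example below is an added illustration, not code from the blog post, The Economist or any bank named above; it runs a small window-based detector over constructed web-server access log lines (the IP addresses, timestamps and thresholds are all assumptions chosen for the toy data) and shows that a single noisy host and a botnet-style flood need two different checks: a per-source rate limit catches the first, and an aggregate rate check across all sources is needed for the second.

```python
"""Window-based flood detection over constructed access-log lines.

Added illustration, not code from the blog or The Economist. All log
data below is constructed; thresholds are assumptions for the toy data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Subset of the common log format: client IP, bracketed timestamp, request.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_seconds=10, per_ip_limit=50, total_limit=500):
    """Bucket requests into fixed windows and flag two kinds of flood.

    Returns a list of (window_start, kind, detail) tuples in time order.
    - "single-source flood": one IP alone exceeds per_ip_limit in a window.
    - "distributed flood": the window's total exceeds total_limit even though
      no single IP is over per_ip_limit (the botnet case a per-IP rule misses).
    """
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    t0 = min(ts for _, ts, _ in events)
    buckets = defaultdict(list)
    for ip, ts, _ in events:
        buckets[int((ts - t0).total_seconds()) // window_seconds].append(ip)
    findings = []
    for idx in sorted(buckets):
        ips = buckets[idx]
        per_ip = Counter(ips)
        top_ip, top_count = per_ip.most_common(1)[0]
        win_start = t0 + timedelta(seconds=idx * window_seconds)
        if top_count > per_ip_limit:
            findings.append((win_start, "single-source flood",
                             f"{top_ip} sent {top_count} requests"))
        if len(ips) > total_limit and top_count <= per_ip_limit:
            findings.append((win_start, "distributed flood",
                             f"{len(ips)} requests from {len(per_ip)} sources, "
                             f"at most {top_count} per source"))
    return findings


def constructed_log():
    """Three 10-second windows: quiet baseline, one noisy host, then a botnet.

    Constructed data using documentation address ranges; nothing here is a
    real client, bank or attacker.
    """
    base = datetime(2013, 2, 4, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, offset, n):
        for i in range(n):
            ts = base + timedelta(seconds=offset + (i % 10))
            lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512')

    for i in range(20):                       # 20 ordinary clients, 3 requests per window
        for offset in (0, 10, 20):
            emit(f"10.0.0.{i + 1}", offset, 3)
    emit("203.0.113.7", 10, 80)               # window 1: one host sends 80 requests
    for i in range(250):                      # window 2: 250 hosts, only 3 requests each
        emit(f"198.51.100.{i + 1}", 20, 3)
    return lines


if __name__ == "__main__":
    for win_start, kind, detail in detect_floods(constructed_log()):
        print(f"{win_start:%H:%M:%S}  {kind}: {detail}")
```

Running it prints one finding for the second window (the noisy single host) and one for the third (810 requests in ten seconds from 270 sources, none sending more than three). The second finding is the one that matters for the article's point: dropping the aggregate check and keeping only the per-source limit, which is what many simple rate limiters do, leaves the botnet window looking like 270 well-behaved clients.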
