Banks are not providing enough details on cyber-attacks in order to downplay security fears, say insiders.
By Matthew BroersmaBritish banks are “dramatically under-reporting” computer attacks due to their fear of bad publicity, according to several IT security firms who provide services to them.Staff from five computer security firms that provide services and advice to United Kingdom banks said they have seen first-hand examples of banks choosing not to report security breaches, according to a Reuters report citing unnamed individuals.
Law Enforcement Left in the Dark
While the banks did not break the law, their reporting practices are overly conservative and mean the public is unaware of the true extent of the risks to which banking IT systems are exposed, the firms said.”Banks are dramatically under-reporting attacks, they do what’s legally required but out of embarrassment or fear of punishment they aren’t giving the whole picture,” said one source.Barclays’ head of information security, Troels Oerting, who joined the bank in February of last year, said banks’ sharing of data with authorities has improved since then and that Barclays provides all relevant information on attacks to regulators. Oerting was previously head of Europol’s Cyber Crime Unit.The comments will, however, add to concerns that information-gathering on computer attacks is inadequate, following a National Audit Office (NAO) report last month that found a lack of coordination in government data-gathering on breaches.
The government earlier this month opened a National Cyber Security Centre (NCSC) to help centralize computer defenses, including reporting, but the NAO said more reforms would be necessary.
Sharp Rise in Attacks
British financial institutions reported only five network-based attacks in 2014, rising to 75 so far this year, according to the Financial Conduct Authority (FCA).But IT security experts have said that such figures do not reflect the growing focus on banks and financial institutions by online thieves.They say the growing sophistication of malware such as Odinaff and Carbanak, which target banks and other financial institutions, shows a heavy investment in the coordination, development and deployment of computer attack tools.Investigators looking into the theft of $81 million using the SWIFT payment network said the attack showed a similar level of expertise.Industry observers say that as banks make it ever-easier for their customers to conduct network-based transactions, they present a natural target for online criminals.”These attacks require a large amount of hands on involvement, with methodical deployment of a range of lightweight back doors and purpose built tools onto computers of specific interest,” said Symantec in a report on Odinaff earlier this month. “Although difficult to perform, these kinds of attacks on banks can be highly lucrative.”