How to defend against cyber attacks in open-banking environments

At the FuW FinTech Forum 2019, which took place on March 14, experts from the banking industry met in order to discuss digital transformation in the finance sector. In keeping with the “beyond banking” motto, we had the opportunity to highlight Cyber Security issues in open banking.

Cyber crime in the world of open banking can be compared with a medieval castle: attackers attempt to force their way inside, and not just via the main gate. On the contrary, attacks come from multiple sides at the same time, with the attacker looking for an open window, building tunnels and even launching airborne attacks. To date, banks have been solid castles, and almost impossible to take over. As a result of open banking, banks are now opening up their systems and sharing data with third parties – the castles are opening their gates to attackers.

Cyber risks in the area of open banking

We already know about ecosystems opening up: American social media services such as Facebook and WhatsApp are showing the way and have provided insight into their APIs for quite a long time. They thereby create added value for their users, such as new opportunities, more comfort and the connection of services. However, banks have significantly more sensitive assets than social media services.

“Cyber crime is the greatest threat to every company in the world” – Ginni Rometty, CEO and President of IBM

A report published by the Cyber Security companies Carbon Black and Optiv Security in March 2019 shows that cyber attacks against banks and financial institutions have again increased: 67% of the responding institutes reported an intensification of cyber attacks during the past 12 months. At the same time, attackers now also give up less quickly. At 32% of the institutions that had been attacked, the hackers were not discouraged by preventive measures. On the contrary, attackers responded with countermeasures and tried to lay siege to the banks.

Assets act as a magnet for cyber crime

Transaction data available in open banking can say a lot about an individual. If someone hacks into the system, they can find out my identity. They can see who I am: if I am and when I got married, how much I earn, and when I changed employer. They have a detailed insight into my assets. The attacker can identify my medical health status and see when I was at the doctor, what medications I buy at the pharmacy, and how often I need them. Do I eat healthily? Where do I make purchases? Do I exercise? What means of transport do I use? Where do I go on holiday? How big is my carbon footprint?

Banks hold a bundled concentration of assets. They know a lot about their customers and should make these data usable in a positive sense. However, if these data fall into the wrong hands because of a cyber attack, it is not only the benefits of their use that are lost, but the reputation of the bank is also ruined in the long term. The reputational damage would be irreversible.

The modern bank robber is a hacker

Bank robbers of the past, who opened a safe in person, no longer share similarities with modern robbers. The robbers of today sit with a laptop on a yacht, a sofa, or in a garden and easily and persistently hack into banks from there. They are looking for

• money, regardless of whether this is in the form of dollars, francs, euros or cryptocurrencies,
• identities, which can be sold on the Darknet or used for social engineering attacks,
• data, which can be monetised in many places,
• availability, that is the possibility of disrupting the availability of the bank, hindering operational business activities using denial-of-service attacks and then later blackmailing the bank or its customers and partners.

Hackers try to penetrate the system from all sides: they will try to force entry, for example, through the bank’s internal network, interfaces to the partners in the same ecosystem, customer devices and the internet infrastructure. 32% of the financial institutions surveyed for the Carbon Black and Optiv Security report had experienced so-called island hopping during the past year. Because of open banking, the gate to the castle is open, even if only by a chink. So how can banks protect their assets effectively?

Effective Cyber Security in open banking

Just insuring themselves against cyber attacks is the wrong approach. The food company Mondelez insured itself in the USA against failures of its IT systems for the insured sum of USD 100 million. Nevertheless, the insurer, Zurich, refused to cover a claim resulting from Mondelez suffering a NotPetya cyber attack. The reason given was them citing an exclusion for “hostile or warlike action in time of peace or war”. Mondelez has now filed a lawsuit against Zurich. The case could set a precedent for insurance against cyber attacks.

Banks can achieve more effective Cyber Security by using a multi-layer defence system consisting of various components, including:

• Raising of awareness: awareness of cyber crime should be increased among customers, employees, IT and partners.
• Education: not only the IT department, but customers and staff should also be trained about Cyber Security.
• Risk management: assets, threats and processes should be analysed, and appropriate risk management should be used.
• Crisis management and recovery: a functioning incident management procedure should be designed, implemented and tested.
• Pen testing: both IT as well as processes should be subjected to penetration tests to identify possible weaknesses.

A functioning Cyber Security approach in open banking can only be achieved if all the participants in the ecosystem play their part, from customers and advisers to the API partner, employees and IT. A central focal point here is having the required awareness. Why not start training your employees today? We are happy to support you in building a sustainable education strategy.