BFSI VISION | Cyber Security


Girish VS

Managing Editor, BFSI Vision

Risking the Bank

The Banking, Financial Services and Insurance sector has been a champion of security – data, physical and cyber. Millions have been spent on creating the right security environment for the institution to perform. Regulators have added their might to the effort by prescribing norms. After all this, we believed the data and transactions are secure.

But alas. That is not to be so. There are innovative ways in which people steal data. We had written about one such innovation – the Gameover Zeus (September 2014) - a peer to peer botnet that was seemingly taken down by a massive international effort led by FBI – dubbed Operation Tovar. But the man who created the Trojan is still free and coming up with a better version. The sad part is the machines which were compromised are still compromised. Think of it, if the newer version builds in a self-destruct process which deletes the entire data if it cannot contact the command-and-control server. A new threat.

It seems the troubles for BFSI sector just got bigger. Cyber security, as implemented by firms are based on securing the companies IT assets against an intruder. But in a recent report, experts have warned that securing the companies IT assets is not enough – hackers can still sneak in through the supply chain! Last year the US retailing giant Target was attacked by a malware that stole the credit card details of more than 40 million customers were hacked. In all it lost data from more than 70 million customers. And surprise, surprise…. The malware entered Target’s systems through the access granted to a supplier!

And if you thought phishing is passé, we have a new sport in action – spearphishing – where the criminal will study the behavior of the firm’s employees through their social media sites and design messages that will have a higher click rate. But for every criminal attack, there is a fix – a US based cyber security firm – Ionic Security – uses an innovative feature for its encryption- it asks the data owner permission every time someone tries to read the data.

Looks like the suppliers and even their suppliers could be the new hacking route. And we are still risking the bank – through their vendors!