Payment protection: security and the cyber threat

‘No organisation is safe from the cyber threat’. This UK press headline appeared in the wake of well-publicised security breaches at telecoms group TalkTalk and power utility British Gas in October and sums up a widely-held view on the vulnerability of all organisations to determined hackers, says Graham Buck, editor at GTNews.

The list of cyberattack casualties includes some of the biggest multinational corporations, proving that size offers no protection, while the reputational damage that follows a successful attack can extend far beyond financial loss.

Shortly after the TalkTalk attack, Britain’s electronic spy chief suggested that it was time for the government to intervene in the cybersecurity industry. “It is time to take a hard look at whether the international market for cyber security is working sufficiently well,” Robert Hannigan, director of GCHQ, told business leaders. “Something is not quite right here.”

On the other side of the Atlantic, US organisations have proved equally vulnerable to attack. In late 2013, just before the post-Thanksgiving and pre-Christmas shopping season, a hacker installed malware in the security and payments system of the Target retail chain, designed to capture the credit card details of shoppers at all of its 1,800 stores. A similarly audacious attack on the Home Depot chain in September 2014 saw hackers steal 56m credit card numbers and millions of email addresses.

This article first appeared in our Payments Revolution magazine


In the same month, JP Morgan Chase revealed that a data breach discovered by the bank’s security team in late July (but only halted in mid-August) had compromised the data of 76m US households and 7m small businesses. Late November saw the most publicised security breach of all, when a hacking attack from North Korea forced Sony Pictures Entertainment to shut down its computer systems, although in this instance the primary objective was not to steal money.

These episodes have at least persuaded the US that it is time to adopt Chip and PIN technology, more than 10 years after its launch in Europe. A deadline of 1st October 2015 was set for all US merchants to instal credit card machines that accept Chip and PIN and for credit card companies to issue chip-enabled cards to all consumers and business customers. However, reports ahead of the deadline suggested that up to half of the US population didn’t know what a Chip and PIN card was.

Meanwhile, the limits of protection provided by PINs are reflected in card fraud losses by the UK banking sector, which in 2014 lost nearly £480m – a figure only surpassed over recent times in 2008. There are predictions that PINs will be obsolete in the UK by the end of the decade; David Webber of mobile payments software firm Intelligent Environments says that their demise will be because consumers are losing faith in the ability of PINs to protect their money.

Fingerprint vein reading, iris scanning and wristbands that read a customer’s heartbeat are already among alternative security measures either being trialed or used for high-value transactions by UK banks. In addition, the July 2015 UK launch of Apple Pay suggests that this contactless payment method will become increasingly popular for low-value transactions, helped by the maximum limit per payment being increased from £20 to £30 in September. More innovation is also needed to address online bank fraud, currently the UK’s fastest-growing area of crime with losses escalating from £60m in 2014 to an expected £130m-plus in 2015.


A void at board level

The GCHQ chief’s caustic assessment of the cybersecurity market has, not surprisingly, received a mixed response. “The market is providing the solutions – there is some incredibly sophisticated technology out there just waiting to be integrated into bank systems and rolled out to the public,” says Thomas Bostrøm Jørgensen, chief executive of Encap Security. “The solutions are there, but banks lack the impetus to roll these out as soon as possible.”

PSD2 (Europe’s revised Payment Services Directive) will mean that banks have to implement at least two-factor authentication, but it seems they aren’t keen to go beyond what they’ve been mandated to implement.

Ken Munro, senior partner at Pen Test Partners, also believes that the market is adequate but that there is a lack of understanding at board level about the security threat and associated issues. A recent study published by Accenture supports this view; it found that nearly half of the world’s 109 biggest banks lacked a board member with technology expertise, and one in four had only a single tech-savvy director.

“Very few banks have technologists on their boards and yet when you look at the big strategic challenges facing their business, particularly from financial technology companies, a lot of banks’ revenue is under threat from this area,” says Richard Lumb, Accenture’s head of financial services.

Seth Ruden, a senior fraud consultant at ACI Worldwide, agrees. “It takes a specific skillset to understand threats to cybersecurity, which aren’t always best understood by individuals with a background in finance. You really need certified information systems security professionals (CISSPs).”

Munro also cites a lack of accreditation and qualification within the security industry, so that companies aren’t always certain the organisations offering them advice are wholly credible. Pen Test Partners, an ethical hacking firm, provides penetration testing services that enable companies to test the security of their systems. “Everyone claims to be a cybersecurity expert, but we and others are members of the Council of Registered Ethical Security Testers (CREST), which has stringent validation for the quality of tests.”

He also urges company treasurers and CFOs to check with the company’s risk manager to confirm whether the business has a first-party cyber liability policy in force.

“If the company has been the subject of a hacking breach through invoice fraud or bank account details have been stolen it’s highly likely that the incident won’t be covered by a standard commercial theft policy,” adds Munro. Cyber liability insurance coverage (CLIC) has been available for the past decade and is offered by a growing number of insurers, although many companies are unaware of its existence.

Faced with a growing burden of responsibilities since the 2008-09 global crisis, financial professionals might understandably be reluctant to get involved in cybersecurity risk. However, they should at least be involved in detecting and preventing business email compromise, says Mark Clancy, CEO of Soltra, a joint venture between the Financial Services Information Sharing & Analysis Centre (FS-ISAC) and the Depository Trust & Clearing Corporation (DTCC). This scam involves bogus email communications, for example one purporting to be from the CEO while he is away from the office.

Typically, the email will instruct the CFO or another senior individual to make an urgent payment via wire transfer to a third party. If the requested amount appears reasonable, funds will be wired accordingly. As the bank has no reason to challenge the request, only later will the payment be exposed as malicious and the original instruction as fake. An alternative scam involves fraudsters gaining access to the company’s email account and sending a bogus message in the guise of a genuine company email.


Protection and response

In recent times, more security experts have suggested that the determined hacker will always find a means of breaching a company’s security, no matter how sophisticated it is. Security strategy should therefore focus less on prevention and more on the company’s response immediately after an attack, with an emphasis on minimising losses.

However, Encap’s Jørgensen is adamant that focusing on response shouldn’t be at the expense of protection. “Hackers and security experts will be perpetually in an arms race, and just because some skirmishes may be lost in the battle against hackers we shouldn’t stop trying to thwart their attacks,” he comments.

Clancy adds that making attacks expensive for the perpetrator and devoting more time to the handful of threats that represent more than a minor irritation are among the measures that can improve security.

“We typically face around 100 attacks in the course of a month, of which 80 don’t pose a core threat yet still take up 80% of our time,” he says. “We’d prefer to reduce that to 20% for these minor threats, so the remaining 80% can be focused on the few that are significant.”

Munro offers one final piece of advice for treasurers and CFOs. “If you think that you understand security, do you use the same password for all of your online accounts?” he asks. “If the answer is ‘yes’, you need to get and instal a password manager application. There are several very good ones, including LastPass, Dashlane, Roboform, Digipass and 1Password.”
