Cybersecurity threats aren’t just a theoretical problem for financial services institutions. They hit banks, hedge funds and wealth management companies every day. But what do they look like when they happen and what ramifications do they carry?
Kaspersky Lab, a cybersecurity and anti-virus provider based in Moscow, interviewed more than 800 representatives from financial services institutions around the globe and found that the average cost of a cybersecurity breach to a these firms is US$926,000.
Sometimes, all an attacker needs to steal this significant amount of money is a convincing phone manner. In 2015, London, U.K.-based Fortelus Capital Management LLP was duped out of £740,000 after a caller, claiming to be from its bank, warned of possible fraudulent activity. The Fortelus chief financial offer used the firm’s smart card security system to generate access codes for the caller, who then transferred the money out of the company to a variety of accounts, court filings revealed.
“Fortelus didn’t require as much preparation time as some other attacks,” says Eldon Sprickerhoff, founder and chief security strategist with Cambridge, Ont.-based security firm eSentire Inc.
Although some attacks rely on such instances of social engineering, others are far more sophisticated, Sprickerhoff says. For example, in February 2016, reports surfaced of an attack that siphoned US$81 million from accounts at Dhaka, Bangladesh-based Bangladesh Bank.
In that case, attackers used the login credentials of bank employees to access the Society for Worldwide Interbank Financial Telecommunications (SWIFT) money transfer network, who then asked the Federal Reserve Bank of New York to transfer almost US$1 billion in funds from Bangladesh in more than three dozen separate payments to a variety of banks in Asia.
The attackers took pains to cover their tracks, even installing malware at the bank that would stop its printers from producing transaction reports, buying them valuable extra time. The only reason that the bank managed to halt most of the money transfers was because one of the attackers had misspelled the recipient in one of the fraudulent requests, the Shalika Foundation, as “Fandation,” causing staff at the New York Fed to query several transfers.
SWIFT subsequently revealed that a second bank in Asia had been targeted — and Vietnamese bank Tien Phong also revealed that attackers had tried to transfer US$1.1 million from its coffers.
More recently, in late 2016, attackers hijacked and altered an undisclosed Brazilian bank’s entire Domain Name System (DNS) infrastructure (the networking resource that tells web browsers how to find their computers). The attack redirected the bank’s web domains to phony servers that pretended to be the bank’s online services. Attackers even took over its email servers so that the bank couldn’t contact customers and warn them not to log in.
The attackers then watched as customers logged into the fraudulent website; the fraudsters then stole those usernames and passwords, sending them to a computer in Canada while also infecting the customers’ computers with malware.
The attackers managed to subvert the bank in this way by compromising the hosting company that provided its DNS service. “That’s a well-co-ordinated attack,” says Sprickerhoff. “They duplicated infrastructure, and had it all ready to go.”
Some attacks give attackers an edge in financial markets, but may not necessarily directly hit financial services firms themselves. One example was the hacking of Associated Press’ (AP) Twitter account in April 2013. Hackers used the account to issue fake news about an attack on the White House. This sent markets plunging for a few minutes until AP corrected it, creating ample opportunity for a sneaky short trade.
Another more sophisticated attack was called FIN4. Operating since at least mid-2013, the campaign targeted senior executives at more than 100 companies using social engineering techniques to get their email credentials. Attackers watched emails for inside information about events that will move markets, particularly in health-care and pharmaceutical firms. This enabled the attackers to execute front-running trades and make a profit.
These cyberbreaches can sometimes result in hefty penalties. In October 2013, Wellesley, Mass.-based wealth-management firm GW & Wade, LLC shouldered a US$250,000 fine from the U.S. Securities and Exchange Commission (SEC) for not properly protecting client funds. The previous June, an attacker hacked a client email and used it to request that the wealth manager transfer US$290,000 to a foreign bank account.
How did the crook get away with it? The firm had violated the “custody rule” that requires investment advisors to maintain proper safeguards for client funds. Specifically, the fir had used pre-signed letters of authorization as the basis for account transfers, the SEC said.
Sprickerhoff complains that regulations north of the border are far less stringent, or punitive: “I don’t think I’ve seen anything resembling that kind of disciplinary action [in Canada].”
Nevertheless, financial services institutions that don’t properly secure their systems and educate their people run the risk of direct financial losses and potential reputational damage. Thus, companies that take cybersecurity seriously today could avoid becoming an unfortunate headline tomorrow.
Up next: What to do if you’ve been hacked.