In September 2012, six major American banks came under attack by hackers, and customers could not gain access to their accounts or pay bills online. The attacks did not affect customer bank accounts, but the rash of so-called distributed denial-of-service, or DDoS, attacks such as these against major financial institutions has forced them to step up their game in combating such threats.
DDoS attacks are becoming more frequent and sophisticated, according to the 2013 annual report of the Financial Stability Oversight Council. The council and cybersecurity experts have outlined a number of ways the financial services industry can mitigate the risk. They also say consumers need to be better educated about cybersecurity.
Danny Miller, national practice leader for cybersecurity and privacy at Grant Thornton LLP, worries that at some point, cyberattackers will begin to disrupt the ability of targeted banks to conduct business.
“They don’t really have to shut down a bank’s website for a long period of time,” Miller says. “What they could do — and what it appears their strategy is — is to do it using guerrilla tactics. In other words, they’re doing small, concentrated attacks that make it look to the rest of the world that the banks are not able to control their infrastructure and protect themselves.”
Miller says hackers have developed sneakier methods for doing their worst damage. For example, they’ll use insiders to steal information from one department at a bank while security experts are distracted by a cyberattack on another department.
Individual consumers and investors add to the problem with risky behavior such as accessing their personal banking information via unsecured Wi-Fi connections and inadvertently leaving clues about their passwords — think birthdays and pet names — on social media sites, says Jerry Irvine, a member of the National Cyber Security Task Force.
A joint effort of the Department of Homeland Security and the U.S. Chamber of Commerce, the task force involves members of the public and private sectors sharing information about security risks and prevention strategies, says Irvine, who is chief information officer of Prescient Solutions, an information technology outsourcing firm in the Chicago area.
The Financial Stability Oversight Council report encourages these types of public-private partnerships, along with better cooperation with the banking sector and 15 other industries to help decrease cyberthreats.
Cybersecurity legislation needed
In his May 2013 testimony before the Senate Committee on Banking, Housing and Urban Affairs, Treasury Secretary Jacob Lew called for a bipartisan effort to pass comprehensive cybersecurity legislation that would enhance the sharing of information among banks.
Todd McClelland, an attorney with Alston & Bird LLP in Atlanta, advises financial institutions, retailers, payment processors and other clients on information security issues. His firm represents several clients who have a stake in proposed cybersecurity legislation.
“It seems that there’s always some bill pending in front of Congress legislating additional cybersecurity standards, additional risk assessments or the like,” McClelland says.
A February 2013 presidential executive order tasked the National Institute of Standards and Technology — an agency of the U.S. Department of Commerce — with producing a new framework to improve cybersecurity for the nation’s critical infrastructure. One of the agency’s goals is to standardize the measures financial institutions use to control cybersecurity risks. NIST aims to have the final framework of guidelines ready to roll out by February 2014.
Miller says each bank needs to first identify its most important information and then focus on securing that information from both external and internal threats. As a consultant, Miller advises banks to securely delete any customer information they don’t need to store, while tailoring their security policies to fit each category of data they decide to keep.
As for consumers, Miller says, “If you don’t need to share information … don’t.”
Make sure you understand how the financial institution is using your information, who it is sharing it with and how long it plans to keep it in its database, Miller says. And if you’re able to opt out of having your information stored, you should.
“The longer they keep it, the more likely it is going to be stolen and exposed,” Miller says.
Irvine adds these tips:
- Use a complex password of 10 or more characters. It should mix uppercase and lowercase letters, numbers and special characters.
- Be wise about selecting and answering security questions. If a site asks for your mother’s maiden name, which a hacker might easily discover by checking out your Facebook page, use another one. Pick someone you haven’t seen since elementary school. You can lie on your security questions — just remember them.
- Don’t create the same password for all of the sites you need to access.
“If you use the same password on Facebook and LinkedIn and other social networking sites and then you use it on your banking site, you might as well just be taking the money out and giving it to the hackers yourself,” Irvine says.