As the details of last week's $45 million ATM heist continue to trickle out, the financial services industry is dealing with the fallout of yet another major security breach.
While banks are often the subject of highly coordinated, sophisticated cyber attacks, this crime was fairly low tech by comparison, as the crime outfit accused of the heist allegedly hacked a credit card processor that handles transactions for prepaid MasterCard debit cards. According to federal prosecutors, the eight defendants and unnamed co-conspirators allegedly withdrew an estimated $2.4 million from nearly 3,000 ATMs in the New York City area from 3 p.m. on Feb 19 and 20, and stole $40 million total during that period.
I asked Bill Stewart, SVP and lead of Booz Allen Hamilton's financial services practice, about what this attack means for banks and how the industry can take a holistic approach to protecting against cyber attacks.
Bank Systems & Technology: What does this recent attack mean for banks, who have to combat such a wide range of differing types of cyber attacks?
Stewart: It means that banks must continue to work toward defending against the full range of threats. Even the most sophisticated adversaries typically exploit many of the lesser, well-known vulnerabilities and use low-end attacks in combination with higher-end exploitations. They do this because it typically works. Mitigating all of these issues is a difficult undertaking that requires constant focus and diligence on the part of the entire institution. Some institutions are putting in this kind of effort, but there remains room for improvement.
Bank Systems & Technology: How has the rise of technology changed cyber crime, with more people having access to advanced technology than ever before?
Stewart: Technology is making the problem much more challenging. As costs have come down, so have barriers to entry, making it easier for more adversaries to enter the game. Also, the Internet in particular is allowing information sharing among potential attackers, making it easier than ever to learn about the latest attack techniques.
Bank Systems & Technology: What can banks do that they may not be doing, or what can they do better, to protect critical systems and protect against cyber attacks?
Stewart: Banks, in general terms, are leading many other parts of the industry in their ability to defend against cyber attacks. That said, there is always room for improvement given the difficulty of the problem and the fact that an adversary needs to find only one vulnerability to get in. For these reasons, banks need to ensure that they implement holistic, risk-based programs that look beyond technology but that also consider the people and the process necessary for success. Also, because the adversaries tend to have the advantage, these banks and others need to assume that the adversaries have gotten into their networks and establish active hunt capabilities to look for and mitigate attacks.