“You have to foil the cyber criminals' business case”

This is the short version; the full article can be found here.

The Internet and the digital revolution have completely turned around how banks operate and consumers pay. This evolution also sheds new light on the security of our payment systems. How can we continue to guarantee safe payments every day and how do we stay ahead of cyber criminals? Tim Hermans (National Bank of Belgium), Niek De Taeye (B-Hive) and Kristof Browaeys (Internetbanking Security Febelfin) share their views on the subject.

The number of Internet fraud cases is on the rise again. How is this possible?

Kristof Browaeys (KB): “When considering the number of fraud cases in Internet and mobile banking over a longer period, you notice a cyclical pattern of highs and lows. However, fraud never quite disappears completely. Phishing has become a business in its own right. In the past, cybercriminals would send e-mails in a dismal level of Dutch, trying to lure people to poorly copied websites. Those times are over. Nowadays, criminals buy ready-made phishing kits on the black market. Any technical know-how is no longer necessary. You only need e-mail addresses and a fake website. The quality of fake e-mails and sites has increased significantly. We also notice that cybercriminals have widened their field of activity. Customers of smaller banks are now being targeted as well.”

Tim Hermans (TH): “The banks’ proper systems are now so secure that criminals must look for the weakest link. Sadly, in many cases this is unintentionally the customer. Consumer digital skills definitely play a part in that. Customers contact their bank less frequently and rely more on the Internet instead. All these factors increase chances of successful phishing.”

How can those consumer digital skills be honed?

Niek De Taeye (NDT): “People are aware that they should be careful, yet some processes are just so easy to use that before you know it, it is often too late. Consumers usually prefer speed and ease of use over security. What’s more, consumers still automatically assume a safety net is available when things go south. However, banks and regulators cannot compensate everything. Awareness needs to be raised repeatedly. Ten times, a hundred times, if necessary.”

KB: “If someone in real life were to ask you for the keys to your house because Europe had introduced a new measure for checking locks, you would realize something does not add up. But on the Internet, people do not seem to realize that their Internet banking codes are just as secret as their bank card codes.”

Next year, the Payment Service Directive II will enter into force. Third parties will be legally authorized to make payments via Internet. How does this fit in with the message to not share codes?

TH: “Third parties will indeed – at the customer’s request – be able to make payments via the current accounts of that customer. Simply sharing your codes however, will not be the case: of the hundreds of pages of text in the PSD II proposal, a sizeable section is dedicated to cybersecurity. With safety guarantees, system reliability, etc.”

KB: “The focus should particularly be placed on: ‘I have authorized someone to use those codes, but on my own initiative’. If someone tells you to enter your codes for one or other reason, you are not acting of your own initiative and you should be wary. These codes allow access to your money. They are not normally asked for on the phone or via e-mail.”

NDT: “One of the dangers of PSD II is what is now happening with big data and identity. By linking various identities (e-mail, Facebook, etc.) you can find out almost anything about a customer. If that happens with payment structures, very specifically targeted phishing attempts would be possible. Suppose, for instance, that you would be able to find out via Google whether a person is paying off a loan. This way you would be able to target the phishing attempts more specifically.”

Ease of use has already been mentioned. This is particularly crucial for smartphone apps. How do we guarantee a balance between ease of use and security?

TH: “Other than ease of use and security, there is also the cost factor. Different combinations are possible in this case: high cost and security, but low ease of use; high ease of use and cost, but low security; etc. It will be challenging to find an optimal level for those three factors, as the smartphone will be the payment medium of the future. This is already noticeable in China, a market that skipped an entire generation of payment instruments. Cards are practically non-existent over there, everyone uses mobile payment. The EU however, has the instant payments initiative, allowing users to send payment to a beneficiary within seconds.”

KB: “Up until now, mobile banking has succeeded very well in finding a balance between those three factors. Many consumers consider security only to be the bank code they use to log in or to sign transactions, but in fact a whole slew of visible and invisible measures are behind it. The figures also reflect this: it is not the app that causes mobile banking fraud, but rather the fact that the fraudsters are able to obtain the codes from the users.”

NDT: “I think two things are important. First of all: identification. The easier and more secure user identification, the lower the chances of fraud. Smartphones are better equipped for this than other instruments, especially when using biometric data. However, ease of use and user experience must remain central, otherwise you risk losing the user. Secondly: artificial intelligence and machine learning to trace and block transactions. The more this can be done in real time, the more feedback you can offer the customer. If the customer signs something fishy, you can warn him.”

What is a good approach to best the criminals?

KB: “Speed of action is one of the most important factors in stopping a phishing attack. It has a discouraging effect. If criminals sense things are heating up, they give up. You have to break their business case. But don’t fool yourself, two months later they will be ready with a new attack. It’s a game of cat and mouse.”

Is there enough consultation on the subject between various parties in Belgium?

TH: “There is a lot of coordination, especially for critical infrastructure. The existing mechanisms are regularly tested and fine-tuned. There are also specific initiatives, such as the Financial Sector Cyber Council (FSCC) that was created in Belgium and works closely with the Centre for Cybersecurity. The FSCC seeks to raise awareness, support frameworks for cybersecurity and resilience and remove legal and regulatory hurdles that hinder good initiatives. Hopefully, this will result in even more collaboration between financial infrastructures, such as red team tests at sector level.”

What is the attitude of the banks towards these red team tests or ethical hacking?

TH: “Many banks in the financial sector already do this individually, but I think it would also be interesting to set up initiatives that span the whole sector. If all institutions were to be subjected to more sophisticated attack scenarios, which insights could we gain that could help us at sector level?”

KB: “Febelfin actively shares information on and best practices for cyberattacks. We always say there is no competition in cybersecurity. Because you can bet on it: what bank X is going through today, bank Y will have on its plate tomorrow. And the lessons learned by bank X, often apply perfectly to bank Y.”

Ethical hackers who signal vulnerabilities in IT systems do not always get off scot-free. How do you feel about this?

KB: “Belgian banks have been using ethical hacking for a fairly long time. But we only work with renowned consultants who hack at our command. We do not work with hacking collectives and we also do not have a button on our website you can click so you can hack to your heart’s content, all while being legally safe. It’s still a grey area. Besides, consultants working as ethical hackers are not cheap. Eliminating the grey area would allow smaller companies to take part in ethical hacking as well.”

NDT: “With B-Hive we often work with small fintech start-ups and the first thing we tell them is to make sure your cybersecurity is top-notch. Even more so if you want to be a competitor or disruptor to the banks. You often see that those types of companies are able to grow undisturbed for a while, but eventually gain enough critical mass to catch sight of hackers. If their security is not fully fine-tuned by then, they are lost. A scale-up cannot survive such an attack.”

What added value does B-Hive aim to create within cybersecurity?

NDT: “B-Hive prioritizes a centralised approach and centralised solutions. Why not shape the landscape and decide what to cover together? The days of only having to install antivirus software and being sufficiently protected are over. Technology is moving so fast. Now, banks are combining big systems that can tackle most of the cases. In addition to these systems, they use small, very sophisticated methods to close the remaining security gaps. They can work together on that, even at international level.”

Phishing…

  • Through phishing, cybercriminals try to obtain pin codes or log-in codes for Internet banking.
  • Sometimes they ask you to send your bank card.
  • In most cases, you receive an e-mail with a link directing you to a fake website, such as a fake version of your bank's website.
  • One tip: your bank will never ask you for your codes. Do not share your codes.

What can we learn from abroad?

TH: “Penetration tests are mostly routine in every financial institution. However, developing a harmonised sector-wide approach with highly sophisticated scenarios and access to the latest knowledge is much less standard. We can learn more about this. Suppose there is an attack on the financial messaging system or the banks’ proper systems, what would be the impact on its stakeholders?”

NDT: “Israel has a cybersecurity director who reports directly to the prime minister and who is responsible for the complete end-to-end cybersecurity for the entire country, sector-wide. He keeps an eye on established technologies, but also monitors emerging technologies. For this reason, it is interesting for military cybersecurity experts to switch to the private sector. Many cybersecurity companies in Israel are founded by former Mossad staff members. The same goes for the US. In Belgium, this is more difficult, partly because we are not a military superpower and not really involved in a conflict. Nevertheless, there is something to be said for a national approach to cybersecurity.”

The Belgian Centre for Cybersecurity also reports to the prime minister.

TH: “That’s true and is proof to me that the problem and severity are really being recognized.”

Final thoughts?

TH: “We mostly talked about the dangers and risks of digitalisation, but it is mainly an opportunity. Connections between systems, faster payments, lower costs, etc. Those are positive points that would not be possible without digitalisation. The benefits far outweigh the drawbacks.”