CYBER ATTACKS ON THE FINANCIAL SECTOR – SHOULD THE CISO BE FIRED OR WELL-EQUIPPED?
The recent cyber attack on the financial sector has made media headlines, spreading waves of fear and terror among customers. It has forced investors to think seriously about the fact that in a country of 220 million people only 20+ banks are operating, with a customer base of merely 25M+, and that the security of those customers is at stake round the clock due to ongoing and emerging attacks. Banks should therefore start putting serious effort into coping with the current situation, which may otherwise worsen cases of identity theft and money laundering while giving the benefit of the doubt to culprits/hackers.
If such incidents continue, imagine the panic if everyone started withdrawing their money and piling it up at home in cash. This may lead to a national-level crisis, especially in a country that is already surviving in a bad economic condition. Now is the hour of need for banks to grow their identities from typical financial service providers into digital financial service providers/partners and to put their best efforts into protecting their customers' valuable assets, especially their personally identifiable digital information and, finally, their money.
As an industry security professional, I offer the following recommendations to overcome this state of instability.
How to Stay Safe – Financial Institutions' Security:
- Debit cards should not offer the Visa/Mastercard option by default, to reduce their attack surface, unless customers ask for it.
- Online or POS transactions should never be allowed without multiple authentication factors. For this purpose, two-factor authentication should be enabled, i.e. a combination of "what you are" at the ATM or PoS in addition to "what you have" and "what you know", e.g. debit card number, one-time PIN or fingerprint verification.
- For adults, such verification should be mandatory; for senior citizens it could be considered optional.
- Services like 3-D Secure and Verified by Visa (VBV) should be enabled to protect the end user, e.g. via USSD codes, or through insurance; Emirates NBD, for example, already uses 3-D Secure on its credit cards.
- International transactions should ONLY be enabled on a needs basis and never activated by default to win customers. A better idea would be a customer-centric self-service portal through which customers notify their bank before their international departure/arrival and activate or deactivate the service accordingly.
- Banks should run massive security awareness campaigns for their customers, utilizing all communication platforms, the same way they run SMS campaigns to promote discounted pizza and fizzy drinks on their credit cards.
- Banks should monitor security trends in real time and understand their end-to-end transaction and processing flows. A centralized platform should be established where business data analytics/intelligence (BI), security monitoring, incident response, fraud management and the NOC collaborate and produce integrated intelligence for their think tanks, presenting a clear, correlated picture of the current threat situation. For example: "Our ATMs are down or slow! Is it because of a router breakdown, a targeted financial cyber fraud, or an APT attack sucking information out to the dark web?"
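The "integrated intelligence" idea above is easiest to see as code. The following is an added example, not part of the article and not any bank's system: it takes constructed events from four feeds (ATM monitoring, NOC, fraud management, security monitoring), groups them by site, and labels each ATM degradation with the most likely cause based on what the other feeds reported at the same site within a short window. The feed names, site codes, event types and timestamps are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (not real data). Each event is
# (ISO timestamp, source feed, site, detail).
EVENTS = [
    ("2024-03-01T09:00:00", "atm",    "LHR-01", "slow_response"),
    ("2024-03-01T09:01:00", "atm",    "LHR-02", "offline"),
    ("2024-03-01T09:02:00", "noc",    "LHR-01", "wan_link_down"),
    ("2024-03-01T09:02:00", "noc",    "LHR-02", "wan_link_down"),
    ("2024-03-01T09:30:00", "atm",    "KHI-07", "offline"),
    ("2024-03-01T09:31:00", "fraud",  "KHI-07", "withdrawal_spike"),
    ("2024-03-01T10:00:00", "atm",    "ISB-03", "slow_response"),
    ("2024-03-01T10:04:00", "secmon", "ISB-03", "outbound_volume_anomaly"),
    ("2024-03-01T11:00:00", "atm",    "MUL-05", "slow_response"),
]

# Verdict labels; the routing target follows the article's list of teams.
NETWORK_OUTAGE = "network outage -> NOC"
TARGETED_FRAUD = "possible targeted fraud -> fraud management"
DATA_EXFIL = "possible data exfiltration -> incident response"
UNEXPLAINED = "unexplained degradation -> joint review"

# How close a corroborating event must be to the first ATM alert at a site.
WINDOW = timedelta(minutes=10)


def parse(event):
    """Turn the raw tuple into (datetime, source, site, detail)."""
    ts, source, site, detail = event
    return (datetime.fromisoformat(ts), source, site, detail)


def correlate(events, window=WINDOW):
    """Return {site: verdict} for every site that raised an ATM alert.

    For each site, the first ATM alert fixes the reference time; events from
    the other feeds at that site within `window` are used as corroboration,
    checked in order of the article's own examples: router breakdown,
    targeted fraud, then APT-style exfiltration.
    """
    by_site = defaultdict(list)
    for ev in sorted(parse(e) for e in events):
        by_site[ev[2]].append(ev)

    verdicts = {}
    for site, evs in by_site.items():
        atm_alerts = [e for e in evs if e[1] == "atm"]
        if not atm_alerts:
            continue  # nothing customer-visible at this site
        t0 = atm_alerts[0][0]
        nearby = {
            e[1]: e[3]
            for e in evs
            if e[1] != "atm" and abs(e[0] - t0) <= window
        }
        if nearby.get("noc") == "wan_link_down":
            verdicts[site] = NETWORK_OUTAGE
        elif nearby.get("fraud") == "withdrawal_spike":
            verdicts[site] = TARGETED_FRAUD
        elif nearby.get("secmon") == "outbound_volume_anomaly":
            verdicts[site] = DATA_EXFIL
        else:
            verdicts[site] = UNEXPLAINED
    return verdicts


if __name__ == "__main__":
    for site, verdict in sorted(correlate(EVENTS).items()):
        print(f"{site}: {verdict}")
```

The point of the example is the joining, not the rules: each feed on its own only says "link down", "ATM slow" or "withdrawals up", and only a shared platform that sees all of them can tell the router failure apart from the fraud case and hand each to the right team.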
- Banks should have their own forensic lab and skilled staff, especially in the incident response (IRT) teams.
- PCI DSS certification should not hang on the wall waiting for its renewal but should reflect real compliance and enforcement. At present it is our local dilemma that an international franchise landing in the local market eventually drops its standards to local cut-rate trends rather than bringing the local ones up to the mark.
- Focused technical cyber security audits and security testing should be conducted in addition to financial audits. Moreover, such audits should be conducted only by companies with relevant expertise in this domain; otherwise, banks end up with useless findings such as "missing log and access control reviews" in million-dollar reports presented by the Big 4 audit firms.
- CISO is a specialized role with its own job description; the position should not be misused to promote people simply because they have worked in technology for a long time.
- Firing the CISO at the time of an incident will not save face for higher management. The CISO should have relevant security expertise as well as business knowledge and enough team members, and must report directly to the Board of Directors and/or the CEO/CTO to avoid conflicts of interest with other units.
- A better idea would be to welcome international Pakistani talent for such esteemed positions, rather than merely fulfilling bureaucratic formalities to satisfy regulatory compliance clauses. Remember: if the first ever computer virus could be invented by Pakistanis, then a brilliant cyber security force can be built by Pakistan to secure its financial and strategic infrastructure.
- A National CERT at banking level should be established to explore trends in advance and enable better coordination among all banks.
- The regulator should have its own CISO and team to command and control all banks and enforce security regulations. Traditional State Bank higher management with ONLY a financial background cannot understand and enforce information security in practical terms.
- Also, similar to GDPR, regulators should enforce financial penalties on all banks in case of a cyber security breach.
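Two of the recommendations above, the "what you have / know / are" requirement on every channel and international use that is off by default until the customer opens a travel window through a self-service portal, can be expressed as a deny-by-default authorization policy. The following is an added example, not the article's or any bank's code: the factor categories, channel names, card profile fields and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set, Tuple

# Factor categories, following the article's "what you have / know / are".
HAVE, KNOW, ARE = "have", "know", "are"

# Which factor categories a channel can accept (assumption): biometrics only
# exist where there is a reader, i.e. at the ATM or POS terminal, not online.
CHANNEL_FACTORS = {
    "ATM": {HAVE, KNOW, ARE},
    "POS": {HAVE, KNOW, ARE},
    "ONLINE": {HAVE, KNOW},
}


@dataclass
class CardProfile:
    card_id: str
    home_country: str
    # None means international use is disabled (the article's default).
    travel_window: Optional[Tuple[date, date]] = None
    # The article suggests the extra factor could be optional for seniors.
    second_factor_optional: bool = False


@dataclass
class Transaction:
    card_id: str
    channel: str
    country: str
    when: date
    factors: Set[str] = field(default_factory=set)


def set_travel_window(card: CardProfile, start: date, end: date) -> None:
    """Self-service portal action: customer declares departure/arrival dates."""
    if end < start:
        raise ValueError("travel window must end after it starts")
    card.travel_window = (start, end)


def clear_travel_window(card: CardProfile) -> None:
    """Self-service portal action: customer is back, disable international use."""
    card.travel_window = None


def authorize(card: CardProfile, tx: Transaction) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; anything else is denied."""
    if tx.card_id != card.card_id:
        return False, "card mismatch"
    if tx.channel not in CHANNEL_FACTORS:
        return False, "unknown channel %s" % tx.channel

    # Rule 1: international transactions only inside a declared travel window.
    if tx.country != card.home_country:
        if card.travel_window is None:
            return False, "international use not enabled"
        start, end = card.travel_window
        if not start <= tx.when <= end:
            return False, "outside declared travel window"

    # Rule 2: the card itself ("what you have") is always required.
    accepted = tx.factors & CHANNEL_FACTORS[tx.channel]
    if HAVE not in accepted:
        return False, "card not presented"

    # Rule 3: a second accepted factor, unless the profile makes it optional.
    if len(accepted) < 2 and not card.second_factor_optional:
        return False, "second factor required on %s" % tx.channel
    return True, "authorized"


def run_demo():
    """Walk a constructed card through the cases the article describes."""
    card = CardProfile("card-demo-0001", "PK")
    d = date(2024, 3, 1)
    results = [
        authorize(card, Transaction("card-demo-0001", "POS", "PK", d, {HAVE})),
        authorize(card, Transaction("card-demo-0001", "POS", "PK", d, {HAVE, KNOW})),
        authorize(card, Transaction("card-demo-0001", "ONLINE", "PK", d, {HAVE, ARE})),
        authorize(card, Transaction("card-demo-0001", "ONLINE", "AE", d, {HAVE, KNOW})),
    ]
    set_travel_window(card, date(2024, 3, 10), date(2024, 3, 20))
    results.append(authorize(card, Transaction("card-demo-0001", "POS", "AE", date(2024, 3, 15), {HAVE, KNOW})))
    results.append(authorize(card, Transaction("card-demo-0001", "POS", "AE", date(2024, 3, 25), {HAVE, KNOW})))
    clear_travel_window(card)
    results.append(authorize(card, Transaction("card-demo-0001", "POS", "AE", date(2024, 3, 15), {HAVE, KNOW})))
    return results


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Note that the international check runs before the factor check: a correct PIN does not help if the customer never opened a travel window, which is the behaviour the article asks for when it says the service should never be activated by default.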
How to Stay Safe – Customer's Security:
Customers, always remember: your bank cards are your identity and one of your most valuable assets. If your identity is stolen, you can lose not only money but may also face legal prosecution due to misuse of your card, and may become the victim of serious consequences such as being implicated in terrorist or money laundering activities. Here are some recommendations to protect yourself from the ongoing wave of cyber attacks.
- Bank card security should be treated with the same concern you have for copies of your CNIC and their potential misuse in frauds.
- Replace your old card with a new one after some time, as there is a risk that its details have been leaked on the dark web.
- Use only secure ATMs that are not installed in isolated locations.
- For online transactions, use only banks that employ multi-factor authentication, e.g. adding a beneficiary must require a one-time PIN sent by SMS, email, etc.
- Use ONLY low-limit credit cards for online shopping.
- Avoid using your card at small merchants. Remember that your card can be copied, misused, leaked and sold by any merchant or POS staff with malicious intent.
- It is better to pay in cash at POS/merchants, especially if you would otherwise be paying by debit card and there is an ATM nearby.
- Your bank or the police will never call you to ask for your 4-digit PIN or your online banking password, or ask you to transfer money to a new account for "anti-fraud reasons".
- Never disclose your card's CVV, your four-digit ATM PIN or your passwords to anyone, including the bank or police.
- Change your ATM card PIN on a regular basis.
Stay Safe, Stay Secure!
Mehzad Sahar is a cyber security professional with 20+ years of cyber security experience who has served as CISO in key organizations.