Cyber-criminals are increasing attacks on Australian banks and using more sophisticated methods, says a report by computer giant Dell, suggesting heightened cyber-security vigilance and spending by financial institutions and the federal government is justified.
Dell SecureWorks, the IT security subsidiary of Dell, found that Australia is the third-most-targeted country from 17 examined in a report on banking “botnets”. The term, which combines the words robot and network, refers to internet-linked computers that maliciously launch repetitive tasks designed to damage information systems.
“Threats are becoming more sophisticated, incorporating emerging technologies, advanced cryptography, and resilient infrastructure to resist surveillance and disruption,” says the report, published on Friday.
Dell says 80 per cent of global attacks are on financial institutions in the United States. The United Kingdom is the next-most-targeted market, then Australia. Attacks in Asia are increasing and cyber attackers are also targeting bank customers as banking moves to mobile.
“With banks continuously moving to the mobile platform for payment and banking applications, cyber-criminals’ interest in targeting mobile banking services has increased.”
Pallav Khandhar, a senior security researcher at Dell SecureWorks, said one technique growing in popularity involves hackers attempting to lure victims to download and install malicious banking applications while the user thinks they are merely updating their bank application. “This then allows attackers to intercept banking sessions on [the] victim’s mobile, allowing them to steal banking account credentials and/or money from their victim’s account,” Mr Khandhar said.
After Commonwealth Bank of Australia’s interim results earlier this month, chief executive Ian Narev told Fairfax Media that cyber-security is a matter of national importance and the government is showing a high level of understanding about potential threats. Cyber-security should not be seen as an issue of competitive advantage, he said, and it is crucial for banks, telecommunications companies and government to work together on resilience measures.
“Now you can imagine in the same way as there people for a long period of time have unfortunately tried to break into branches, there are always going to be people who want to have a go against all sorts of institutions from a cyber perspective,” he said.
“Anybody in a big company or public institution will tell you there is an ongoing level of activity … and we watch that very carefully and make sure we are well positioned to react to that, and we are.
“That is why we are investing tens of millions of dollars in making the bank as safe as it possibly can be and that is going to be one of those categories of investment that never goes way.”
CBA and UNSW join forces
CBA has joined forces with UNSW to overhaul its cyber-security curriculum and build an education centre as part of a $1.6 million five-year partnership.
The federal’s government’s innovation statement pledged $22 million over four years for a new “cyber-security growth centre”.
Reserve Bank of Australia governor Glenn Stevens said last year “the already considerable resources devoted to IT security will grow further as awareness increases of cyber risk and its consequences.”
The Australian Prudential Regulation Authority works with banks on penetration testing, vulnerability management and wants banks to adopt a systematic approach to managing and securing operating systems and software.
In the United States, JPMorgan went public last year about attacks that resulted in one of the largest data breaches in history, which some sources blamed on Russian authorities seeking retribution for US-led sanctions.
In late 2012, intruders caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, US Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC. These were largely “distributed ‘denial of service’ attacks”, where hackers direct huge volumes of traffic onto a site until it crashes, thereby denying customers service.