With a shift in activities from the more traditional IT supports to mobile applications with instant/contactless payments, the criminal activities are shifting as well. One constant in cybercrime is change.
According to the European Commission’s Special Eurobarometer 423 on Cyber security [6] (February 2015): “Internet users in the EU remain very concerned about cybercrime. When asked how concerned they are about experiencing or being a victim of different types of cybercrime, Internet users are most likely to say they are concerned about identity theft (68%) and discovering malicious software on their device (66%). Internet users also express concern about being the victim of bank card or online banking fraud (63%)”. The Symantec report [7] of 2015 notes that real names, ID numbers, home addresses, financial information and dates of birth were among the top five types of data targeted in breaches, ranked by number of incidents, in 2014.
The EU institutions broadly recognise cybersecurity as a key priority within the European Agenda for Security [8] and within the Single Supervisory Mechanism [9]. Securing the data of its clients is one of the banks’ top priorities. For the banking sector, this is key in order to avoid undermining public confidence in payment systems and infrastructures. The same applies to public confidence in the capacity of banks to protect the data of their customers, especially now that consumers have become highly sensitive to privacy issues.
Opportunities for banks and customers
• Cybersecurity resilience is not something new for the banking sector. Its strong capacity to be resilient to cyberattacks is essentially based on the fact that banks realised at an early stage that security was fundamental for their customers and essential for delivering secure services. Based on this existing know-how, this awareness allows the banking sector to increase trust among customers in the new innovative digital services it offers.
• The banking sector benefits from an important infrastructure enabling a flow of secured information on the possible threats. Given this efficient infrastructure, banks can put in place appropriate countermeasures, and consequently, are well placed to secure the interest of their customers in the face of the global cybercrime phenomenon.
• The European Banking Federation believes in the success of public–private partnerships to fight cybercrime and to prosecute perpetrators. In 2014, it signed a Memorandum of understanding (MoU) with Europol (EC3). In this agreement, both organisations exchange information and work on awareness of specific threats to the sector.
Barriers to a successful cybersecurity system
• Criminal modi operandi are becoming more and more sophisticated (phishing techniques and the spread of a multitude of banking malware variations/permutations). In 2013 a record number of data breach cases occurred in terms of identities exposed in the sector. The banking sector needs to adapt fast and continually. This implies costly investments.
• Criminals act from countries in which judicial cooperation has traditionally been limited, and consequently it is difficult to track them down and/or gather evidence to arrest them. It is therefore critical to enforce public-private partnerships in order to set up an operational cooperation able to investigate online frauds and prevent future financial crimes. For this purpose, Europol launched in 2014 a joint cybercrime task force (J-CAT) dedicated to strengthening the fight against online crime across the world. The members share intelligence, align priorities and gather data on specific criminal themes from national repositories to propose targets for investigation. The J-CAT is trying to coordinate international investigations against major threats (with the underground fora and malware, including banking Trojans, among the top targets). Considering the risks, it is imperative to balance the need for privacy and security with new digital services according to the risk appetite.
• The current Data Protection Directive and the future General Data Protection Regulation restrict the direct sharing of Indicators of Compromise (IOCs) containing personal information between banks. The EBF would advocate a more proactive and efficient way to share incidents between banks. Organised financial industry fora which share IOCs already exist, but they could be improved by being allowed to exchange IOCs containing personal information. In addition, the EBF would like to see a one-stop-shop mechanism when a notification is requested, as currently banks have to notify several authorities in different countries at the same time. Aggregation of incidents in a single point of contact, when they occur in several countries within the EU and outside it, needs to be fast and efficient from the legal point of view.