By Eliot Beer
Recent hacker attacks against Middle Eastern banks have raised questions about the effectiveness of their online security. Eliot Beer asks if they are doing enough.
|~|security-rib200.jpg|~|Ribeiro: "I think there is more that banks could be doing to combat attacks."|~|Since the first banks appeared, thieves have tried to steal from them. However, following the rise of internet banking, criminals have had a new way to take advantage of financial institutions, especially those with poorly-executed online security.
For most banks, though, security is at the very top of the agenda for their online offerings. But with the ingenuity of hackers ever increasing, are banks in the Middle East doing enough to counter this growing threat?
Within the last few months, hackers have made concerted attempts to breach the security of at least four regional banks, including Mashreq Bank, Commercial Bank of Dubai (CBD), National Bank of Abu Dhabi (NBAD), and National Bank of Dubai (NBD). These attacks have ranged from traditional hacking, in the case of CBD, when its home page was defaced, to so-called phishing attacks against Mashreq Bank. To date, none of the reported attacks have been successful in breaching their targets’ core banking systems or stealing funds, but some security analysts speculate that banks may not disclose attacks for fear of bad publicity and loss of confidence, although this situation may now be changing.
“It’s interesting to see that we’re now in a situation where there’s quite a lot of self-disclosure by the banks on these attacks,” says Kevin Isaac, managing director of Symantec Middle East. “We sent out a letter at the start of 2005 to many banks in the region warning them of the increasing level of threats; this was not a popular move with some parties at the time.”
Isaac believes the reasons behind the apparent increase in attacks can be traced to improvements in detection systems, as well as increases in bandwidth and connectivity throughout the Middle East and an increase in hacker activity generally. As to the question of whether banks are doing enough to counter these threats, Isaac says the security surrounding banks’ core systems are now well protected, but they have a security gap when it comes to educating their end users, and working with each other to stop fraud, as well as adopting new methods of securing customer access channels.
Possible options for increased security include technologies such as two-factor authentication, one-time passwords and on-screen keyboards to prevent keystroke logging programs. Two-factor authentication involves the use of a token or other external devices, which transmit a constantly-changing code to the computer, confirming the identity of the user. This technology is becoming increasingly popular — online payments service PayPal recently announced it is to issue tokens to a large number of its customers.
Rinaldo Ribeiro, IT security manager at CBD, one of the recent victims of an attack, says banks do need to do more to secure online banking sites, including considering new security techniques such as tokens. He has recently joined CBD from Brazil, and says there is a greater willingness to cooperate among banks in the Americas, although he is still getting used to the Middle East.
“From what I have seen here so far, I think there is more that banks could be doing, to combat hacking and phishing attacks, partly just because new attacks are being created everyday and we must keep improving our security level,” says Ribeiro. “At CBD, we take security very seriously, and this is why we have changed our website hosting provider, although in fact our last provider had no involvement with our online banking service.”
Tamer Gamali, chief information security officer at National Bank of Kuwait (NBK), says the situation in the Middle East, is changing, but slowly. Formerly head of security services at KPMG Kuwait, he believes the key issue for online financial security in the region is that banks do not have enough qualified personnel who are aware of what the risks are working in their security departments.
“The upshot of this is it becomes much harder to get the necessary funding from senior management, because the threats are not identified and explained properly,” he says. “A lot of banks build security systems then leave them, and don’t consider how to mitigate against future threats. And for banks which have locally-built security applications, I think there’s a reluctance to have the source code regularly reviewed for potential weaknesses — an expensive but vital process, which a few banks, including NBK, do undertake, but most don’t.”
As regards customers and their ability to unwittingly reveal access information, Gamali sees this as an issue where banks must balance ease of use with effective security, possibly considering physical measures such as tokens or code cards instead of ever-more-complex password systems. He says a key advantage for physical security combined with passwords is the extremely low probability that both systems would be compromised at the same time, thus preventing all but personalised attacks.
Amir Rashid from eCompany in the UAE agrees that banks have to do more to deal with online attacks. The Etisalat subsidiary has introduced a number of initiatives to help tackle the growing problem, but Rashid says banks and other financial institutions are not making much use of them. eCompany administers anti-fraud schemes from both Visa and MasterCard in the UAE, which banks can opt into to help verify users online.
“At the moment, hardly any banks in the region are using these programmes, even though they have been available for some time now,” says Rashid. “I think it’s hard for banks to make a case to say they are doing enough to combat theft online when there are solutions available which they are not making use of. There is action we can take at eCompany and Etisalat, but the banks need to work with us and implement proper security and anti-fraud procedures to deal with these issues properly.”
Gamali’s opinion is that the best option for banks in the region is to work with security consultants not tied to any one vendor, to assess the weaknesses and vulnerabilities of a system effectively. The NBK security officer says this is currently a problem, due to the lack of security consultants based in the Middle East, but that ultimately it is the most effective way to ensure their customers are safe to bank online.
“As banks, we can secure our systems, but we must make sure our customers’ systems are secure, that their access channels are secure, and that it is as difficult as possible for criminals to acquire their login information,” he says. “In the end, we could say ‘use our online banking at your own risk’, but I don’t think anyone would use our system: we need to ensure security for our customers.”