Cyber security firm finds cybersecurity breaches in UK Bank and refers discoveries to the regulator when the bank did nothing to fix the problem
March 8, 2015
Britain’s markets watchdog, the Financial Conduct Authority, was warned last July about a loophole in the cyber security of one of Britain’s biggest banks that could give hackers unfettered access to customer accounts.
The vulnerability involves a previously unidentified weakness in the two-step verification process used by the bank, whereby customers receive changing codes by mobile phone to use alongside their regular passwords.
It is similar to the flaw in bank security systems identified last month by Kaspersky. The Russian cyber security company said it had identified more than 100 banks — mainly in eastern Europe — that had been raided by cyber criminals as a result of the vulnerability. Researchers estimated as much as $1bn could have been stolen.
One of the vulnerabilities could “stop the bank in its tracks” if it were exploited successfully by hackers, the company said. The loophole allows an attacker to hijack a user’s identity and break into an institution by the front door in an exploit known as a “cross site request forgery”. The bank would find this “extremely difficult to identify”, Bronzeye told the FCA.
“Once the attack begins, identification of those who have been targeted in it may be impossible until those customers come forward to report unknown transactions,” the company said.
“The attack would circumvent the bank’s security procedures. The customer would be completely oblivious . . . the bank, for its part, would see a perfectly normal transaction.”
Other banks which use two-step verification software — a group which includes most of the biggest names on the UK high street — are likely to be vulnerable, according to the security company.
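The point made above, that a second factor does not by itself stop a cross-site request forgery because the forged request rides the customer's already-authenticated session, can be shown in a few lines. The code below is an added illustration, not code from the article, the bank or Bronzeye; the `Session` class, the two handler names, the one-time code and the account values are assumptions constructed for it. It places a handler that relies only on the session and the second factor beside one that also requires a per-session synchronizer token, and runs a legitimate and a forged form through both.

```python
"""
Toy model: a transaction endpoint behind two-step verification, with and
without a CSRF synchronizer token. Constructed example, not the bank's code.
"""
import hmac
import secrets


class Session:
    """Server-side session for a logged-in customer (hypothetical shape)."""

    def __init__(self, user):
        self.user = user
        self.otp_verified = False  # set once two-step verification completes
        # Token is bound to the session and embedded in the bank's own forms;
        # a page on another origin cannot read it.
        self.csrf_token = secrets.token_urlsafe(32)


def verify_otp(session, submitted_code, expected_code):
    """Second step of the login: constant-time comparison of the one-time code."""
    if hmac.compare_digest(submitted_code, expected_code):
        session.otp_verified = True
    return session.otp_verified


def transfer_without_csrf_check(session, form):
    """Vulnerable: trusts any request that arrives on an OTP-verified session.
    A request forged from another site carries the session cookie, so it passes."""
    if not session.otp_verified:
        return "denied: second factor not completed"
    return f"transferred {form['amount']} to {form['to']} for {session.user}"


def transfer_with_csrf_check(session, form):
    """Hardened: additionally requires the per-session token in the form body."""
    if not session.otp_verified:
        return "denied: second factor not completed"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "denied: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to']} for {session.user}"


def demo():
    """Run one legitimate and one forged form through both handlers."""
    session = Session("alice")
    verify_otp(session, "123456", "123456")  # constructed code; login completed
    # Form rendered by the bank's own page: includes the token.
    legit = {"to": "ACC-001", "amount": "10", "csrf_token": session.csrf_token}
    # Form submitted from a third-party origin: the browser attaches the
    # session cookie, but the page could not read the token, so it is absent.
    forged = {"to": "ACC-999", "amount": "5000"}
    return {
        "vuln_legit": transfer_without_csrf_check(session, legit),
        "vuln_forged": transfer_without_csrf_check(session, forged),
        "hard_legit": transfer_with_csrf_check(session, legit),
        "hard_forged": transfer_with_csrf_check(session, forged),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the unhardened handler the forged transfer is indistinguishable from a genuine one on the server side, which is exactly the "perfectly normal transaction" the letter describes; the token check is what lets the server tell the two apart. In practice the synchronizer token is combined with `SameSite` cookie attributes and an Origin/Referer check, and rejected requests are logged so that a burst of token failures on transaction endpoints can be alerted on.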
The name of the bank implicated in the case was redacted from copies of the letters shown to the Financial Times.
Bronzeye confirmed the authenticity of the letter but declined to comment on the case it detailed as it is subject to a non-disclosure agreement.
A spokesperson for the FCA said they could not comment on specific whistleblowing cases.
“The FCA is widely engaged with a large number of stakeholders on the cyber issue, and has established a large network of engagements and contacts to leverage a wide range of skills,” they said.
“We are focused on ensuring the right outcomes based on our three operational objectives. We expect firms to provide redress for consumers impacted by cyber crime; consumers should not lose out as a result of cyber crime. Management and oversight of the systemic cyber risks lie with the Bank of England and Prudential Regulation Authority supervision.”
Banks have been among the most prominent victims of cyber attacks in recent months. An attack on JPMorgan last summer compromised the personal account information of 76m households and several million businesses.
Thanks to their sheer size and their complex, layered, sometimes old IT systems, guarding banks against cyber attack is an onerous task.
The financial services industry has nevertheless been at pains to demonstrate that it is taking the issue seriously. JPMorgan has more than doubled its spending on cyber defence. In the UK, top city institutions are now among those most closely engaged with the government on improving their digital protections.
Banks are in regular contact with GCHQ, the UK’s cyber intelligence and defence agency, as well as MI5, the domestic security service, in order to share information on potential attackers and guard against damage.