Cyber security firm finds cybersecurity breaches in UK Bank and refers discoveries to the regulator when the bank did nothing to fix the problem

March 8, 2015

An ongoing issue of controversy is what happens when a white hat hacker or cyber expert finds a hole in an organisation’s cyber security and tries to bring the problem to the organisation’s attention. All too often the advice is ignored. Sometimes the hacker will then demonstrate the weakness by breaking into the system to prove what he or she has been complaining about, and that has resulted in a criminal complaint even where the motive was pure. Public Transport Victoria, for example, showed very little appreciation when a Melbourne schoolboy hacked into its site and exposed the weaknesses in its systems; the PTV reportedly made a complaint about him to the police, as reported in Hacked site reports boy to police. It is a very short-sighted approach which usually guarantees poor publicity and reputational damage. It also does little to highlight the breaches of the privacy legislation, which are a separate issue from the complaint about a data security breach.

In the UK a different approach has been taken when a cyber security gap has been found: report it to the regulator. As reported in Cyber security loophole found at bank, the cyber security firm Bronzeye found 22 vulnerabilities at an unnamed bank, including some in the payment verification system which requires the bank’s customers to enter a code delivered to their mobile phone, in addition to their regular password, to complete transactions. Bronzeye notified the bank, which did nothing. So it reported its findings, and no doubt the name of the bank, to the Financial Conduct Authority (FCA).
The article provides:

Britain’s markets watchdog, the Financial Conduct Authority, was warned last July about a loophole in the cyber security of one of Britain’s biggest banks that could give hackers unfettered access to customer accounts.

The vulnerability involves a previously unidentified weakness in the two-step verification process used by the bank, whereby customers receive changing codes by mobile phone to use alongside their regular passwords.

It is similar to the flaw in bank security systems identified last month by Kaspersky. The Russian cyber security company said it had identified more than 100 banks — mainly in eastern Europe — that had been raided by cyber criminals as a result of the vulnerability. Researchers estimated as much as $1bn could have been stolen.

In correspondence with the FCA — copies of which were seen by the Financial Times — Bronzeye, a cyber security company, said that it had identified 22 critical vulnerabilities at a large British bank, but the institution refused to engage with Bronzeye to fix them.

One of the vulnerabilities could “stop the bank in its tracks” if it were exploited successfully by hackers, the company said. The loophole allows an attacker to hijack a user’s identity and break into an institution by the front door in an exploit known as a “cross site request forgery”. The bank would find this “extremely difficult to identify”, Bronzeye told the FCA.

“Once the attack begins, identification of those who have been targeted in it may be impossible until those customers come forward to report unknown transactions,” the company said.

“The attack would circumvent the bank’s security procedures. The customer would be completely oblivious . . . the bank, for its part, would see a perfectly normal transaction.”

Other banks which use two-step verification software — a group which includes most of the biggest names on the UK high street — are likely to be vulnerable, according to the security company.

The name of the bank implicated in the case was redacted from copies of the letters shown to the Financial Times.

Bronzeye confirmed the authenticity of the letter but declined to comment on the case it detailed as it is subject to a non-disclosure agreement.

A spokesperson for the FCA said they could not comment on specific whistleblowing cases.

“The FCA is widely engaged with a large number of stakeholders on the cyber issue, and has established a large network of engagements and contacts to leverage a wide range of skills,” they said.

“We are focused on ensuring the right outcomes based on our three operational objectives. We expect firms to provide redress for consumers impacted by cyber crime, consumers should not lose out as a result of cyber crime. Management and oversight of the systemic cyber risks lie with the Bank of England and Prudential Regulation Authority supervision.”

Banks have been among the most prominent victims of cyber attacks in recent months. An attack on JPMorgan last summer compromised the personal account information of 76m households and several million businesses.

Thanks to their sheer size and their complex, layered, sometimes old IT systems, guarding banks against cyber attack is an onerous task.

The financial services industry has nevertheless been at pains to demonstrate that it is taking the issue seriously. JPMorgan has more than doubled its spending on cyber defence. In the UK, top city institutions are now among those most closely engaged with the government on improving their digital protections.

Banks are in regular contact with GCHQ, the UK’s cyber intelligence and defence agency, as well as MI5, the domestic security service, in order to share information on potential attackers and guard against damage.
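The article describes the Bronzeye finding only as a “cross site request forgery” that lets a forged transaction look, to the bank, like a perfectly normal one. The sketch below is an added example, not code from the article, from Bronzeye or from any bank, showing in general terms why a transfer endpoint that relies on the session cookie alone accepts such a request, and the two standard server-side checks (an Origin/Referer check and a session-bound anti-CSRF token) that reject it. The request shape, cookie and form field names, the origin `https://bank.example` and the session ids are all constructed for illustration.

```python
"""Cross-site request forgery (CSRF) check on a state-changing request.

Added example, not code from the article, Bronzeye or any bank. The
request/session shapes, cookie and field names and origins are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side secret used to derive per-session anti-CSRF tokens (constructed;
# a real deployment would load this from its secret store).
SERVER_SECRET = secrets.token_bytes(32)

# Only requests whose Origin/Referer is the bank's own site count as first-party.
TRUSTED_ORIGIN = "https://bank.example"  # constructed


@dataclass
class Request:
    """The parts of an HTTP POST that matter for a CSRF decision."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session; the bank embeds it in its own form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req: Request, sessions: set) -> tuple:
    """Authorise a transfer on the session cookie alone.

    A browser attaches the cookie to a cross-site POST automatically, so a
    request triggered by a third-party page passes: the bank sees a 'normal'
    transaction from a logged-in customer.
    """
    if req.cookies.get("session") not in sessions:
        return False, "no session"
    return True, "transfer accepted"


def transfer_hardened(req: Request, sessions: set) -> tuple:
    """Same authorisation plus two independent CSRF defences."""
    session_id = req.cookies.get("session")
    if session_id not in sessions:
        return False, "no session"
    # 1. Origin/Referer check: a forged request originates from another site.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not origin.startswith(TRUSTED_ORIGIN):
        return False, "rejected: cross-site origin %r" % origin
    # 2. Synchroniser token: only the bank's own page carries it, and another
    #    origin cannot read it out of that page.
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return False, "rejected: missing or invalid csrf token"
    return True, "transfer accepted"


def legitimate_request(session_id: str) -> Request:
    """Constructed POST as the bank's own transfer form would send it."""
    return Request(
        cookies={"session": session_id},
        headers={"Origin": TRUSTED_ORIGIN},
        form={"to": "GB00SAMPLE", "amount": "100.00",
              "csrf_token": issue_csrf_token(session_id)},
    )


def forged_request(session_id: str) -> Request:
    """Constructed POST as a third-party page would make the victim's browser
    send it: the cookie rides along, the token and first-party origin do not."""
    return Request(
        cookies={"session": session_id},
        headers={"Origin": "https://third-party.example"},
        form={"to": "GB00OTHER", "amount": "100.00"},
    )


if __name__ == "__main__":
    live_sessions = {"sess-1"}
    for name, req in (("legitimate", legitimate_request("sess-1")),
                      ("forged", forged_request("sess-1"))):
        print(name, "vulnerable:", transfer_vulnerable(req, live_sessions))
        print(name, "hardened:  ", transfer_hardened(req, live_sessions))
```

Run stand-alone, the forged request is accepted by `transfer_vulnerable` and rejected by `transfer_hardened`, while the legitimate one passes both. The two checks are deliberately independent: the token check is the primary control, and the origin check catches requests that omit the token entirely. Marking the session cookie `SameSite=Lax` or `Strict` is a third, browser-enforced layer. The rejection strings are what a bank would want to log, since the article's point is that a successful forgery leaves nothing unusual in the transaction record itself.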

