10 October 2013

YOUR PROVIDER IS HACKED, YOU'RE ASSURED OF NO FINANCIAL LOSS. BUT ARE YOU SAFE?...

[UPDATED 20th FEBRUARY 2014] In the aftermath of the Santander and Barclays KVM hacks, @GrahamCluley kindly invited me to post my comments on his blog.
A few weeks on, I have some updates which you may find interesting…


With all this talk about cybercrime rings targeting UK banks, using social engineering techniques to install KVM (keyboard, video, mouse) devices to spy on staff and steal money and information, one has to praise the cooperation between law enforcement and the banks that led to the arrest of the criminals involved, while at the same time wondering about the wider implications of such crimes...
In both instances mentioned, the organisations affected made it very clear that no customers would suffer financial losses as a result of the crimes. This is of course no surprise: under UK law, consumers are protected from such fraudulent activity, and if money had been taken from their accounts, they would not have had to bear the losses. In the case of Barclays, it was reported that they recovered most of the money, but how much? And what else was potentially siphoned off?

Well, I have asked those very questions on a number of open forums and, as you would expect, it did generate a bit of interest. One comment that surprised me was the following one:

“Respect that there are a few unanswered questions here but let us be a bit realistic that this case would form part of a criminal investigation and any public post mortem should be undertaken after the criminals are behind bars. All the points are raised and sharing of data is key, but it is my own opinion that it would not serve to disclose information at this stage.” (sic)

My reply is that, whilst I do understand the need for secrecy whilst criminal investigations are being undertaken, this does not preclude treating affected parties (e.g. the customers) with due care and attention, and providing them with relevant and helpful advice so they can protect themselves, in the absence of any UK regulatory framework compelling breached organisations to do so…


So why should you care?

I have long been an advocate of convergence of information security, risk management and fraud (see my earlier post), but it seems that with some notable exceptions I have personally come across, this is by no means standard practice yet. The result is that these areas generally operate in silos and the real cost of fraud, or the real cost of cybercrime, can never be truly assessed.

As an example, if we look at this year’s Annual Fraud Indicator by the National Fraud Authority June 2013, Identity fraud totalled £3.3 billion in 2012 and affected 27% of the UK adult population. Furthermore, 8.8% (4.3 million) of UK adults were a victim, with those who actually lost money (2.7 million) losing an average of £1,203 each...

A very kind South Korean gentleman recently contacted me to ask why UK banks do not offer client security protection for online banking as a matter of course, as this is a regulatory requirement in South Korea. The best answer I could come up with is that whilst many banks offer something like Trusteer Rapport to their online banking clients, it is not mandatory. So why do they do it? Well, put simply, in the absence of regulation, offering the service for free to clients is cheaper than the cost of the fraud that would ensue were they not to offer it… Perhaps cynical, but I’m sure I’m not far off the mark…

The overall cost of fraud in any country should compel us to try and determine the real impact of such crimes.


Impact on the banks

In both breaches mentioned in this article, customer information was sniffed for a period of time. This means that fraudsters may have got hold of financial details (e.g. debit card details, bank account numbers, etc.). The banks may have had to re-issue payment cards to their customers, and the associated cost is not insignificant (how many cards? cost per card? etc.). In addition, how did they inform customers and how much did this cost? And how much money wasn’t recovered? 
Determining the cost of fraud is a complex matter (and indeed, organisations make substantial provisions for this), and more transparency will raise awareness.
There is also the additional concern of customer churn, and whilst some have made valiant attempts to quantify this (ref. Ponemon UK Cost of a Data Breach), real apportionment is very difficult to achieve. For bank customers specifically, switching your financial life has never been a pleasant experience. However, with the UK announcement that consumers are now able to switch bank accounts in just seven days, this may become a real risk to banks after a data breach. And for the doubters: ultimately, the customers will choose, and a recent article highlighted that 36% of UK consumers consider ID fraud their biggest risk… Banks (or any organisation handling personal details) may very well pay heed to this (especially in view of the impending EU data breach disclosure laws)…
And if this is not enough, the Financial Conduct Authority (FCA) recently issued clear guidelines on data security (Chapter 5, and specifically Box 5.2, “Five fallacies of data loss and identity fraud”), which give specific advice on key logging devices (Box 6.9), physical security (Box 6.12) and training and awareness (Box 6.2). As Consumer Credit regulation is moving from the Office of Fair Trading (OFT) to the FCA by April 2014, the FCA’s consultation document clearly sets out in Chapter 12 the proposed enforcement rules for tackling financial crime.

My take on this: whilst the FCA still very much (and rightly) focuses on Anti-Money Laundering, it plans to be tougher on protecting customer information and tackling ID Theft.

Impact on the individuals

Whilst individuals suffer no immediate financial loss in such cases, it all comes down to what was sniffed. What information did the criminals get hold of? It could have been names, email addresses, dates of birth, phone numbers, account numbers, addresses, balances, security questions and answers, etc...

Whatever was harvested by the criminals is probably as we speak sitting in underground markets, waiting to be used by criminals to commit ID Theft (e.g. apply for financial services products, launder money, courier theft, etc.), which will affect an individual’s credit rating without their knowledge. This is why by law in the US, breached organisations have to provide one year free ID Theft protection (and this would be very welcome in the UK!).
Going back to the aforementioned UK bank breaches, were consumers reassured that they will not be victims of ID Theft as a result of this crime? The matter of liability remains unclear. Let’s look at the Barclays Official Statement:
Hmm... First of all, we don’t actually know what data was taken. We only know that consumers did not suffer immediate financial losses as a result. We certainly don’t know whether they will suffer any losses in the future as a result of their identities potentially being stolen following this breach. I’ll let you decide whether consumers have been left in the dark in that respect. And for those who’d like to know how to respond efficiently in the event of such a crisis, have a look at this post...

[20th February 2014 Update] It is interesting to note that in such crisis events, aside from the potential technology implications and vulnerabilities, there are always organisational and procedural considerations... In other words, it has come to light that the Barclays KVM attack was actually facilitated by a rogue employee who allowed the criminals to install the KVMs in the first place. This brings me neatly to the fact that education and awareness is still failing in most organisations, as it seems to be driven merely by compliance and regulation... I am sure colleagues of the rogue employee would have noticed unusual behaviour, but perhaps existing processes didn’t allow for easy reporting and involvement... Only surmising, of course...

So let’s ask the following questions:
  • What information was taken?
  • What information have customers been given to help them monitor this?
  • Is there a help line?
  • What happens if a customer subsequently becomes a victim of ID Theft?
  • Who can they talk to for advice?
  • What are the processes in place?
  • Has this potential fraud been quantified?
And finally, the ICO has been at pains to deny any bias against public sector organisations, so one hopes that in both cases, the ICO was fully involved with the banks and law enforcement and that they have determined that private individuals and their PII are not at risk of, say, future ID Theft. It would be nice to know this for sure but detailed information is not forthcoming (so if anyone knows, please share...).

In the absence of advice to consumers from the banks, law enforcement and the ICO, if you think you may have been personally affected by the breaches (even if you didn’t lose any money), here are a few pointers you could follow:
  • Check whether your email account(s) have been compromised here (thanks, Troy Hunt!)
  • Change the password on your email account (and don’t reuse it elsewhere)
  • Change the password on your bank account and change your security questions
  • Use two-factor authentication on your online accounts where provided
  • Make sure your anti-virus software is up-to-date and active
  • Monitor your credit rating and credit activity regularly to make sure no one is using your identity fraudulently

After all, your digital identity is your life, so be good to yourself...
Until next time...