Information security in financial systems
Banks and other institutions of the monetary system are among the most heavily targeted by hacker attacks. This forces special attention to be paid to how information security is organized in the country's financial system. The main rules and regulations governing the security characteristics built into ABS (automated banking systems) are developed and enforced by the Central Bank in its role as banking regulator.
Information security threats specific to financial systems
The World Economic Forum's Global Risks Report 2018 recognized cyber attacks as an integral part of a single underlying global technological risk.
A global trend has been identified in which computer attacks on the financial system pursue two goals:
- inflicting monetary losses on the economy as a whole;
- disrupting the integrity and continuity of the banking system.
Attacks on the banking sector account for 17% of all hacker attacks worldwide. The nature of attacks on Russian banks has changed over the past year. The main risk is now considered to be an unauthorized transfer or debit of funds from a customer's card or account, carried out either by external attackers or by insiders. According to FinCERT, the volume of funds illegally debited from the accounts of legal entities in 2018 amounted to 1.469 billion rubles; given that the same figure for 2015 was 3.7 billion rubles, this is a significant improvement in the state of information security in the banking system. By contrast, the amount lost by bank customers through unauthorized debits from bank cards was 1.384 billion rubles in 2018 versus 1.14 billion rubles in 2015.
This imbalance, where stronger security measures reduce unauthorized debits from corporate accounts while debits from the accounts of individuals keep growing, has two explanations:
- the overall growth in the number of bank cards in circulation;
- insufficient financial literacy among the population.
More dangerous still are systemic failures in the operation of a banking organization, which can slow down or halt the economic activity of its clients for an indefinite period. In this situation, the key information security risks requiring attention and mitigation are:
- losses suffered by clients of credit institutions (including citizens who use a banking service only occasionally, such as an ATM or a money-transfer system), which undermine confidence in the financial system as a whole, in modern information technology, and in the state as regulator;
- losses suffered by participants in the banking and credit market, both of their own funds and of customer funds, which can undermine their stability and lead to bankruptcy;
- disruption of the continuity of the banking service cycle, which damages the reputation of market participants and creates social tension; even a minor outage of ATMs or online banking systems is enough to cause it;
- a systemic crisis in individual sectors of the banking market, provoked by systematic and massive cyber attacks.
To judge whether hacker interference with the operations of a banking organization has become critical, IOSCO (the International Organization of Securities Commissions, which sets standards for financial market regulators) has developed criteria for the proper functioning of a system:
- the ability to restore operations and resume financial transactions within two hours after an information security incident that disrupted the system;
- every payment must be completed within a defined deadline: for example, a payment order is executed by the bank no later than the next day, and a loan payment must be credited within the terms specified in the contract; a violation of these terms through the bank's fault exposes the client to losses, which the bank must compensate.
If the information system of a credit institution meets these requirements, it is considered reliable. Banks must take information security more seriously than ordinary organizations, since they put at risk not only their own assets but also their clients' funds. This gives rise to the need for additional state regulation of compliance with information security requirements in the banking and financial system.
In addition to the funds of customers and banks, hackers may be interested in:
- personal data;
- the source code and algorithms of banking products;
- confidential information about the plans, strategies and policies of the credit institution.
These information assets are protected in accordance with the requirements of the regulators (FSTEC, FSB, Central Bank of the Russian Federation) and with the financial institution's own technologies.
The types of mass attacks on companies in the banking and credit sector differ little from attacks on companies in other sectors of the economy:
- DDoS attacks (one in four credit and financial institutions is exposed to them);
- phishing (21%);
- system intrusions (17%);
- incidents of other kinds (20%).
Core ABS (automated banking systems) are comparatively well protected, so the largest share of attacks falls on client mobile applications. Hackers often use such applications to deliver malware, including ransomware that encrypts the data on a mobile device and offers to decrypt it for a ransom. The mobile banking applications of 50 of the world's 100 largest banks are reported to contain vulnerabilities, and other front-end systems that offer mobile banking to businesses are affected as well. In recent years the largest financial institutions have been adding anti-fraud modules to their Client-Bank systems, but the risk of unauthorized transactions has not yet been fully eliminated.
In addition to classic hacker attacks, a new type of risk has emerged for financial institutions in recent years. Banking business processes themselves are vulnerable: an experienced fraudster can reconfigure the information system so as to alter the flow of a process and divert its proceeds to themselves. In banking, Business Process Compromise (BPC), as this type of fraud is called, most often takes the form of forged money transfer orders. Worldwide damage from this type of fraud already exceeds several billion dollars; for example, about $80 million was stolen from Bangladesh Bank, the country's central bank, in this way.
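As an added illustration (not code from the original page, from any bank, or from a regulator), the block below shows the kind of rule-based check that an anti-fraud module in a Client-Bank system can apply to an outgoing transfer order before it is released, including the process-integrity rule that a BPC-style forged order tends to violate: a large payment that lacks an independent second approval. The customer profile, the orders, the rule weights and the decision thresholds are all constructed for the example.

```python
"""Rule-based screening of outgoing transfer orders.

Added illustration of the checks a Client-Bank anti-fraud module applies to a
payment order before release.  Not code from any bank or regulator; customers,
orders, rule weights and thresholds are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CustomerProfile:
    customer_id: str
    known_beneficiaries: Set[str]               # accounts paid before
    recent_amounts: List[float]                 # recently approved transfers
    business_hours: Tuple[int, int] = (9, 18)   # local hours, [start, end)


@dataclass
class TransferOrder:
    order_id: str
    customer_id: str
    beneficiary: str
    amount: float
    created_at: datetime
    initiated_by: str                  # user who submitted the order
    approved_by: Optional[str] = None  # second user who approved it, if any


# Hypothetical rule weights and decision thresholds (constructed).
W_NEW_BENEFICIARY, W_AMOUNT_OUTLIER, W_OFF_HOURS, W_NO_DUAL_CONTROL = 40, 30, 15, 40
STEP_UP_AT = 30   # ask the client for out-of-band confirmation
BLOCK_AT = 70     # hold the order for manual review


def amount_ceiling(profile: CustomerProfile) -> Optional[float]:
    """Upper bound of 'normal' for this customer: mean + 3 sigma of recent
    transfers, with sigma floored at 10% of the mean so that a very regular
    payer is not flagged by tiny noise."""
    if not profile.recent_amounts:
        return None
    mu = mean(profile.recent_amounts)
    sigma = max(pstdev(profile.recent_amounts), 0.1 * mu)
    return mu + 3 * sigma


def score_order(order: TransferOrder, profile: CustomerProfile,
                dual_control_from: float) -> Tuple[int, List[str]]:
    """Return a risk score and the list of rules that fired for one order."""
    score, reasons = 0, []
    if order.beneficiary not in profile.known_beneficiaries:
        score += W_NEW_BENEFICIARY
        reasons.append("new beneficiary")
    ceiling = amount_ceiling(profile)
    if ceiling is not None and order.amount > ceiling:
        score += W_AMOUNT_OUTLIER
        reasons.append("amount far above customer baseline")
    start, end = profile.business_hours
    if not start <= order.created_at.hour < end:
        score += W_OFF_HOURS
        reasons.append("submitted outside business hours")
    # Process-integrity rule: a large order must carry an approval from a
    # second person.  A forged order that skips the approval step, or that
    # is approved by the same account that created it, is what BPC looks like.
    if order.amount >= dual_control_from and (
            order.approved_by is None or order.approved_by == order.initiated_by):
        score += W_NO_DUAL_CONTROL
        reasons.append("dual control not satisfied")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "approve"


def screen(orders: List[TransferOrder], profiles: Dict[str, CustomerProfile],
           dual_control_from: float = 1_000_000) -> Dict[str, Tuple[str, int, List[str]]]:
    """Screen a batch of orders; an order for an unknown customer is blocked."""
    results = {}
    for o in orders:
        profile = profiles.get(o.customer_id)
        if profile is None:
            results[o.order_id] = ("block", BLOCK_AT, ["unknown customer"])
            continue
        score, reasons = score_order(o, profile, dual_control_from)
        results[o.order_id] = (decide(score), score, reasons)
    return results


# Constructed sample data: one corporate customer and four orders.
PROFILES = {
    "C-001": CustomerProfile("C-001", {"ACC-100", "ACC-200"},
                             [120_000, 95_000, 130_000, 110_000, 105_000]),
}
ORDERS = [
    # routine daytime payment to a known supplier
    TransferOrder("O-1", "C-001", "ACC-100", 115_000, datetime(2019, 6, 3, 11, 0), "u1"),
    # normal amount, but to an account never paid before
    TransferOrder("O-2", "C-001", "ACC-999", 118_000, datetime(2019, 6, 3, 14, 0), "u1"),
    # night-time, new beneficiary, huge amount, no second approver
    TransferOrder("O-3", "C-001", "ACC-999", 5_000_000, datetime(2019, 6, 4, 3, 15), "u1"),
    # large but properly dual-approved payment to a known account
    TransferOrder("O-4", "C-001", "ACC-200", 2_000_000, datetime(2019, 6, 4, 10, 0), "u1", "u2"),
]


def run_example() -> Dict[str, Tuple[str, int, List[str]]]:
    return screen(ORDERS, PROFILES)


if __name__ == "__main__":
    for order_id, (decision, score, reasons) in run_example().items():
        print(f"{order_id}: {decision:8} score={score:3} {reasons}")
```

The rules are scored rather than applied as hard stops so that a single unusual attribute (a new beneficiary) leads to step-up confirmation with the client, while a combination of anomalies blocks the order. The dual-control rule is the one aimed at BPC specifically: it checks the integrity of the approval step itself, so a forged order is caught even when the credentials that submitted it are valid.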
The Central Bank as an IS regulator
The powers of the Central Bank of the Russian Federation as the regulator of banking activities, which among other things include setting information security requirements, are established by the law "On the Central Bank". It is charged with ensuring the stability of the banking and financial system, and in this capacity it has the right to issue documents setting out information security requirements that are mandatory for banks.
The Central Bank issued the foundational Regulation No. 683-P of 17 April 2019, which establishes mandatory requirements for the protection of information aimed at countering unauthorized money transfers.
In addition, over the past few years, as part of strengthening information security in the credit and financial sector:
- regulatory acts have been adopted requiring banks and financial organizations to notify the Central Bank of the Russian Federation of identified information security incidents;
- the standards STO BR BFBO-1.5-2018 on information security incident management and STO BR IBBS-1.0-2014, covering general information security issues in the financial and credit sphere, have been issued;
- clarifications on the procedure for implementing these regulations have been published.
This led to a noticeable decrease in the number of incidents. The Central Bank of the Russian Federation sets the most stringent information security requirements for the following software modules:
- a platform for remote identification in the Unified Biometric System (not least because of the processing of biometric personal data);
- the Faster Payments System (SBP);
- platforms serving marketplaces;
- the digital customer profile.
Here the regulator's requirements may be stricter than the corresponding FSTEC requirements for the protection of personal data.
In the future, it is planned to finalize requirements related to:
- the Internet of Things as a new source of threats;
- the use of artificial intelligence and Big Data;
- the use of distributed ledger technology and the resulting changes in information system architecture.
The Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere (FinCERT) has taken on a significant share of the responsibility for security in the banking sector. The organization has existed for more than four years, and in that time it has systematized the accumulated information security experience and reduced both the frequency of attacks on banks and the average damage caused by a single hacker attack. FinCERT has developed its own automated system for processing information security incidents, to which banks and non-bank credit organizations can connect.
FinCERT has the right to inspect compliance with information security requirements in the banking sector. During 122 inspections conducted in 2019, about 700 violations were identified that led, or could have led, to a computer incident and the theft of customer money.
Features of information security systems in banks
Most banks develop their own software, from core systems to mobile applications. The Central Bank of the Russian Federation proposed mandatory certification of all programs and updates, but the initiative met resistance in the financial community: banks pointed out that an update sometimes has to be released within 1-2 weeks after a bug is found in an application, and certification would delay its release by months. Today, to prevent the theft of client funds by means of computer technology, banks use the following software and technical information security measures:
- software tools to protect against internal and external fraud, including fraud in e-commerce;
- multifactor authentication of clients who use the bank's services online;
- monitoring systems for information networks and remote devices that can detect and respond to information security incidents;
- ATM protection tools that prevent unauthorized access at the physical and logical levels.
The standard software security measures prescribed by the regulators (the Central Bank of the Russian Federation, FSTEC, FSB) are selected according to the class of the system in which customers' personal data are processed. They provide the level of protection the regulator prescribes, but if a bank faces the risk of targeted attacks, the protection must be strengthened beyond that baseline.
So far there have been no hacker attacks on the Russian banking system intense enough to disrupt its normal operation. But regular outages of ATMs and online applications create tension in society and prompt an even greater focus on information security in financial systems.