Wednesday, 25 January 2012

Banks Unite to Battle Online Theft

This month, security officials from Wall Street financial firms, including Morgan Stanley and Goldman Sachs Group Inc., are expected to meet with researchers from the Polytechnic Institute of New York University to discuss the creation of a new type of center that would sift through mountains of bank data to detect potential attacks, people familiar with the situation said.
At the same time, Bank of America Corp. has begun hosting experts from other major banks at quarterly informal roundtables, in which the rivals try to devise solutions to cybersecurity threats, according to other people.
Both initiatives are designed to encourage banks to work together to better protect against hackers, whose efforts to shut down electronic operations and steal money or customer data pose a growing concern for the industry. Sony Corp., the Central Intelligence Agency and Citigroup Inc. are just a few of the firms that cyber-rogues have targeted over the past year.
Online attacks have increased sharply over the past two years and financial institutions are among the most likely targets, according to a new survey by PricewaterhouseCoopers LLP, the consulting firm. Avivah Litan, an analyst with Gartner Research, expects financial companies to increase spending on fraud detection and customer authentication systems by as much as 12%, to $1 billion, over the next two years — a record.
While many bank officials agree with the information-sharing in principle, some are concerned that doing so could provide rivals with too much insight into their operations.
At the NYU-Poly meeting, for instance, some bank officials are expected to make the case that banks should scour their own data internally, rather than provide information to outside researchers, people familiar with the matter said.
Representatives for Morgan Stanley and Goldman Sachs declined to comment.
"The mentality of the banks has been, 'Let's do everything internally because we don't want to give anything away,' " said Peyman Mestchian, a managing partner with Chartis Research in London.
But hackers are forcing banks to abandon that old go-it-alone mindset in favor of a more-inclusive approach, executives said.
"We realized that just as the fraudsters collaborate with each other, we as an industry must collaborate," said Keith Gordon, a Bank of America senior vice president of security.
A graphic example of just how vulnerable banks are to hackers occurred in 2010, when security experts from major financial firms gathered in San Francisco for a conference.
As panel after panel discussed cyber threats and how to guard against them, hackers carried out a real-life attack. Using what has come to be known as the Zeus Trojan — a type of software that infects computers and covertly tracks keystrokes to steal personal data — thieves penetrated bank computer firewalls and stole millions of dollars from their customers.
The security experts attending the conference emailed each other furiously on their BlackBerrys and agreed to meet in person to discuss the threat, according to a person who was there.
"That was the first time I remember people feeling open to talking about these threats," this person said.
At the most-recent meeting hosted by Bank of America in late summer at its New York offices, executives discussed a type of online espionage that involves a long-term pattern of persistent hacking attempts known as "advanced persistent threats."
That approach figured in recent hacks against RSA, a unit of EMC Corp., and Sony and is considered by most professionals to be the leading cybersecurity threat of the day. Bank of America declined to comment.
Banks also are working with Internet service providers in new ways to better authenticate email traffic to prevent hackers from impersonating employees and gaining access to customer data. Rather than forcing the ISPs to make an educated guess about which emails to let through, banks have started providing them with data that helps them better verify the messages, according to Kelly Wanser, whose company eCert Inc. acts as a clearing house for such data.
Sharing might be discouraged in other parts of banking, because of possible antitrust implications.
But the practice has been mandated in the world of cybersecurity since 1998, when President Bill Clinton issued an order requiring the public and private sectors to work together to protect critical infrastructure such as the financial system.
In response to that order, financial firms created an industry group called the Financial Services Information Sharing and Analysis Center to encourage banks to work together. Still, it is only recently that banks have begun to lift the veil.
