‘Faceless terror’ stalks SA banks — and clients
● As local banks scurry to get ahead in the digital race, increasing the digital touch points at which they engage their clients, the surface area for exposure to cybercrime in South Africa grows.
All of the big banks, which released financial results in the past month, said digitisation was a strategic priority. On average their branch networks shrank across the continent, as more clients turned to digital channels, but ATM footprints grew, according to a sector analysis report by EY.
Though the threat of a Bonnie-and-Clydestyle shootout in a bank branch may be reduced, card payment systems and ATMs continue to expose banking clients to risk.
But banks are not only vulnerable at the client interface. Secure as their systems may be, these are not impenetrable to data breaches.
In 2012, Postbank lost R42million in a three-day hacking spree, and in 2016, Standard Bank lost R300-million from its system at 1 400 ATMs in Japan, through cloned cards.
According to the Allianz Risk Barometer report, cybercrime remains the greatest risk to South African businesses in 2018.
Globally, the threat of “cyber hurricanes” has the potential to sweep through hundreds of companies in a single attack. Such attacks may not only interrupt business but pose reputational risks to companies.
But unlike natural disasters, which exhibit patterns over time, for which one can prepare, cyberattacks grow in complexity.
Data protection rules are also due to intensify. In May, the EU will enforce its General Data Protection Regulation, applying to all companies processing the data of EU citizens. If a company is found to be negligent, it may be fined about 4% of its global turnover.
In this climate it is no surprise that Ernest van Rooyen, financial services partner at EY, found cybersecurity to be one of the top three issues bank boards in South Africa were grappling with.
“I think a substantial amount of money is invested by banks to protect their systems and to assess where they may be vulnerable . . . banks run very complex and vast systems so the perimeter to defend is a very large perimeter,” Van Rooyen said.
Research by the Kaspersky Lab found the financial sector was vulnerable, with attacks on ATMs growing globally in 2017. ATM-targeting malware, with a step-by-step user guide, was being sold on the DarkNet for a few thousand dollars, said Kaspersky principal security researcher Sergey Golovanov.
To guard against this threat, local banks have joined forces to protect clients, though their individual security systems may differ. This effort is spearheaded by the South African Banking Risk Information Centre.
“The threats that the industry is faced with are aligned to global threats,” said Sabric CEO Kalyani Pillay. “The ease and speed of digital communication platforms make it possible for criminals to perpetrate their crime with anonymity.”
To try and combat this faceless terror, banks and other companies are enlisting specialists to help them prepare for the worst-case scenarios.
Craig Rosewarne, managing director at Wolfpack Information Risk, said these simulation exercises were conducted with the most senior figures in companies. “You’ve got to think evil and, I guess, do good if you want to make your defences more realistic.”
Though card and ATM fraud is prevalent, not all attacks are financially motivated. Sometimes the targeted prize is information to aid identity theft or shame companies.
In 2016, in South Africa, credit card fraud was up 13% to R374.4-million, while debit card fraud grew 3.1% to R343.5-million.
Marius de la Rey, customer channels and distribution CE at Barclays Africa, said vigilance was also required of mobile networks.
You’ve got to think evil and do good if you want to make your defences more realistic