National Post

FINANCIAL HACKING FEARS GO BEYOND BIG BANKS.

- Barbara Shecter, Financial Post, bshecter@nationalpost.com, Twitter.com/BatPost

TORONTO • A director of an international bank took concerns about cyber crime into his own hands recently, hiring a specialized team to covertly breach his own company’s network.

The attackers used a so-called “spear phishing” technique, baiting the bank’s employees to open an email that appeared to come from someone they knew. If they did — and clicked on the attachment — their computers were infected with malicious software, which then spread to other computers in the network. Once they were in, the expert hackers revealed themselves to the bank’s management, who they then graded on their ability to track down the infiltrators and thwart unauthorized money transfers.

“Once we … gave them hints, it took more time than it should have to find us,” says Robert Masse, a partner at Deloitte in Montreal who runs the consultant’s Canadian incident response practice, which runs such infiltration exercises for financial companies around the world.

Masse, who agreed to discuss only non-Canadian cases because he didn’t want to risk disclosing information that could identify a client in the small domestic market, said he was not surprised the international bank was not up to snuff.

“Unless you have gone through this exercise before, almost everyone is in the same boat.”

For the Canadian financial industry, the stakes in the cyber-security game are enormous. Bay Street banks and wealth management firms have access to some of the most sensitive data in the country, and access to millions of dollars in savings and investments, which makes them a natural target for hackers.

“The closer you get to the money, the more of a target you are to cyber criminals,” says David Mohajer, chief executive of cyber security firm Xahive.

But while much has been made of attacks on major firms such as JP Morgan and Sony — and government agencies, such as the $81 million heist from Bangladesh’s central bank in February — experts in the industry point to a different vulnerability: smaller firms that don’t think they are of interest to hackers, and don’t have the budgets to handle the growing cost of cyber security.

“They think they’re safe, so they’re not safe,” says Mohajer, who took a hard look at small and medium-sized firms across all industries for a Conference Board of Canada webinar in July. He and other experts in the field say smaller firms are often specific targets in the financial world because of the interconnectedness of the system: banks doing business with other banks, from trading to money transfers.

Research from global technology company Symantec suggests smaller companies are the victims in the majority of targeted cyber attacks, at 60 per cent. But these firms are less likely to have the budgets needed to hire cyber security experts or to buy insurance to cover them in the event of an attack.

The cost of protecting online data and financial services systems is large, and growing. PricewaterhouseCoopers pegged U.S. spending alone at around US$4 billion in 2014, a figure projected to climb to US$6 billion this year, based on a survey of more than 750 banks, insurers, and other financial services companies.

In January, the consultancy said investment by Canadian companies in safeguards against cyber security threats had increased by 82 per cent year-over-year, but still accounts for less than five per cent of overall information technology (IT) spending.

Michael Calce, a reformed hacker who gained worldwide notoriety 15 years ago as Mafiaboy, the Montreal teenager who brought down websites including Amazon, eBay and Yahoo, says he has seen evidence of the vulnerability of Bay Street’s small to medium-sized firms firsthand.

His company, Optimal Secure, was recently hired by a handful of firms with between 80 and 300 employees to conduct vulnerability and penetration testing.

Calce says he was able to “crack” the data security and access the networks of all the firms, often within an hour or two.

“Each time, I would find several methods into the company and this seems very alarming to me... Across the board, it was pretty easy,” he said.

In some instances, the vulnerability was as basic as the firms not using up-to-date security software or firewalls.

“It should take me more than half an hour, an hour, to get into your company,” Calce said. “That wasn’t the case.”

Like Deloitte’s Masse, Calce was reluctant to disclose names or details of incidents involving Canadian financial institutions, citing the small size of the market and fear of identifying a client.

When it comes to Canada’s biggest banks, they are “as prepared as anybody for the known threats,” says Richard Nesbitt, chief executive of the Toronto-based Global Risk Institute for Financial Services.

The large institutions cooperate with each other and work with telecom firms to fight off frequent attempts to breach their electronic systems, Nesbitt says. But the real challenge is that the threats are constantly evolving, and he, too, is concerned about the smaller firms.

“I worry more about the financial companies who aren’t the big banks — who aren’t at that level yet,” said Nesbitt, a former banker who rose to the position of chief operating officer at Canadian Imperial Bank of Commerce.

“It’s a chess game of move, countermove, move, countermove... This is an arms race.”

The head of the Investment Industry Association of Canada raised the alarm about cyber crime last year, acknowledging that many Bay Street firms weren’t as prepared as they should be.

“Our focus, really, is making sure our small and medium sized (dealers) are secure,” says Susan Copland, managing director of the IIAC. “Because a breach at one firm affects everybody, not just through reputation but through the interconnections of the system.”

A July report from Symantec said Canada ranks among the top 10 countries targeted by ransomware attacks, a popular tactic of cyber criminals that was on public display this summer when the University of Calgary’s network was infiltrated. The hackers installed malicious software known as ransomware that froze the university’s network, and demanded payment to restore access. The school paid $20,000. The Symantec report also said a Canadian bank, which was not identified, was among the top 20 targets of so-called Trojan attacks. And a 2015 report from Heimdal Security said 15 Canadian banks were targeted by a malware campaign aimed at accessing client login information during online sessions.

In another case, referenced in a white paper published last year by Xahive, hackers reportedly attempted to lure customers of international banks including Bank of Montreal, Royal Bank of Canada, and National Bank of Canada to fake websites.

Those who track online offences and attacks say it is impossible to get a complete picture of the vulnerabilities in Canada because financial institutions are unlikely to reveal hacks unless they are forced to do so.

“Many organizations tend to take security seriously only when they have been hit by a cyber event or if they are required by regulation to have a certain level of preparedness,” says Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada.

Canada’s main bank regulator, the Office of the Superintendent of Financial Institutions, and the Investment Industry Regulatory Organization of Canada, which polices investment dealers, don’t specifically require reporting through legislation or regulation.

They say serious breaches should be reported, however, under the broad expectation that financial institutions report any event that has the potential to materially affect their safety, soundness, capital or viability.

Over the past year and a half, Canadian financial institutions have voluntarily reported “frequent” attempts to breach their systems, according to OSFI, including infiltration tactics such as phishing, where the hacker tries to trick users into disclosing log-in credentials, and distributed denial of service (DDoS) attacks, in which a flood of messages generated by a hacker jams an online service so legitimate users are unable to access it.

“None have been successful,” OSFI spokesperson Sylviane Desparois told the Financial Post in an emailed statement.

In some cases, the financial services firms may be unknowingly inviting the very attacks they must then thwart, says Calce.

Publicizing names, email addresses and detailed job descriptions of teams of employees on company websites makes it easy for hackers to employ a favourite technique called social engineering. Calce said the information is exploited by hackers to link employees who would frequently email one another in order to trick them into opening attachments with malicious software.

“I can craft a very nice email to you based on who you’re connected with … and the second you click that link, you’re screwed,” says the reformed hacker. “I have full access to their network and basically I can do whatever I want at that point.”

Regulators in the United States are trying to hold companies responsible for lapses in cyber security that put internal client information at risk of exposure by fining them. Regulators in the European Union are planning similar measures beginning in 2018.

For the moment, Canadian regulators are making their expectations known, but are leaving vigilance largely in the hands of the financial institutions.

“We don’t have mandatory requirements for reporting we do expect our dealers to reach out to us as a normal course if there was a serious breach that affected any area of their operations that we should be concerned about,” says Wendy Rudd, senior vice-president of regulation at the Investment Industry Regulatory Organization of Canada.

The broker-dealers that report to IIROC, which range from the capital markets divisions of the country’s biggest banks to small independents, have not reported any serious breaches to date, she said.

But more information could become known as the regulator sifts through the results of mandatory self-assessments circulated earlier this year. The plan is to give each firm a “report card” from IIROC that spells out how they compare to peers in terms of preparedness and responses to cyber threats.

“The self-assessments are being reviewed and will help determine at a high level the current state of preparedness of the investment firms we regulate,” Rudd said this week.

Calce says he believes Canadian financial institutions have benefitted from luck rather than preparedness when it comes to avoiding headline-grabbing hacks, based on what he has seen.

“I’ve been doing quite a lot of work in Toronto, and the results are really quite alarming,” the reformed hacker said. “It’s like the budgeting is focused elsewhere, and they’re solely relying on a very small IT department, or even if it’s a large one, it doesn’t seem like their main focus is on security.”

TIM FRASER FOR NATIONAL POST: Michael Calce, a reformed hacker who gained worldwide notoriety 15 years ago as Mafiaboy, the Montreal teenager who brought down websites including Amazon, eBay and Yahoo, says he has seen evidence of the vulnerability of Bay Street’s small to...