by Melvyn Morrison
Gino Thielemans has been focusing on cybercrime during the past twelve years as Head of Prudential IT Supervision at the National Bank of Belgium. Before joining the National Bank, Thielemans was an IT auditor at the CBFA. He also previously worked at the CERA Bank as Head of Internal Audit for financial markets, accounting, tax and logistics, and at KPMG as an external bank auditor.
Risk & Compliance Platform Europe: “What are the main trends and challenges that you encounter on a daily basis in your work?”
Gino Thielemans: “The success of the Internet has also resulted in an increase in cybercrime. The portrayal in a Hollywood movie of a lone hacker sitting in his hotel room is no longer reality. Nowadays, we are confronted with organized crime on a grand scale. To put this into perspective, the criminal groups that are attacking us even have their own research and development departments in addition to other departments focusing on operations, testing, and recruitment (e.g. for recruiting money mules to launder the money that they steal). So, we are being attacked by highly organized, well-established groups around the world. Moreover, these groups often collaborate via a kind of cyber underground where they provide services to each other in a kind of cyber economy. In addition, they also take control of a large number of computer networks (botnets) linked to the Internet and launch ‘denial of service’ attacks on banks and other players.
In the beginning, payment fraud focused on card skimming (i.e. copying the data on the magnetic strips of payment cards and withdrawing money abroad, etc.). However, the introduction of new technologies has helped us to tackle this kind of crime in Europe. During the past few years, the criminals have shifted their focus to other kinds of payment fraud (e.g. linked to online shopping, online payments, and e-banking). Whilst e-banking fraud is on the rise in Europe, Belgium is having more success in combatting this, compared with its neighbouring countries. The criminals used to focus on easy money via the obvious kinds of fraud (e.g. payment fraud and e-banking fraud), but they are now starting to make money by stealing confidential or sensitive data. They then sell this data to another group of criminals who misuse it by trying to withdraw money or make fraudulent payments.
For example, a few years ago, a lot of customer data was stolen from one bank in Asia and this bank was subsequently blackmailed. It was told that if it did not pay money into an account on an island with palm trees, the customer data would be published on a daily basis. During the past year, I am personally aware of two other cases of blackmail relating to the theft of confidential data. Although this problem still remains very limited, it is definitely something to keep under review. The theft of data relating to intellectual property is also on the rise.
Hacking is yet another worrying trend that constantly crops up in the news. The number of attacks on financial institutions is steadily increasing. The days of a bank robber walking into a bank with a gun, are long gone. Nowadays, hackers try to break into the inner workings of the bank in order to commit ‘modern-day bank robberies’. Moreover, the attacks are becoming more and more targeted. Instead of criminals launching malware (malicious software) on the Internet, and waiting to see what ‘the catch of the day’ is, we now see the emergence of malware that is designed to only attack specific targets. The popularity of social media, e.g. Facebook and Linked In, just to name a few, is providing criminals with an easier route for obtaining targeted information. For example, you can look on Facebook or on Linked In and find the names of members of staff and system administrators working at the companies you want to attack, so that you can send them an e-mail that is infected with malware, and gain access to the inner workings of the company via these people.
One of the obvious challenges that I face on a daily basis is the innovation taking place in the payments market. You can read in the press about the many new technologies and solutions such as the bitcoin, contactless payments, mobile payments, e-money, etc., that are currently being offered on the payments market. Although these new solutions are modern and trendy, in my opinion, they are sometimes evolving too quickly. Whilst they are usually reasonably robust and secure, regulators sometimes have to intervene in order to make sure that a minimum level of security is embedded within them. So it is sometimes difficult to define the right balance between the user experience and the required level of security. Although we could design a ‘bullet-proof’ solution, this would be self-defeating if nobody was prepared to use it.
In terms of social engineering, the NBB is responsible for setting the security standards for e-banking in Belgium. Our excellent working relationship with the Belgian banking industry has enabled us to jointly suppress e-banking fraud to a very low level (Belgium and Singapore are the countries with the lowest levels worldwide). However, after you have implemented technical refinements, you should not just sit back and think that this is the end of the story. After presenting the users with a splendid new device to make their e-banking secure, they still have to understand how to use it. So users can sometimes be the weakest link in the chain. More specifically, the type of fraud that we have recently been encountering is not aimed at our technical security refinements which remain intact, but focuses on the human element, i.e. the user. For example, criminals send bogus e-mails to customers pretending that they are the bank, or mislead the customers by phoning them at home (via ‘phishing’ campaigns) in an effort to obtain details from the customers. So it is also important to ensure that the users fully understand what they are doing.
Since we all want to use the latest technologies, our banks are working hard to keep their IT systems secure. The big walls (the perimeter) that we build around our systems to keep them secure are increasingly under pressure. We now expect to be able to gain access to our banks from anywhere, and we want to do this using our new devices such as i-phones, i-pads or mobile phones that are not under the control of the bank. Furthermore, since banks often use outsourcing as a means to reduce their cost base, IT systems are no longer at one location and are also less centrally managed. This means that we can no longer just build a high wall around our systems to keep the bad guys out. We need to completely rethink our security strategy, not so much in relation to perimeter security, but more in relation to the security of our internal IT systems, and indeed, the in-depth security throughout our entire IT infrastructure, in order to optimally enable different solutions to be used at different locations. We also need to be extremely well-organized in order to keep pace with the attackers. Several measures have already been implemented in Belgium to address these challenges. Since Belgium is a small country, the key people know each other, so we can benefit from the excellent co-operation and exchange of information between the regulators and the industry. This has helped us a lot. In addition, I am part of a working group at the ECB that reviews payment security, and we already have a crisis escalation procedure in place so that if things go seriously wrong in Belgium, we can inform the public.”
Risk & Compliance Platform Europe: “What can we do better in the future?”
Gino Thieleman: “One of the first things we should do is to get rid of the magnetic strip because this has caused so many problems in the past. We also need to emphasize that international co-operation is crucial, so that we can be just as well organized as the criminal groups. We should no longer think in terms of one security solution: we need to adopt a more holistic view of security that must be implemented throughout the entire transaction chain, where every component plays its part towards enhancing security. However, we will never have optimal security as long as the devices that we use to make payment transactions and to access our systems remain very vulnerable. We continue to debug the software that we use, and to plug security loopholes. Although the technologies we are presently using are very trendy, they are not always secure enough. A real challenge for the future will be for the solution providers to make sure that whatever they offer us as solutions is equipped with a decent level of security, preferably from the outset.”
Photo : Pol Leemans
