But Oerting, with no small dose of grudging admiration, says his adversaries excel at something that can’t be addressed with deep pockets or killer software: They’re superb networkers. “The organized crime groups in cyber are sharing much better than we are at the moment,” says Oerting, a Dane with a square jaw and the watchful eyes of a cop who’s investigated the underworld for 35 years. “They are sharing methodologies, knowledge, tools, practices—what works and what doesn’t.”
Now he and his counterparts at other big banks are doing some networking of their own. Oerting, who led the European Cybercrime Centre in The Hague before joining Barclays in 2015, has assigned some of his people to join allies from four other big U.K. banks at an operations center in London’s Canary Wharf complex. They sit side by side with police officers from the U.K. National Cyber Crime Unit.
The idea is that this industry-government “fusion cell,” the Cyber Defense Alliance, will let the sleuths swap tips, techniques, and hunches the same way the bad guys do. “To do this right, you need to have trust,” Oerting says. “If I give information to another bank about my breaches, I don’t want to see this on the front page of the newspaper the next day.”
The effort, the first of its kind in the U.K., mirrors a similar initiative in the U.S. called the National Cyber-Forensics and Training Alliance, a nonprofit in Pittsburgh that brings together academics, corporate security executives, intelligence operatives, and law enforcement officials. Barclays has also installed an analyst at Interpol’s cyber investigations unit in Singapore.
Joining forces marks a big change for institutions long reluctant to share information about their IT systems, let alone how they’re compromised. They’ve decided they better reboot that mindset fast if they want to counter the online onslaught assailing their walls. In the second quarter of this year, cybercriminals tried to inject more than 1 million malware programs into financial companies worldwide, a 50 percent jump from the same period in 2015, according to Kaspersky Lab, a global cybersecurity company.
JPMorgan Chase, HSBC, and the Federal Reserve Bank of New York have all been cyberjacked in some way in the past couple of years. So has Swift, the cross-border payments messaging network that constitutes the global economy’s circulatory system. No surprise, then, that banks are throwing a lot of treasure at the problem. JPMorgan Chief Executive Officer Jamie Dimon said in September that he expected the bank’s $600 million annual outlay on IT security to soar to $1 billion in the next few years.
Yet cyberthieves are getting wilier by the day. In so-called man-in-the-middle attacks, they pretend to be trusted organizations to trick targets into sending them money or data. That happened in February when unidentified fraudsters sent fake Swift messages to the New York Fed, directing it to wire almost $1 billion from the accounts of Bangladesh’s central bank to accounts they controlled. The fraudsters got away with $81 million before the authorities caught on. As many as a dozen other lenders may have been similarly targeted.
A rapidly escalating scheme is “ransomware,” where criminals use viruses to seize virtual control of a company’s computers and refuse to release them until they’re paid off, invariably in bitcoin. Then there are “whaling attacks.” By using sophisticated e-mails that pretend to be from a trusted friend or institution, frauds trick top corporate executives into divulging personal details. Thieves can then impersonate the execs and direct subordinates to transfer company funds to their own accounts.
Even projects that bankers believe are top secret turn out to be far from it. A major U.S. lender recently learned that a supposedly unknown prototype for its new online portal had become a hot topic in a chat room used by criminals. Hackers were already testing malware on the site, says Alastair Paterson, the CEO and co-founder of Digital Shadows, the cyberdefense company that uncovered the scheme.
Many of the instruments in such skulduggery are free or for sale on the web. Password-cracking programs with names such as Hashcat and Medusa have become staples of the digital toolkit. Thanks to bitcoin, it’s easy to buy more sophisticated penetration code and even ready-made hacks on the dark web, the subterranean layer of the internet untouched by conventional search engines.
Cyber attacks are becoming even more spectacular. In September, Yahoo! disclosed that hackers had stolen the names, passwords, birth dates, and other personal data of more than 500 million users. Governments, organized crime gangs, and hacktivists have never been better equipped to damage a bank’s most valuable asset: its reputation.
Financial companies are responding by dispatching their personnel to learn the dark arts of the digital world and share their knowledge with colleagues. On a recent morning, about a dozen men and women are tapping on computers in a training center near Cambridge, England, as part of an “ethical hacking” course taught by 7Safe, a British cybersecurity company. The pupils, a mix of corporate IT guys in jeans and polo shirts and hoodie-clad coders from a “white hat” collective called Hacker House, are working through a series of penetration tests on a fictional entity dubbed BeSureBank.
One of the trainees, a young would-be cyberconsultant, is using a tool called Metasploit to expose BeSureBank’s IT specs in a process called enumeration. In minutes she’s scrolling through a catalog of the bank’s databases, ports, operating software, and, best of all, the usernames for all the accounts on the network. Next she starts cracking the passwords for those accounts by employing John the Ripper, an open source program that computes character combinations until it finds a match.
Soon enough she’s logging in to the system with the administrator’s password. The consultant surveils another user’s keystrokes in real time and figures it could be a senior executive at BeSureBank accessing a sensitive database. “I’m sniffing the keystrokes,” she says to herself. “So that’s cool.”
The lesson concludes when all the trainees launch a “payload,” or virus, into BeSureBank’s system and take it down in a simulated DDoS attack, or distributed denial of service. In the real world, this type of assault mobilizes networks of hijacked computers called botnets to overwhelm the target. Such operations are on the rise in finance. On the morning of Jan. 29, a payday for many employees, unidentified hackers launched a DDoS attack on HSBC’s U.K. site and took it offline for a few hours until the bank could repel the incursion.
During a break in the class, a couple of corporate security directors grumble that their jobs aren’t getting any easier when so much data is flying out the door of their companies. It’s an important point. Every day employees at any number of companies take their work home with them on laptops, smartphones, and tablets. They log in to their banks’ networks from trains, conferences, airport lounges. So, too, do customers and myriad fintech startups that are increasingly augmenting banking services with innovative offerings of their own. In January 2018 a European Union law, Payment Services Directive 2, will require lenders to let outside companies access their customers’ accounts and connect their applications to the banks’ own systems.
Banks, in other words, will start to look less like isolated fortresses and more like open-border platforms hosting numerous apps and services, like Google’s Android system. While digitization may be the future, it poses a major security migraine. “Every time there is a new app or a new channel opened, that provides criminal opportunities,” says Jamie Saunders, the director of the U.K. National Cyber Crime Unit. “Banks are taking enormous care to design security into their apps, but as the technology evolves, the criminal will evolve, too, and vulnerabilities will open up.”
By then, Oerting plans to be drawing strength from his networking push and the next generation of cyberdefenses. He helps select and mentor promising startups in the accelerators that Barclays runs in Tel Aviv, London, and other cities. He’s championed Post-Quantum, a startup that recently went through the bank’s U.K. accelerator program. Post-Quantum’s military-grade encryption for instant messaging, which has been tested by NATO, is being eyed for deployment to top Barclays bankers. The company also protects digital documents by splitting the “master keys” needed to unlock files into pieces and distributing the code to different keepers. That way, “when a hacker comes in, there’s nothing to hack,” says Andersen Cheng, Post-Quantum’s CEO and the former chief operating officer of Carlyle Group’s European venture fund.
For all the whiz-bang technology and talent at Oerting’s disposal, he’s still paranoid something terrible might happen now that we’ve entered the age of the spectacular attack; just look at how Russian hackers reportedly made off with e-mails from the Democratic National Committee during the U.S. presidential primaries. “My nightmare is to wake up one morning and realize we’ve lost data for millions of credit cards, or a huge amount of money, or in-boxes of e-mails for top executives,” Oerting says. “There is no such thing as absolute security.” At least by working together, the banks hope they’ll be in a better position to improve their odds.
© 2016 Bloomberg L.P
