Cisco UK & Ireland Blog

The Bonnie and Clyde tactics are over: Why banks have been told to “Raise their Security game now”

October 7, 2016

If you wanted to rob a bank at the start of the 21st century, you could expect to haul in around £20,000 in a single take. Hardly an insignificant sum, but instead of being able to splash out on a yacht in Lake Como, your budget would be better suited to a Ford Mondeo on the M25 (with seat warmers though).

A bit of moderate living for six months, and you’d need to be thinking about plotting your next heist.  Robbing a bank could hardly be called early retirement planning for the population lacking morals.

In an era of impressive looking vaults, ‘dye packs’ (small radio-controlled explosive devices hidden inside the money) and, the underlying problem, a lack of physical cash kept on premise, robbing a bank was often the last thing on the mind of a criminal who wanted to make money fast.

And the truth is, even in bank robbing’s heyday of the early 20th century, Bonnie and Clyde’s crimes never made them rich.  Despite folklore turning them into anti-establishment conquerors, history’s star crossed gangsters preferred the petrol station and corner shop approach rather than banks; mostly scarpering away with between £5-10.

At least the cinema going audience has consistently shown high levels of appreciation for heists with million pound payloads, carried out by characters with immensely chiseled jaws that you couldn’t help but root for.  But there’s a reason why the fun was in the actual heist, not the spending spree afterwards…and it’s because there often wasn’t much spending to be done.

Cut to August 2016, and Reuters have issued the following warning to every bank and financial institution in the world:

“Raise your Security game now.”

The reason?  There has been a seismic shift in the way bank robberies are planned and orchestrated, and the exponential rewards on offer for the perpetrators.

For example, in March 2016 there was a partially successful, but hugely sophisticated cyber attack campaign against a bank in Bangladesh.  The crooks never had to step foot in Bangladesh, as the majority of the heist was carried out remotely. In the end $81m was successfully stolen, from an initial target of $951m.

The reason that target was missed was due to one of biggest weapons against any cyber criminal: the ability to spot a typo. One of the places the thieves were trying to send money to, the ‘Shalika Foundation’, was spelled “Shalika Fandation”.  This raised an alarm that stopped the rest of the transactions going through…Brings a whole new significance to the term ‘Grammar Police’ doesn’t it?

The official warning however, is that this is going happen to banks again – imminently and often.

This is because banks are holding more than just cash these days. They are carrying vast amounts of incredibly valuable personal data about their customers which is stored online. That data, if not adequately protected, can be sold to the highest bidder.  And this is where the money really lies.

Once your data is stolen, the cyber criminals head onto the ‘dark web’ to find a buyer.  If, for example, 100 credit card details are stolen as part of a bank heist, the bid for those details can be anything from £500,000 to £1m.  The winner of the bid can then use the credit card information to buy whatever it is they like, so the money chain can last for a while.

That of course means that, since every business is processing data, every business has become a bank.  Once cyber criminals found a way to monetise data via the dark web, it raised the stakes for everybody.  Which means everybody has to have IT Security firmly on their agenda.

Data can be stolen via a variety of ways, but one of the easiest way to let cyber criminals in is through a weak link in your IT infrastructure.

A lot of organisations wouldn’t be able to say exactly what’s connected to their network, and why and how it’s there.  This is less than ideal, but of course, how do you know what you don’t know?

James Cronk, Cisco’s Global Director of Financial Services Industries, articulates the issue of coping with a complex infrastructure like this:

“[It’s like] a patchwork quilt of old and new technologies, with a significant amount of legacy IT, multiple security vendor solutions (few of which speak to each other), a vast number of applications (for use by staff and customers), and thousands of devices trying to access the network at any given time.

“Hackers thrive in complex systems. They make their business from finding the cracks and gaps, pursuing the weak links in our systems so that they can steal valuable data and profit.

“One cybersecurity goal these companies should focus on is to improve visibility and simplify their architecture. Getting to a point where they only need to see a cyber threat once, before instantly defending against it everywhere on their networks, has to be their goal.”

Read more in the article ‘’Financial services is where the money is..’

Visibility and Control

If you are responsible for a bank, or indeed any business that looks after customer identities (and you’re faced with a hacker who can spell) here’s a few questions you should be asking yourself:

  • What is important to us as a business that we need to protect?
  • Do we know what’s going on in our network? Do we have suitable controls?
  • Can we track a threat should it make its way into our infrastructure?
  • Do we have a plan for RansomWare?

For an insight into how to spot any gaps in your IT infrastructure, take a look at ‘The Suspicious Seven: A Network Visibility Checklist’

In 2016, it’s not just the physical doors you need to protect.  It’s the virtual ones too.  And this means looking at your IT infrastructure, and identifying where there might be some gaps.

It might not make the best Hollywood movie plot, but it’s the best way to protect your customers, and protect your reputation.

For more information, take a look at our article, ‘Security in Financial Services: Managing the Complexity of Digital Transformation’

Leave a comment