Syed Rahman, Legal Director at Rahman Ravelli, offers Finance Monthly an analysis of the implications that the FinCEN Files hold for financial services and regulators.
To use an old phrase, you shouldn’t wash your dirty laundry in public. But with the FinCEN Files it seems as if the banks have had many of their dirtiest secrets made very public. And, appropriately enough, they relate to their failure to tackle money laundering.
The FinCEN Files are 2,657 leaked documents; 2,121 of which are Suspicious Activity Reports (SARs) from some of the world’s largest banks and financial institutions. They identify more than $2 trillion in transactions between 1999 and 2017 that were flagged by financial institutions’ internal compliance officers - via SARs - as relating to possible money laundering or other crime.
Significantly, the documents beg the question why the banks did little or nothing to follow up their concerns. They are a blow to the credibility of both financial institutions and those that regulate them. The quality of SARs as well as the timing of them shows a meeting of the minimum requirements rather than any real intent when it comes to tackling money laundering. Quite how far any retrospective analysis of this conduct goes remains to be seen. But any identifiable failings could prompt civil or criminal proceedings.
Estimates put the leaked SARs as being a mere 0.02% of the total filed to FinCEN (the US Financial Crimes Enforcement Network). Yet while they may be a small percentage of the full picture, they raise big concerns about the lack of thorough checks being made by banks and the implications of this.
These concerns have made the news for a variety of reasons and in a wide range of reports. But while the headlines about facts, figures and prominent personalities are all worth absorbing, our main focus in all of this needs to be on the inadequacy of the system – or the operation of the system - that has allowed money laundering on such a huge scale. The FinCEN files would seem to indicate that we are at a tipping point when it comes to the banks and money laundering: either governments put more resources into the agencies who are supposed to investigate SARs or they work with the financial institutions, regulatory agencies and law enforcement bodies to repair or even replace what appears to be a system with serious fault lines running through it.
There has been recent tightening in the UK and US of legislation in relation to laundering. In the UK alone, we have seen implementation of money laundering directives, creation of the National Economic Crime Centre, the arrival of unexplained wealth orders and account freezing orders and government commitments in its Economic Crime Plan. Yet it appears that more needs to be done. The fact that more than 3,000 UK companies appear in the FinCEN files cannot be ignored. This is more than any other state, and confirms the UK’s unwanted title of most favoured location for money launderers.
At this stage, it is perhaps too early to say with certainty precisely how the blame should be shared out. The fallibility of the system, the shortcomings of the banks and law enforcement’s lack of action or resources appear to be the prime suspects. Closer scrutiny of the individual SARs in question – if and when they become available – may help identify exactly where responsibility for this lies.
Yet wherever the finger is pointed, those who face criticism may well be able to point to mitigating circumstances. In terms of resources, there is no doubt that the SARs regime is placing huge strain on the National Crime Agency’s UK Financial Intelligence Unit (UKFIU), whose job it is to process them. April 2017 to March 2018 saw UKFIU receive more than 450,000 SARs. And while banks and other financial institutions may be criticised, they can point to the fact that by filing the SARs they have complied with their statutory requirements. If, in the wake of these leaks, these requirements are not deemed adequate or effective then another approach – even a whole new way of tackling the problem – may need to be devised. But at the very least a lot of thought needs to be given to the allocating of more resources to the existing approach.
The Law Commission has recommended certain improvements to the UK SARs regime, most notably a call for them to be made more useful to law enforcement. The Commission said too many reports are of poor quality, as they are made primarily as a defence to any potential allegation of money laundering against the financial institution. It also said that the current system is complex, resource intensive and lacks any accompanying guidance.
The leaking of thousands of documents has, if anything, validated the Commission’s views. The main issue now is what is done to improve or replace a system that suits nobody other than those it is supposed to be working against.
Having both been incorporated in 2018, Prevail Partners and Intelligent Sanctuary are relative newcomers to the financial services sector – but the teams behind them certainly aren’t. Their new partnership combines military and international crime agency asset tracing, due diligence, fraud and money-laundering capability that could set a new standard in the civilian market.
Rather than limiting investigations to scouring social media or publicly available records, the partners utilise investigative tradecraft and cyber forensics, supplemented with fintech-based data collection tools, to pursue evidential trails across international borders. Intelligent Sanctuary CEO Jonathan Benton and Prevail Partners CEO Damian Huntingford discussed this unconventional approach to due diligence and asset tracing during an interview with Finance Monthly.
Both chief executives came from high-ranking jobs in what they called their ‘previous lives’. Jonathan is a former senior police officer and Head of the UK’s International Corruption Unit, while Damian is a former Special Mission Unit Commanding Officer and OBE recipient. Both are able to draw upon more than 20 years of experience in their fields, and their teams are just as capable; Prevail Partners staff have backgrounds in UK Special Forces, and Intelligent Sanctuary team members have each spent more than a decade in financial investigation or litigation.
It is this unique kind of professionalism that has set the partners apart from the traditional firms and made them less prone to misconduct, according to Jonathan. “There's been parliamentary enquiries into the way investigators conduct themselves in the private sector,” he said. “There's been untold cases overturned because of the way people have conducted themselves. But I was a former senior police officer. Damian's a former senior military officer. And we have genuinely operated at the top of our game and have reputations and understand risk and how reputation can be lost -- not just for us but our client as well. And therefore, there is a very strong core value about what we do and how we do it.”
For the two firms, the partnership was a natural fit. Both company heads knew of each other as highly regarded professionals in their past careers, and the character of both organisations blended effectively. “We both know from our previous careers that there's often a difference between what might be legally permissible and what you're actually comfortable doing,” Damian said. “I think, as leaders, that’s something we’ve wrestled with numerous times at the pointy end.”
Already, their methods have been exceptionally effective. Between them, the two companies have traced, frozen or secured over $8 billion of misappropriated funds from business leaders and heads of state alike.
Damian credited the success of their ventures to their already-existing network of international connections and their ability to ‘command the cyberspace’. “That can involve, for us, other techniques around social media monitoring, and on occasion in the right instance there could be components of human intelligence, and even a physical dimension to that, providing it's appropriate to that particular jurisdiction,” he explained.
This multi-source intelligence has allowed Prevail Partners to pursue the fraudulent activities of a litany of high-profile individuals – among them Jan Marsalek, former COO of now-collapsed fintech firm Wirecard, who came to the company’s attention while conducting an enhanced due diligence investigation into the firm on behalf of a FTSE 250 company. “There were several red flags raised on that individual,” Damian said, “specifically pertaining to financial and reputational risk around him and his association with Wirecard.”
Through their investigations, Prevail Partners uncovered several transactions made by Marsalek using an avatar in the video game Second Life, which has in the past been used as a tool for financial fraud. This prompted a follow-up investigation, which uncovered further transactions between Marsalek and individuals in Russia, China and other nations that raised yet more flags. Though Prevail Partners’ warnings were not ultimately heeded, they were aware of Wirecard’s dubious financial activities long before news of its fraudulent operation emerged and Marsalek went into hiding.
Fintech executives are far from the only subjects of Prevail Partners’ and Intelligent Sanctuary’s investigative work. Their teams have also tracked former Libyan Prime Minister Gaddafi’s looting of his state’s wealth, leading to $2 billion worth of funds being frozen through sanctions, and identified a global network of illicit assets in excess of $1 billion used by former Egyptian President Mubarak and his confidants. Dismantling complex financial fraud is a challenging and morally rewarding endeavour, which both CEOs identified as a key motivator in their decision to re-establish themselves in the private sector.
“My old world was about chasing down corruption and trying to uncover the pernicious side of it and recover the money that is laundered through the UK,” Jonathan said. “Well, we can still do the same thing through the private sector. In fact, I'd go as far to say in many ways probably more efficiently, because civil litigation is swifter, it can provide opportunity for early settlement, it's not conviction-based – requiring the conviction first and then recovery. So it's also about the ability to still do good, but in a commercial space.”
With both companies’ capabilities now working in tandem, we can expect to see Prevail Partners and Intelligent Sanctuary continuing to set new standards in asset tracing and due diligence going forward.
A study has made a link between powerful bank CEOs and the risk of money laundering. Syed Rahman of business crime specialists Rahman Ravelli considers the research and argues that prevention is everyone’s responsibility.
It may not please certain figures at the top of a number of financial institutions, but research has linked powerful bank CEOs with money laundering dangers.
According to researchers at the University of East Anglia, banks that have such CEOs and smaller, less independent boards will probably take more risks and, as a result, be more prone to money laundering than those with a different concentration of power at the top.
The researchers’ study examined a sample of 960 publicly-listed US banks for the period from 2004 to 2015. The study’s results showed that money laundering enforcement was associated with an increase in bank risk. From its findings, researchers stated that the impact of money laundering is more pronounced where a powerful CEO is present – and is only partly reduced by the presence of a large, independent executive board. They concluded that banks that have powerful CEOs attract the attention of regulators engaged in anti-money laundering efforts, and that this is especially the case if the bank’s board of directors is small and lacks independence.
The study has been viewed by some as the first to demonstrate that money laundering is a significant driver of bank risk. This effectively means that it can take its place alongside business models, ownership structures, competition in the marketplace and regulation as having an impact on risk.
It is perhaps surprising that previous research on banks’ risk-taking has not explicitly homed in on the possible effect of money laundering, especially as regulators have made no secret of the importance they attach to tackling it. But now, it could be argued, is an appropriate time to make that link. The increased numbers of cross-border transactions – and the sheer scale of many of them – have made banks more vulnerable to money laundering. Regulators are carrying out ongoing assessment of money laundering risks posed by organised crime and those with terrorist links while states – many of which have had obligations placed on them in recent years – are increasing their use of sanctions against countries, organisations and individuals.
The banks that do not recognise and respond appropriately to this state of affairs could well find themselves suffering fines, claims against them and significant reputational damage. Such outcomes are the logical consequences for any bank that can be shown not to have done all it could or should to minimise the dangers of money laundering.
It is worth noting, at this point, the researchers’ argument that the size and independence of a bank’s board can mitigate the impact of money laundering on bank risk but cannot fully compensate for the possible adverse effects. Aside from the study’s conclusions, what also needs to be emphasised is that the shape of fraud and money laundering is constantly changing and developing. As the risks posed by money laundering grow, the regulators adapt to rise to the challenges and the banks themselves have to meet their obligation to identify and assess the risks to which they are exposed. Just as importantly, the banks need to ensure that those risk assessments are kept up to date.
Such procedures can and will, of course, be instigated by those at the top. But regardless of the concentration of power in the upper echelons, once those procedures are in place the bank needs to make sure that its employees understand and comply with them. Those procedures need to be subject to regular monitoring, review and, when necessary, revision to ensure they are effective in countering the threat posed by money laundering. Banks have many methods available to them to ensure this is achieved. It almost goes without saying that banks will have a money laundering officer to supervise all anti-money laundering activities. Investing in anti-money laundering controls involving artificial intelligence (AI) technology is another approach, as it can support enhanced due diligence, transaction monitoring and automated audit trails. But what cannot happen is that the CEO or the board simply issues an edict about the wish to prevent money laundering: genuine prevention will only succeed if it is adopted and carried out by all levels of personnel.
The standing of a CEO in a bank and the relative power of its board may well have an impact on the risk posed by money laundering. But a bank will always be vulnerable if its approach to tackling that risk is not embraced by all levels of its workforce.
A report from BuzzFeed and other outlets on Sunday cited documents leaked from the US Financial Crimes Investigation Network (FinCEN) which indicated suspicious transactions being conducted through numerous banks, alleging that banking officials allowed criminals to shuttle money through their organisations.
Around 2,100 suspicious activity reports (SARs) were leaked, along with over 17,600 other records, which are being collectively referred to as the FinCEN files. They cover roughly $2 trillion in transactions between 1999 and 2017.
The documents were shared with the International Consortium of Investigative Journalists (ICIJ) and have been combed for evidence of wrongdoing. Among the revelations known so far are signs that HSBC enabled fraudsters to move millions of dollars of stolen money around the globe even after learning of the scam; JP Morgan allowed a company potentially owned by an FBI-wanted mobster to transfer over $1 billion through a London account, and a confidant of Russian President Vladimir Putin may have been using Barclays Bank in London to dodge sanctions imposed across the West.
Documents also revealed that the UK was known to the intelligence division of FinCEN as a “higher risk jurisdiction” comparable to Cyprus, and that the husband of a major Conservative Party donor was being secretly funded by another Russian oligarch close to Putin.
Shares in HSBC dipped by 4% in Hong Kong after the leaked documents came to light, the bank’s highest stock fall to date.
Anti-corruption organisation Transparency International UK said the leaked SARs “repeatedly cite weak money laundering defences in the UK financial sector as a major problem”, with chief executive Daniel Bruce adding that the revelations “are a damning indictment of the system that is supposed to prevent the UK and other financial centres becoming havens for dirty money.”
John Dobson, CEO at anti-money laundering specialists SmartSearch, also commented on the content of the FinCEN files. “This is nothing short of a betrayal for all those thousands of businesses doing their bit in the global fight against money laundering and financial fraud,” he said.
“We speak to customers in the UK and the US day-in, day-out, who are all working hard to make sure they have the best tools and technology available to prevent money laundering, and to be compliant with the law. While at the same time, if these documents can be believed, one of the world’s biggest banks has effectively turned a blind eye and enabled criminals to take full advantage.”
In a statement, HSBC said “All of the information provided by the ICIJ is historical.” As of 2012, the bank said, “HSBC embarked on a multi-year journey to overhaul its ability to combat financial crime across more than 60 jurisdictions.”
Other banks implicated in the FinCEN files have also issued statements.
The Financial Market Supervisory Authority (FINMA), Switzerland’s financial watchdog, announced on Wednesday that it had opened enforcement proceedings against Credit Suisse over a spying scandal that came to light in 2019.
In a statement, FINMA said that it would “pursue indications of violations of supervisory law in the context of the bank’s observation and security activities and in particular the question of how these activities were documented and controlled,” adding that such proceedings “can be expected to take several months.”
Credit Suisse announced that it would cooperate with the investigation “to ensure a complete and expeditious conclusion of the review of this episode and incorporate lessons learned.”
FINMA’s announcement follows the completion of a review of the bank’s corporate governance and its surveillance of former employees. The employees targeted were former head of wealth management Iqbal Khan, who was leaving for a post at Credit Suisse rival UBS, and former head of human resources Peter Goerke.
Credit Suisse CEO Tidjane Thiam resigned in February amid the investigations, maintaining that he was not aware of the spying operation. An internal probe by the company concluded that COO Pierre-Olivier Bouee bore responsibility, leading to Bouee’s termination.
Thiam has since been replaced as CEO by banking veteran Thomas Gottstein.
As curiosity rises around this topic, Equifax has devised this educational infographic, which helps answer the fundamental questions, including what a money mule is, how money muling works and how to spot ads for money mules. Equifax explores what could happen if you’re involved with such suspicious activity, highlighting the severity of falling victim to becoming a money mule.
Educating the public is as crucial as ever, particularly as the latest Fraudscape report by Cifas found that in 2018, organisations reported over 40,00 cases of fraudulent abuse of bank accounts that bore the hallmark of money mule activity. This widespread issue only seems to be escalating as cases involving mule activity were up by 26% in 2018 compared to 2017.
The interactive infographic will lie within the Equifax ‘Knowledge Centre’ on their main website. This informational hub provides readers and customers with relevant content and guidance surrounding a variety of financial categories. You can read Equifax’s full interactive guide to Money Mules here.
However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone or are told to use their banking app to transfer money into a safe account. This multi-channel approach means that at every touchpoint, an organization must be aware that their customers could be at risk; they need to put systems and processes in place to mitigate cybercrime.
According to a report by McAfee, the European economy is one of the worst affected areas in the world. The statistics suggest that 0.84% of Europe's GDP is affected. Looking at the UK specifically, it is estimated that the cost of cyber-crime to the UK economy is £27bn – and it is growing.
One of the latest and most high-profile risks to have come to people's attention over the past 18 months is customer data breaches. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation was brought into place to ensure that organizations are acting responsibly when it comes to processing and storing customer data.
The financial impact of not following these guidelines, or for not having the correct systems in place, has been significant. Just months after the new regulation came into place, British Airways were one of the first companies to fall foul when 500,000 pieces of customer data were stolen, which resulted in them receiving a £183m fine.
Before any cyber-crime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.
One of the consequences of cybercrime that will affect every business is the direct costs. This could be money lost by the business or by consumers. It could also be the loss of reputation to a brand. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.
Following on from an attack, there may also be payments that need to be made. On top of losing money in an attack, a business may also need to pay out compensation, fines, and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as demonstrated by the British Airways case.
Here Syedur Rahman of business crime solicitors Rahman Ravelli questions the effectiveness of big fines and the likelihood of criminal prosecutions in the future.
Standard Chartered has hit the headlines for the size of the fines imposed on it on both sides of the Atlantic.
But behind all the big numbers and the column inches it is hard not to wonder if such a costly slap on the wrists is now being viewed by the big banks as nothing more than the cost of doing big business.
Standard Chartered has been ordered to pay a total of $1.1 billion by US and UK authorities to settle allegations of poor money laundering controls and sanctions breaching. It is paying $947M to American agencies over allegations that it violated sanctions against six countries and has been fined £102M by the UK’s Financial Conduct Authority (FCA) for anti-money-laundering breaches; including shortcomings in its counter-terrorism finance controls in the Middle East.
These fines had been expected. Standard Chartered said two months before the fines were imposed that it had put $900M aside to cover them. But this isn’t the first time that Standard Chartered has had to pay out for its wrongdoing.
Seven years ago, it paid a $667M fine in the US. Like its latest US penalty, it related to alleged sanctions breaches. At the time, it also entered into a deferred prosecution agreement (DPA) with the US Department of Justice and the New York county district attorney’s office over Iranian sanctions breaches beyond 2007. That DPA would have expired by now but has been extended until April 2021 in the wake of the latest allegations.
Will this be the end of Standard Chartered’s problems and the start of a new allegation-free era? It is hard to believe so. But it is fair to point out that it is not the only bank to be hit by huge fines for wrongdoing and then be found to be repeating its illegal behaviour. Which is why it is hard to believe that fines are having any real impact on the way that some of the biggest banks function. If they are prepared to keep paying the fines and / or giving assurances about keeping to the terms of a DPA while reaping the benefits of breaking the law it is hard to see the cycle of behaviour changing.
Let’s be clear, any failure by Standard Chartered to abide by the terms of its DPA could see it facing criminal prosecution. And any bank’s weak approach to money laundering is now increasingly likely to be pounced on by the authorities. The Standard Chartered investigation was a co-ordinated multi-jurisdictional effort by the FCA, the US agencies and the United Arab Emirates. And while Standard Chartered’s full cooperation with the FCA saw it receive a 30% discount on its fine, relying on cooperation to gain a lesser punishment cannot be viewed as a safe approach.
The authorities around the world that investigate the activities of banks and other financial institutions are now more coordinated than ever. They have more legal powers than ever before and are unlikely to be reluctant to use them against those in the financial marketplace that come to be seen as repeat offenders.
There is no clear indication or evidence that the era of big fines may be about to pass or that the authorities are set to view convictions as a more effective deterrent to financial crime than hefty financial penalties. There may also be difficulties when it comes to corporate liability which, in the UK, requires proof that those involved in the wrongdoing are sufficiently senior to be considered the ‘controlling mind and will’ of the company.
But if fines continue to be ineffective in curbing the behaviour of certain banks it can surely only be a matter of time before the authorities rethink their approach to enforcement.
For much of 2017, tech news headlines were dominated by the wide-reaching and incredibly costly effects of ransomware. WannaCry and NotPetya infected thousands of computers, holding their data hostage and demanding that the user pay a significant sum for it to be returned to them. These attacks didn’t just affect general users, but businesses and national infrastructure as well, resulting in damage to reputations and a significant loss of capital due to downtime. But in 2018 we find ourselves faced by a different kind of threat, one that arguably hides in plain sight: cryptojacking. Cryptojacking sees malicious actors run cryptocurrency-mining software in the background of a user’s computer without their permission or knowledge. This can have a serious financial impact on a company, with a combination of costs in electricity and lost productivity being enough to be of a concern to financial teams in charge of budgets, as well as the issue of reputational damage associated with unknowingly aiding criminal activity.
Different Shades of Cryptojacking
These attacks generally come in two forms. Firstly, cryptojacking malware works in a similar way to other malware variants, oftentimes with hackers sneaking cryptocurrency miners into software (ranging from apps on a smartphone to videogames on the world’s largest PC gaming platform) which then runs in a computer’s background processing. Cryptojacking malware can gain access to core systems through a variety of attack vectors, including out-of-date applications and operating systems, like Windows XP. In one instance of a cryptojacking malware attack, hackers created a botnet (army of connected devices) of cryptominers, dubbed ‘Smominru’ by security researchers, which exploited over 520,000 machines – that's nearly as large as the Mirai botnet that nearly ‘broke the internet’ in 2016. This attack amassed nearly $2.3 million in the Monero cryptocurrency.
The second form of cryptojacking is far sneakier: ‘drive-by’ cryptojacking attacks can be performed on any device using a web browser. Simply put, these attacks happen when web pages infected with a so-called mining script are open on a user’s computer. The website will then, without the user’s knowledge or consent, mine for cryptocurrency using their PC. Attackers can then use the power of the user’s central processing unit (CPU) to mine for currency – though the criminals lose access immediately when the user leaves the page. A recent, high-profile ‘drive-by’ attack saw 5,000 websites affected by the cryptojacking malware. The attack also infiltrated websites belonging to the UK Information Commissioner and several NHS and local council services.
The fact that cryptojacking lucratively operates “under the radar”, as well as crypto’s rise in popularity, has meant that the number of reported cases of cryptojacking rose by more than 600% in Q1, 2018. Cryptojacking is very hard to detect, particularly if criminals use currencies like Monero which is famous for its level of privacy. Like other cryptocurrencies, Monero uses a public ledger but the difference is that Monero’s is obfuscated to the point where no one can tell its source, amount or destination. For these reasons, it is a popular choice for cybercriminals, including cryptojackers. ‘Drive-by’ attacks are easier to execute than other cyberattacks and, from a cybercriminal’s perspective, can have a higher ROI as they only have to hack one website in order to target all visiting devices. As of the 9th July, 2018, over 30,000 websites have been infected with malicious crypto mining scripts, including sites belonging to Tesla and Aviva. Finally, crypto-mining criminals aren’t relying on users or organisations choosing to transfer money in order to regain access to their data or systems as in the case of ransomware attacks; instead, they are able to mine for as long as the malicious script is running. Experts are even arguing that cryptojacking could soon overtake the use of ransomware because it is simple, more straightforward and less risky.
Running out of Energy: The Effects of Crypto-Mining
The effects of cryptojacking on a PC should be fairly noticeable. Mining for cryptocurrency runs complicated equations which are time and processor intensive. Tell-tale signs are if a device starts acting uncharacteristically sluggishly, or if its fans seem overactive. If the affected device is a laptop the battery will drain noticeably quicker. These symptoms can go undetected, however, particularly if devices are still operational and users don’t think to alert the IT help desk.
Some may argue that cryptojacking is thus just a minor nuisance and a largely victimless crime, but in fact the damage comes from just how energy intensive it is. While the immediate effects may not be as crippling as a large-scale ransomware attack, costs build up because cryptojacking can slow down systems and destroy technology, which are costly on their own but can also lead to downtime. Drains on electricity can also cause incredibly high bills, and are bad for the environment. Cryptojacking (Coinhive in this case) on just one desktop computer used 1.212kWh of electricity over the space of 24 hours. According to the Energy Savings Trust, the average cost of electricity in the UK per kWh is 14.37p, so this would cost 17.42p per day, or £5.22 per month. For an organisation made up of hundreds (if not thousands) of computers, this could quickly become very expensive. In some cases, cryptojacking has also been known to completely destroy IT equipment due to the heavy and unrelenting strain that the hardware is put under by mining software. Organisations need to tackle cryptojacking head on in order to protect IT hardware and software, save on extra energy costs and ultimately retain business that may be lost due to downtime.
A Layered Defence against Cryptojackers
To prevent these attacks, organisations need to make sure that everything on their network is monitored and checked regularly, from PCs to websites. And when using third party tools, they should put protections into place and not link directly to source codes (the behind-the-scenes workings of what makes any computer program function) which aren’t their own. Businesses should also invest in resources for IT and security teams that give them a holistic view of what is going on in their environments, because they can’t protect or defend against threats they don’t know about. Finally, a layered approach to cybersecurity reduces attack surfaces, detects attacks that do get through, and helps cybersecurity professionals to take rapid action to contain malicious activity and software vulnerabilities. The financial outlay on a layered cybersecurity solution might seem costly, but finance teams in charge of investing in technology should see this as a critical insurance policy against cyberattacks that could completely cripple a business. Investment in cybersecurity is nothing compared to what cryptojacking could cost an unprotected organisation.
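One way to act on the advice about third-party tools, given here as an added example and not as code from the article: the Python check below assumes the protection in question is Subresource Integrity (SRI) and flags scripts loaded from another origin that carry no integrity pin, or whose served content no longer matches the pin. The hostnames, the sample page and the `served` map are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # digests SRI accepts

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Value for an integrity attribute, e.g. 'sha384-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

class ScriptTags(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.tags.append(attrs)

def audit(html: str, page_url: str, served: dict) -> list:
    """Return (script_url, verdict) for each third-party script in html.
    served maps URL -> bytes currently at that URL (passed in, so no network)."""
    parser = ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.tags:
        url = urljoin(page_url, attrs["src"])
        if urlsplit(url)[:2] == urlsplit(page_url)[:2]:
            continue  # same scheme and host: first-party, not audited here
        tokens = [t.split("?")[0] for t in (attrs.get("integrity") or "").split()]
        tokens = [t for t in tokens if t.split("-")[0] in STRENGTH]
        if not tokens:
            verdict = "missing-integrity"    # a modified file would run unchecked
        elif "crossorigin" not in attrs:
            verdict = "missing-crossorigin"  # browser cannot verify a no-CORS response
        else:
            # Browsers enforce only the strongest algorithm listed.
            best = max((t.split("-")[0] for t in tokens), key=STRENGTH.get)
            wanted = {t for t in tokens if t.startswith(best + "-")}
            ok = sri_hash(served.get(url, b""), best) in wanted
            verdict = "ok" if ok else "mismatch"
        findings.append((url, verdict))
    return findings

# Constructed sample: one first-party and three third-party scripts.
GOOD = b"console.log('widget v1');"
CHANGED = GOOD + b"/* extra code added upstream */"
PIN = sri_hash(GOOD)
PAGE = f"""<script src="/static/app.js"></script>
<script src="https://cdn.example/widget.js"></script>
<script src="https://cdn.example/pinned.js" integrity="{PIN}" crossorigin="anonymous"></script>
<script src="https://cdn.example/changed.js" integrity="{PIN}" crossorigin="anonymous"></script>"""
SERVED = {"https://cdn.example/widget.js": CHANGED,
          "https://cdn.example/pinned.js": GOOD,
          "https://cdn.example/changed.js": CHANGED}

if __name__ == "__main__":
    for url, verdict in audit(PAGE, "https://shop.example/", SERVED):
        print(f"{verdict:20} {url}")
```

A `mismatch` verdict means the file at the third-party URL has changed since it was pinned; a browser enforcing SRI would refuse to run it.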
Users, including financial teams who are often targets of cyberattacks, can also do their bit to stop the spread of cryptojacking. It’s important not to download files from suspicious websites, or open attachments from email addresses you don’t recognise. Furthermore, users can protect themselves online through the use of browser plug-ins that block attempts from websites trying to hijack their PCs.
However necessary it may be to introduce precautions, what ultimately might end up being the cure for cryptojacking is cryptocurrency itself. At time of writing, Bitcoin has just experienced a crash of a little under $1,000 in just shy of 24 hours. This volatility – particularly if crypto continues its downward trend since Bitcoin peaked at $19,783.06 in December 2017 (it is currently at $6,431.70 less than 10 months later) – might put criminals off. If cryptojacking can no longer prove to be profitable because the investment in the tools required is not matched by the reward, then it may well be the markets that solve the cryptojacking issue.
While market volatility is out of the control of individual businesses, what is within their means is the ability to shore up their infrastructure. Hackers are at the cutting edge in their attempts to exploit any sort of flaw that exists in a system’s makeup and cryptojacking is currently the shiniest plaything in their toy box. The positive outlook however is that cryptojacking can be protected against with the right tools and mind-set. Out-of-date applications and operating systems are a favourite attack vector for bad guys, but they can easily be fixed. It is the responsibility of IT and Security teams, along with key decision makers who are in charge of purchasing, to stop them. By investing in cybersecurity technology, as well as training users, organisations defend against cryptominers trying to gain access to precious resources and can help to make cryptojacking a less attractive prospect for hackers.
There is a rush to improve speed, convenience and user experience in financial interactions, but at what cost to security?
While for the most part bankers are positive about their ability to improve their financial performance in 2018 and beyond, evolving risks – particularly cyber risk – are no doubt preoccupying their thoughts. A recent report by professional services firm, EY, puts cybersecurity as the number one priority for banks in the coming year, and it comes as no surprise, especially with Britain’s National Cyber Crime Unit data showing 68% of large UK businesses across sectors were subject to a cybersecurity attack or breach in the past 12 months.
It’s a mounting problem, and the financial services industry needs to fight back. We’ve picked out the four key ways of countering the continuing threat to banks’ cybersecurity – and it’s a case of fighting cyber with cyber.
Like it is in retail and manufacturing, for example, artificial intelligence (AI) and advanced analytics will play a key role in banking moving forwards.
And the financial services industry is looking to this technology to play a major part in the prevention of cyber attacks, reducing conduct risk and improving monitoring to prevent financial crime. Mitigating such external and internal threats is critical to both business continuity and limiting operating losses, and so AI shouldn’t be overlooked as a key tool in reaching this goal.
In order to meet the regulatory technical standards, which will be enforced in September 2019 as part of the European Union’s PSD2 payments legislation, the number of transactions requiring two-factor authentication will rise in the coming months.
What has been deemed by the industry as “Strong Customer Authentication” will be required, and this should result in payments and account access relying on customers providing and using a combination of the following: something they know, like a password; something they have, like a phone or card; and something they are, such as a fingerprint.
More factors equals more security is the industry theory here.
Which leads us neatly on to point three: biometrics. This push for two-factor authentication and new electronic identification will pave the way for more biometrics use. With some of the largest players in card payments, including Mastercard, investing heavily in such solutions, we expect others to start to follow suit.
As Ajay Bhalla, President for global enterprise risk and security at Mastercard, puts it: “The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.
“In payments technology this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies, such as AI.”
According to the EY research report, 20-40% of financial service providers are investing in Blockchain now and are planning to increase investment, while approximately the same percentage are investing now but planning to reduce expenditure.
Either way, it shows that Blockchain is very much on the agenda for banks. The main attraction of Blockchain is that it creates an indelible audit trail which is distributed across multiple servers, so there’s no single weak link for cyber attackers to target. This provides banks with unparalleled transparency and increases trust.
Blockchain also has the potential to make a complex global financial system less complicated and reduce the number of middlemen involved in the transferring of money.
So, that’s the technology on offer, but what are the next steps?
Unless banks collaborate more with their peers, or improve their use of the wider ecosystem, the required investment in advanced technologies to address issues of growing cybercrime will be substantial and could strain their ability to improve financial performance and grow their businesses.
And, as bank leadership teams focus on investing in the relevant people and technology – and it is the combination of both that’s crucial here – to enhance cybersecurity, they may struggle to find the right skill sets or the right methods for integrating cyber experts into their organisations.
Raising their knowledge of the technology available to help stem the tidal wave of cyber threats is a key requirement for banks, if they don’t want to end up washed up on the shore as a result of their defences being breached.
Cryptocurrency values have risen and fallen in spectacular fashion over the last year and while financial watchdogs are looking to tighten the regulatory grip on how cryptocurrency trading operates, some traders have already profited from the volatility in the new currencies – and they’re not the only ones. Below Martin Voorzanger, EclecticIQ, explains for Finance Monthly how criminals are making the most of the current crypto sphere.
Another group making profits from the turbulent cryptocurrency market is cybercriminals. In fact, last year there was a marked increase in cryptomalware reports and breaches of crypto exchanges and it’s clear that 2018 will be no different. After all, where there is money, there is crime.
The future ‘bank job’
In some cases, criminals are adapting tried and tested cybercrime techniques – such as hacking email accounts, social engineering and spoofing emails – to prise digital coins out of the hands of those that own them.
For example, in late 2017, criminals pulled off the classic bank heist – with a twist. Making off with approximately 4,700 Bitcoins (valued at the time at $70m) in a raid on digital currency exchange, NiceHash, hackers gained access to the company’s payment services through an employee’s PC. The organisation described the attack as “sophisticated social engineering”.
Hackers found a similar route into Bithumb – South Korea’s biggest cryptocurrency exchange – earlier in 2017. Again, the weak link was an employee – and this time it was their home computer which was compromised. While, in this case, no currency was stolen, a vast amount of personal computer data was. Despite Bithumb suffering no real, initial monetary loss, the theft of sensitive personal data can actually be even more damaging to a business. In this instance, Bithumb stated that no passwords were stolen, but customers reported receiving calls and emails that scammed them out of funds, ultimately resulting in financial loss for Bithumb and potentially an irreversibly damaged reputation.
While bitcoin and other cryptocurrencies may have been designed with security in mind through the blockchain platform, organisations can’t rely on this alone to keep their crypto assets and data safe. Yes, blockchain is notoriously difficult to tamper with; however, opportunist criminals have found something much easier to compromise – the computers and employees within exchanges.
It is for this reason that organisations must exercise more caution and ensure all security technology and practices are fit for purpose. Good security hygiene should always be front of mind in finance matters – whether it’s around cryptocurrency or not.
A new kind of ‘botnet’
Potentially more worrying than these older, but still successful, cybercrime tactics, is when criminals start to adapt new techniques specifically with the intention of defrauding holders of crypto assets. One of the methods that is becoming popular with criminals in a bid to exploit digital currencies is cryptojacking – where cybercriminals take over employees’ computers to secretly mine cryptocurrency. While the method itself has been around for some time, the surge in the value of cryptocurrencies means mining coins has become an incredibly enticing prospect for criminals. And although each infected device can only mine a small amount of value, criminals are collecting enough machines to create data-mining ‘botnets’ which, collectively, can deliver a large profit.
While cryptojacking in itself may not carry the destructive payload of ransomware or other malware, it still represents a device compromise and one which, at best, affects the performance and longevity of devices and, at worst, provides an open doorway for more destructive threats, such as ransomware.
Furthermore, it’s not just the cryptocurrencies themselves that are under threat of attack. Worryingly, earlier this year, security firm Radiflow reported that a European water provider had been compromised. This attack represented the first public discovery of cryptocurrency mining malware in the systems of a critical national infrastructure organisation, proving that criminals are no longer just after currency – they want power.
The threat to cryptocurrencies is real and growing - whether the end game of the criminals is financial gain or to disrupt critical infrastructures. Indeed, Microsoft warned earlier this year that it has seen a surge in currency-mining malware infecting Windows PCs in enterprises around the world. The company believes this could be the work of external criminals or, equally, insiders with access to company systems.
Ultimately, while cryptocurrencies themselves are secure, the exchanges and the systems that surround them are not. Humans remain the weakest link, whether intentionally or not: criminals continue to use the same tried and tested vectors of attack, and humans are still just as vulnerable to being conned or manipulated by social engineering.
One thing is for certain though – cybercrime activities in this area will not decrease anytime soon. Organisations need to make sure they have the correct security measures in place, including ensuring that employees understand the threats associated with social engineering, to best protect against this new kind of threat.
Last weekend, British shoppers were predicted to have spent almost £8bn on Black Friday sales – nearly four percent higher than last year. While this busy shopping period is certainly good for the British economy, it raises concerns about the opportunities for scammers and cyber criminals. Ross Brewer, VP and MD EMEA at LogRhythm, discusses for Finance Monthly below.
Indeed, all eyes have been on who – and there will be some – will fall victim to hackers’ increasingly persistent and clever tactics. Retailers are prime targets because of the confidential data they hold – whether it’s bank details, email addresses or personal information. There’s absolutely no doubt that cyber criminals will have tried to take advantage of the past week’s online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months. Retailers have a lot to prove when it comes to showing consumers that they are taking modern-day threats seriously.
As we saw only this week with Uber, it isn’t always a breach that makes headlines; it can be how it’s contained and disclosed. In such a competitive industry, retailers rely heavily on loyalty, which means reputation is key. They need to understand the true value of the data they hold and take the necessary steps to protect it.
Monitoring and detection is key
It’s hugely important that retailers are investing in tools that continuously monitor networks for any signs of a compromise. Indeed, online activity and network communications between components in the card processing chain need to be tightly controlled; a process that is specifically mandated by PCI-DSS. With time increasingly of the essence, it is also critical that, rather than simply scanning for threats and raising an alarm if something suspicious is identified, these systems are able to deliver actionable insight with supporting forensic data and contextually rich intelligence. Not only does this ensure that the right information is delivered at the right time, to the right people, but it guarantees that the appropriate context will be attached, significantly decreasing the amount of time it takes to detect and respond to threats.
Most retailers know by now that they cannot afford to take shortcuts when it comes to cyber security. With breaches now a case of when, not if, it’s essential that they are on high alert at all times – particularly during busy shopping periods. Despite growing concerns over the cyber threat, consumers are spending more and more money in store and online each year, but retailers cannot take this for granted. It only takes one data breach to damage a company’s reputation, hinder future sales and/or disrupt pending investments and deals.
The good news is that security intelligence has become so advanced that companies can now automatically detect a compromise as soon as it happens, enabling security teams to stop a cyberattack before any damage is done. With GDPR only a matter of months away, enterprise organisations and retailers are feeling the pressure to identify, mitigate and disclose an attack at the time that it happens. Only with rapid detection and response capabilities will retailers be able to take cyberattackers head on and protect their customers.