Posted by Kalyani M. on Sep 25, 2013
The banking world has set out some of the tightest online security measures for secure banking transactions on the web. But as hosts of private customer knowledge, account numbers, and assets, online banking services are prime targets for hacking, leaks, and attacks. One of the best ways for banks to secure their information is to remap their services using the private development framework Crypton while exclusively storing and syncing sensitive data to a secure cloud service provider.
Recently a Santander bank branch in London was the victim of a sophisticated cyber-attack worthy of the silver screen. London police in conjunction with PCeU, Scotland Yard’s e-crime unit, detained twelve men on suspicion of conspiring to steal data and money from the bank. One of the suspects allegedly posed as a maintenance engineer and was able to install a keyboard video mouse device (iKVM) to a branch computer, which enabled the group to seize the desktop contents of the device through the bank’s network. According to PCeU Detective Inspector Mark Raymond, “This was a sophisticated plot that could have led to the loss of a very large amount of money from the bank, and is the most significant case of this kind that we have come across.”
Santander responded through a spokesman, which assured customers that their assets were still safe. According to a statement the bank claims, “Santander was aware of the possibility of the attack connected to the arrests. The attempt to fit the device to the computer in the Surrey Quays branch was allegedly undertaken by a bogus maintenance engineer pretending to be from a third party. It failed and no money was ever at risk. No member of Santander staff was involved in this attempted fraud. We are pleased that we have been able, through the robustness of our systems, to prevent the fraud and help the police gather the evidence they needed to make the arrests.” But according to Dr. Eerke Boiten from the University of Kent, the failed plot should be cause for concern for all banks as it shows a ramped-up level of criminal sophistication. Boiten says that the iKVM “captures all the information that goes to the screen, keyboard and mouse. If you manage to get it installed inside the computer, it gives you a way of contacting the device through a remote computer. This is what people use for controlling a big server remotely. You basically can control a computer inside that bank branch. With one such device you can do as much damage as an individual teller can, within the bank. This is not just one guy trying to install this thing and see if he can get through to the Internet.” The foiled attempt at digital theft shows that thieves are willing to exploit any and all weaknesses in security, whether physical or digital.
This case of attempted theft has caused a wave of concern to ripple through the tech security world. According to senior security researcher at Kaspersky Lab David Emm, “Like many other hacking attempts, the game plan of the hackers in this case was to be able to get information on transactional and customer data held on the computers within the bank to use for financial advantage. This attempt should remind organizations that a holistic approach needs to be taken toward security. It’s not just the IT security methods that need to be scrutinized, but the people within the organization as well.” Banks should make sure that all employees are brought up to date on security protocols and that no unauthorized personnel are allowed near branch devices.
As McAfee CTO Raj Samani says, “These arrests prove that the ease with which anybody can conduct what is described as a very significant and audacious cyber-enabled offence requires limited technical knowledge and [a] questionable moral compass. Simply plugging in a physical device that can be [acquired] from any number of legitimate outlets demonstrates that the bar required to be a ‘cyber-criminal’ is probably at its lowest level.” The fact that banks and security experts can’t agree on the level of sophistication that this foiled plot poses should worry customers that expect strong security measures for their assets. Through creating completely private infrastructures on Crypton and uploading sensitive information to a private cloud, banks can ensure that data is kept safe, even when accessed remotely from approved users.
Keeping Customer Data Safe With SpiderOak
For most banks, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides banks with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.
SpiderOak protects sensitive customer data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, banks can rest easy knowing that their customer data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.