“Virtual bank robbery”: Financial regulators warn of cyber attacks

As of: January 23, 2024, 6:25 p.m.

Instead of robbing bank branches, criminals are resorting to cyber attacks. Their entry point is usually not the banks or insurers themselves, but their service providers. What this means for customers.

According to the financial regulator BaFin, cyber attacks are a major danger, especially for financial institutions. The number of incidents has been rising for years, BaFin president Mark Branson said today at a press conference in Frankfurt. “Disruptions do not have to occur at banks or insurers themselves; problems at their IT service providers can also affect the entire system.” According to Branson, companies have outsourced more and more tasks to such providers in recent years, and with that come ever greater dependencies.

The concrete impact this can have was shown in 2023 by a cyber attack on the account switching service provider Majorel, which works with a number of financial institutions such as Deutsche Bank and the Frankfurt-based direct bank ING. According to media reports, the data records of over a hundred thousand customers were stolen.

Sometimes 100 tasks outsourced

According to the bank, tens of thousands of customers at ING alone were affected. Their personal data, including first name, last name and account number, was published on the darknet, according to a statement: “The affected customers were notified immediately and informed about the precautionary security measures taken.” The bank now wants to thoroughly investigate the incident and remains in close contact with the IT service provider.

The cause was a security vulnerability in the MOVEit file transfer software. According to BaFin, thousands of companies worldwide were affected, including numerous German financial institutions and insurers. The financial supervisory authority therefore wants to check more closely in the future which processes service providers are commissioned to carry out. According to BaFin, on average ten tasks are outsourced per company, although for some companies the figure is over a hundred.

BaFin requires banks to have emergency plans

According to Mark Branson, this creates service providers that are almost indispensable to the financial industry and difficult to replace. “They have to get used to very close monitoring,” emphasizes Germany’s top financial supervisor. They would also have to cooperate with the supervisors; however, there have been some bad experiences in that respect in recent years.

The financial regulator also requires the banks that work with such providers to have an emergency plan in case an IT service provider is unable to operate because of an attack. Until now, such a plan has often not existed. In addition, BaFin organizes crisis and emergency exercises and simulates hacker attacks to find out where the supervised banks and their IT service providers are most vulnerable. Last year alone, the IT of twenty financial institutions was examined as part of an audit. Where the auditors found security gaps, they ordered capital surcharges.

The trail ends at the ATM

There are also private companies that attack banks on the banks’ own behalf to uncover vulnerabilities, such as the Frankfurt company Nviso. Cooperation partners could also play a role here, says department head Nico Leidecker: “If I know that a service provider works for this bank, I could pretend to be that service provider and send emails to a bank employee.” This could potentially get the employee to open an attachment, download a file containing malware and execute it.

According to Leidecker, this is one way criminals can gain access to a banking network and, in the long term, to account transactions. They could manipulate these and transfer money from one account to another. In the end, they could withdraw it from an ATM – and in this way the criminals’ tracks could be covered. The IT security expert says the attackers often come from abroad: “But thanks to artificial intelligence, they can still write emails in error-free German.”

Victims of cyber attacks get their money back

If criminals gain access to account or credit card data through data leaks, they could try to use it for online purchases or to pay by direct debit, according to Frankfurt consumer advocate Katharina Lawrence. She therefore advises consumers to check their credit card statements and account transactions carefully. “If you find any transactions suspicious, inform your bank immediately and file a criminal complaint with the police,” says Lawrence.

If it can be proven that someone has fallen victim to a cyber attack and that this resulted in unauthorized direct debits, Lawrence says consumers will get their money back. Consumers can therefore contact their bank retroactively for up to 13 months, and the bank then has to reimburse the amount.

Ursula Mayer, HR, tagesschau, January 23, 2024, 5:00 p.m.