The digital age has seen banks drawn into an intense, brain-melting, 24/7 real-time strategy game against cyber criminals and the cyber curious. Harriet Rees, Head of Data Science, and Simon Waring, Chief Information Security Officer, at Starling Bank, discuss tactics.
As more and more of us trust our finances and transactions to digital technology, an ongoing war of attrition is taking place between the global banking industry and cyber crooks.
It’s a 24/7 conflict with constantly changing battlefields and rules of engagement. Could the next raid on your personal data be initiated by your kettle or fridge freezer, by virtue of their connection to the Internet of Things? Will biometric advances let criminals render still-evolving security measures, like fingerprint recognition, redundant, as even your body parts become too easy to counterfeit to count as secure authentication? And will any smartphone be safe from increasingly sophisticated malware?
This is the financial technology arms race that’s usually conducted behind closed doors. It’s one in which the boundaries between ‘good and evil’ are sometimes blurred for legitimate, tactical reasons.
Take ‘bug bounties’. A small-but-growing number of financial institutions are now willing to crowdsource ‘curious’, as opposed to malicious, hackers (‘security researchers’, to give them their sanitised title) to test the defences of their systems. The researchers are rewarded for disclosing any weakness they detect, in what have become known as bug bounties.
Starling Bank runs a responsible disclosure programme, as Harriet Rees, Starling’s head of data science, explains.
“The disclosure programme is essentially a break-the-bank programme where we invite people to try to break through the security systems. If they can, it allows us to then see where a potential vulnerability would have been.”
The scale of the problem the industry faces is hard to ignore. Between 2017 and 2018, £1.2 billion was stolen through digital scams and fraud in the UK alone. About a third of that (£393 million) was through personal details illegally obtained to make online payments, according to banking trade organisation UK Finance. Incidents of card-not-present (CNP) fraud grew by 49 per cent, while card ID theft leapt by 117 per cent.
So, the conundrum now faced by banks is how to retain customers’ confidence in the security of their digital systems, while continuing to make the user experience as fast and simple as possible.
Getting that balance right is especially critical to newcomers like Starling, which in 2017 became the first digital challenger in the UK to offer an app-only current account with a full banking licence. Its Cloud-hosted technology was developed in-house and runs on Amazon Web Services, with Google as back-up.
Key to Starling’s open banking business model is its Marketplace, which allows select third party providers to link directly with its 820,000 customer accounts over the Starling application programming interface (API). In addition, Starling offers a number of external integrations over third party APIs. Rees says protecting the API from cyber attacks has been a key concern from day one, and the protection is constantly evolving. For instance, in March this year, Starling started to roll out 3D Secure, a one-time password system for online payments by its customers, ahead of the imminent introduction of new EU anti-payment-fraud regulations that make such systems compulsory.
“Fighting cyber fraud and cybercrime is important in every industry today, but we are a digital bank, so it’s our number one concern, and something that our customers feel confident that we are handling appropriately,” says Rees.
The bank benefits from a purpose-built, dedicated interface that securely identifies every third party accessing customer data: each third party’s credentials are unique to it, and so is the level of access it is granted, giving the bank maximum visibility of who is accessing what. Starling would argue that this effectively makes it more secure than the methods used by some other banks.
Thinking the unthinkable
Organisations that have embraced open banking have accepted that a castle-and-moat approach is no longer enough, and that the temptation to ‘do security by obscurity’ is not an option.
Instead, Starling’s penetration testing (or ‘pen testing’, as it’s known) is a combination of sophisticated technology and psychology that brings together the best human and artificially intelligent brains. It is conducted both internally and using external specialists, who are parachuted into the most sensitive areas of the system to see what damage they can do in a controlled environment.
“If we’re thinking like fraudsters and hackers, we have the right mindset, and can then try building the controls to prevent that happening before it happens for real,” says Simon Waring, Starling’s chief information security officer. He explains that automated programmes are used to carry out much of the grunt work of internal testing, but Starling’s software engineers also have to think outside the box – for example, to see what a misplaced letter in a numerical field for a telephone number might innocently unlock. It’s all about revealing the known unknowns in data security.
“We know that this is an evolving space and we always have to be one step ahead of any cyber criminals out there,” adds Rees.
The bank’s born-in-the-Cloud infrastructure gives it a distinct advantage in that regard, says Waring.
“We’ve been able to implement controls a lot more consistently across the board. When we’ve done it once and know it’s working, we can keep testing it in an automated fashion,” he says.
“Being in the Cloud gives us all the tools we need to do that. We’re able to take metadata that shows how our data is used and feed that into AI and machine learning algorithms to detect anomalies. The Cloud allows us to do that at scale. We can plug into different systems, analyse that data to work out what’s being used where and, if something’s not right, we can drill down on it to find out what’s going on.
“We will keep developing our own internal systems, based on Cloud technologies, and the longer we keep doing that, the better we’re going to get at it.”
Mindful of multi-target attacks, like WannaCry, which immobilised systems worldwide, Starling is one of many financial institutions globally that employ external security machine learning software. It monitors metadata from Starling and many other banks and alerts them to emerging threats, even devising patches to eliminate them before a bank falls victim.
Rees adds: “Today, we have masses of data to sift through and analyse, and that allows us to work in a way which is preventative of these sorts of attacks, rather than solely reactive.
“Learning from industry-wide trends, we can put measures in place before they’ve even happened at our door, to make sure that we’re prepared when they do arrive.”
Rees foresees that technology will continue to revolutionise what banks do for their customers, opening up previously unimaginable services. Just last month, Starling added two apps to its Marketplace that help its growing number of small business customers protect their own systems against cyber attack. Insurtech Digital Risks offers cyber insurance targeted to the needs of small and medium-sized enterprises (SMEs), while the CyberSmart platform identifies a business’s digital weaknesses in less than 60 seconds and recommends fixes using a simple online dashboard. It also helps customers achieve Cyber Essentials government certification.
“It’s very exciting to be a financial institution like Starling at the moment, because there’s just so much going on in the fintech and wider banking space,” says Rees. “The challengers have elevated what customers expect from their banks. We now see some of the incumbents rising to that challenge; features we launched a few years ago are appearing in their apps. Do we see it as a threat? No, we welcome it. It’s better for all of our customers. The challenge for us is to keep innovating and keep up the pressure!”