Using external data storage and third-party digital technology clearly puts banks on hackers' radar, Korbinian Ibel, director general of the European Central Bank's supervisory arm, told reporters.
Compromising on device hygiene will result in accidents "especially in the cloud," Ibel told Bloomberg. Even though cloud services are better protected than in-house systems, they are "juicy targets" for hackers because of the business they handle.
The warning came from first-hand experience.
Unauthorised third parties hacked the ECB's Banks' Integrated Reporting Dictionary (BIRD) website, stealing email addresses and other contact information on 481 subscribers and prompting the bank to shut down the website indefinitely.
"The breach succeeded in injecting malware onto the external server to aid phishing activities. The external BIRD website has been closed down until further notice. Neither ECB internal systems nor market-sensitive data were affected," said an ECB announcement last week.
SC Media UK reported earlier this month that the financial services sector is on its toes after reports of more breaches and security shortfalls internationally in the wake of the Capital One disclosure.
"The financial services sector is frequently targeted by malicious attackers, due to the nature of the data it receives, shares and manages. The European Central Bank (ECB) is the latest victim," said Egress CEO Tony Pepper.
"It’s important the 481 BIRD subscribers who have had their details compromised be extra vigilant going forward. The compromised email addresses that have been taken from the server could be used in future phishing attacks by malicious actors, enabling them to gain further pieces of personal data or trick recipients into downloading malware to their systems," he warned.
Financial institutions are increasingly becoming targets of watering hole attacks, where their websites are hijacked and are used to pollute visitors’ browsers, said Rick McElroy, head of security strategy at Carbon Black. "This tactic is increasing in the wild as cyber-criminals recognise the implicit trust consumers have in bank brands."
The BIRD subscribers should be on the lookout for any message that seems suspicious, with telltale signs such as incorrect branding or poor grammar, said Pepper. "In addition, they shouldn’t click on any suspicious links contained in these emails; instead, they should hover their mouse over it to see if the address matches the link displayed or if possible, open the site via another window."
Europe has so far been relatively safe from a hack as large as Capital One. However, that may change as European banks undergo digital transformation to cut costs and make up for the revenue dip caused by lower interest rates, said the Bloomberg report. Recent reports by SC Media UK show that cracks are already visible, and having a standard defence system in place hardly guarantees immunity.
"Financial institutions like the European Central Bank typically have a more robust cyber-security posture than peers in other verticals. However, this does not make them immune to cyber-attacks," said McElroy.
"While cyber-attack simulations using red teams, like the ones the European Central Bank deployed, are good in theory, they are limited in scale and not nearly comprehensive enough to conduct a thorough assessment of third-party risk," said Laurie Mercer, security engineer at HackerOne.
"Hacker-powered security, or crowd-sourced security, can provide that degree of scalability due to the number of hackers involved in continuous testing of an organisation’s attack surface," he suggested.