Since the late ’90s in Canada, bank robberies have been on the decline; between 1998 and 2008, such incidents decreased by 38 percent, according to a report by Statistics Canada. While robberies are still a risk factor for banks and financial institutions across the country, time and technology have brought other security risks to the forefront.
Fraud, while not a new risk factor, is rapidly changing and now encompasses a wide range of possibilities, such as internal and external fraud, card-skimming or ATM fraud, and other cyber fraud. With the explosion of online banking and the continual offering of new online/mobile services, fraud remains one of the main security risks for banks.
Cybersecurity, which overlaps with fraud in many instances, is another risk that has expanded and continues to increase in complexity, encompassing outside or inside cyber attacks, ransomware, and sophisticated phishing campaigns.
Yet another recent risk is social activists disrupting retail banking hours or threatening bank executives. Activists have made headlines for chaining themselves to banks and blocking entrances in protest of banks’ financing of the Dakota Access Pipeline, for example.
At the corporate level, financial institutions in Canada are interested in doing whatever they can to protect data centers and other sensitive areas in those buildings, say industry sources. At the retail level, financial institutions are interested in keeping their customers, staff and assets safe, while facilitating quick, efficient investigations.
To combat these changing and evolving risks, industry sources are seeing several trends in security measures at both the corporate and retail levels, including an increased sophistication of systems, such as surveillance and access control.
“The biggest trend I would say for the past decade is the growth in video surveillance,” says Richard McMullen, partner - security solutions at FCi in Ottawa, Ontario, which provides security to a number of credit unions in its area. Technology, including IP as well as better storage options, has enabled banks to retrieve and manage clearer video faster than ever, and to ease and speed up investigations into fraud and other incidents.
At the retail level, surveillance can help with investigations and the overall security of vaults or safety deposit rooms, as well as with vagrancy in vestibules and ATM areas, which is a problem for many banks during the harsh Canadian winters.
On the access control side, industry sources are seeing expanded use of analytics and biometrics, as well as a shift away from PIN codes and cards.
Banks are looking at more sophisticated access control. “There is definitely a move away from PIN codes since they can be shared, so we are seeing things as simple as a keyfob or another way to uniquely identify a person,” notes Peter Dyk, P. Eng. and director of product management and engineering at Tyco Integrated Fire and Security in Mississauga, Ontario.
Some of the technologies being deployed for access control at Canadian banks today include fingerprint scans, iris scans and facial recognition. For example, some bank facilities have implemented in-motion facial recognition technology to save time in high-traffic areas, as well as tighten security.
Many industry sources say that multi-factor authentication is another trend that continues to develop in the banking sector. At the retail level, there is a move toward multi-layer security in places such as safety deposit box rooms. Such measures use one form of security or authentication to get into the room or area, and another to gain access to the actual box.
“On the physical security side, I would say that this trend has been around a bit longer than on the [online] side of things,” says Carol Osler, senior vice president of TD Bank Financial Group, Toronto, Ontario. “I think you are seeing a fair bit of multi-factor authentication on the mobile banking side too as we try to strengthen security controls, so you may see things like iris scan and voice scans there as well.”
What to Do with the Data?
As IP devices and advanced systems continue to proliferate, there is a tremendous amount of data going through financial institutions. This leads to perhaps the biggest security trend right now within banks: integration of systems and data mining. The combination of data from systems and technologies can make a significant impact in combating fraud and facilitating investigations.
While sources say physical integration of security systems – such as access control, surveillance and ID management – is a trend that continues in this space, the unification and dissemination of the data from all these systems across locations and departments is seen as increasingly important for this market, particularly as it relates to fraud and cybersecurity.
“Most of the banks have built their systems with an enterprise focus, but a more recent trend is how do we take all that data and compute it in a meaningful way to give us something to respond to,” Osler says. And, the key word here is meaningful. “The construct of physical and cyber security is still mostly separate because they are both very big jobs, but from a policy and oversight and sharing of data perspective, those two areas are definitely coming together around response, threat and risk assessments in most banks.”
A Communicative Community
On the one hand, the size of Canada’s national banks makes it a challenge to implement systems or technologies enterprise-wide, particularly newer or less cost-effective products. However, the consolidation of the country’s banking system leaves its banks well suited to communicate with one another, share best practices, and facilitate government conversations when it comes to security issues.
“When we look around the world, Canada does have an advantage over those jurisdictions with a fragmented approach to regulation. Canada’s national banking system provides consumers with the same protection and security regardless of where they live. In addition, banks are able to work with national law enforcement and national regulators to address security issues that could take place in multiple provinces and territories,” says Andrew Perez, manager, media relations at the Canadian Bankers Association (CBA).
Through CBA, banks throughout the country communicate with each other, as well as with government and law enforcement. “We all have members that sit on committees and share common problems, resolutions and new ideas,” Osler says. She adds that the CBA provides a good lynchpin for allowing banks to share common information that doesn’t interfere with competitive requirements and allows banks to also get a very real perspective on trends and other issues.
With a very rapidly changing landscape of fraud and other security risks, all of these trends and industry movements – including more sophisticated systems, multi-factor authentication, and data mining – ultimately allow banks to respond quickly when necessary.
“From an overall security perspective, banks and security departments are well positioned to manage threats, however, a challenge that remains for all banks is the speed and persistency from fraudsters to circumvent controls as well as the speed of transactions. We have to continue to look at all aspects of vulnerabilities through traditional lenses but also beyond the obvious. Much more so than in the past, we must remain nimble and react quicker than ever,” Osler says.
Mobile Retail Payments Will Exceed a Combined $220 Billion in 2017
Mobile payments are on the rise around the globe. With the increase in the amount of money being spent via mobile devices, Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy and Research, Toronto, Ontario, says that “mobile payments will experience a rise in fraud that most stakeholders are simply unprepared for.”
The Stakes are High with Cybersecurity
Cybersecurity is a huge challenge for financial institutions. Like many businesses and corporations, banks must worry about potential breaches of their data and their clients’ data on a regular basis. However, banks are a particularly desirable target as they have large sums of money at risk along with sensitive information about their clients and their assets.
“I think our biggest challenge continues to be cybersecurity,” adds Carol Osler, senior vice president financial crimes and fraud management at TD Bank Financial Group, Toronto, Ontario. “It’s a challenge that is rapidly changing, particularly as we continue to offer more mobile services. It creates a bigger landscape for fraudsters to launch attacks and we continue to see a prevalence of cyber-related matters challenging banks.”
Photo caption: With the internet of things becoming an increasingly utilized way to manage accounts and banking services, fraud continues to evolve and poses a risk to financial institutions and their clients. (Photo courtesy of Tyco Integrated Fire & Security)
While large financial systems such as those of Canada and the U.S. spend millions of dollars on cybersecurity, hackers will continue to target banks large and small. In 2016, computer hackers stole $101 million from Bangladesh’s central bank. Later in the year, in December 2016, the Bank of Russia confirmed that hackers stole the equivalent of $31 million, though the criminals had tried to steal more than double that before the central banking authority stopped them and redirected the funds, reports CNN Money.
“Financial institutions are only as safe as their weakest link, and if those surrounding them with access to some of the banks’ data are not protecting themselves correctly, then they become the weak point, and that is a big risk,” says Tony Anscombe, senior security evangelist at global cybersecurity company Avast, with global headquarters in Prague, Czech Republic.
Two of the changes that Anscombe has seen in the past several years have been the introduction of ransomware (when cyber criminals hack or hold on to certain data or parts of a system, only releasing it after receiving a ransom) and targeted phishing attacks called spear-phishing (in which cyber criminals target a specific individual or department for a particular reason).
“Today, criminals are even more sophisticated than the past; the threats have evolved and become incredibly diverse,” notes Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy and Research, Toronto, Ontario. “There’s banking malware online and in the mobile channel, criminals are leveraging remote access through social engineering and even one-time passwords via SMS text are being intercepted as criminals take over mobile phone accounts to have these messages forwarded.”
The complexity and evolution of today’s cyber threats pose a challenge for financial institutions, says Ali Ghorbani, Ph.D., director of the University of New Brunswick Canadian Institute for Cybersecurity. “What has happened in the last several years is mainly that cyber criminals have become more organized. They have moved on from general attacks to more lucrative, focused attacks, particularly in the financial sector,” Ghorbani says.
He says that being more organized has enabled cyber criminals not only to make millions of dollars from financial institutions, but also to put some of the money they make into research and development of even more effective cyber weapons. “This cycle is very lucrative and allows for a constant development of more threats and attacks, which are very hard to keep up with,” Ghorbani explains.
To this end, the size of Canadian banks (of which the largest handful have thousands of locations and overwhelmingly control the majority of assets in the country) gives those banks the opportunity to invest significant money into cybersecurity, and security in all areas, for that matter. According to Andrew Perez, manager, media relations at the Canadian Bankers Association (CBA), the six largest banks in Canada (all of which are members of the CBA) have spent more than $70 billion on technology in the last decade, including on security measures.
In addition to funding, there are several paths that Canadian banks can take to help combat cyberattacks and other cyber-related risks. For one thing, Ghorbani says, formal cyber education and public awareness campaigns are necessary steps into the future.
“Human error is a big part of what is happening in terms of cyber risks, and so the public needs to be educated about what needs to be done to keep them secure. We also need to have people that understand human behavior in cyberspace and develop solutions that take into account all aspects of security,” Ghorbani says.
Ghorbani sees financial institutions turning to a multidisciplinary approach for cybersecurity and fraud prevention, including departments outside of security. “I would say one of the interesting opportunities in the financial sector is there are so many dynamic moving pieces, and it brings up the need to bring groups across the entire bank together to share data and work across intelligence in order to have speed and evolution in resolving threats and bringing about new intelligence,” says Osler of TD Bank Financial Group.
Photo caption: With the increase of mobile and online services offered by banks and other companies, perhaps the biggest challenge for financial institutions today is cybersecurity. (Photo courtesy of Avast)
Frank Palmay, P.Eng., senior counsel and national co-chair of financial services, regulatory and cybersecurity at law firm McMillan LLP, Toronto, Ontario, agrees that a multidisciplinary approach is key for organizations tackling cybersecurity challenges. “The types of attacks and threat vectors have changed, and on the technical side one of the things that has changed is, in the past, the idea was to secure the perimeter with firewalls. What’s going on now is akin to medieval towns that secured themselves with high walls. Once modern warfare found ways to go under, over or through the walls, that kind of protection was no longer sufficient, and that is what is happening with cybersecurity today,” Palmay explains.
Another way in which cybersecurity will evolve, according to Javelin Strategy and Research, is that financial institutions will continue to move toward a system where customers’ behaviors are evaluated in real-time throughout a banking session, while minimizing discrete authentication where users interrupt their activity to prove their identity.
In other words, says Pascual, “that means we will see a greater reliance on machine learning to render real-time decisions based on behavioral analytics and behaviometrics.” The two most significant challenges to realizing this approach across the board, continues Pascual, are for financial institutions to achieve internal buy-in to make the necessary investments for such technologies, and for vendors to improve such solutions enough to make the ROI a “no-brainer.”