Information and communications technology (ICT) has become a vital pillar of modern knowledge-based economies. New technologies, skills, and procedures are the drivers of the new information society. Technologies improve the productivity and competitiveness of businesses while expanding markets and creating new opportunities for employers and employees. However, the use of technological devices, systems, and networks exposes businesses to different risks, thus the need for investment in information security. Information security is defined as the protection of information, systems, devices, and networks from third parties' access, use, disruption, modification, disclosure, and destruction, and ensuring that the data and systems are always available, confidential, and of high integrity. In the digitally connected financial world, inadequate information security will be akin to putting people's and banks’ confidential and financial data at risk. In this sense, risk refers to security breaches resulting in personal embarrassment, financial ruin, stolen trade secrets, and other serious consequences. Malevolent users can exploit the technologies. In addition, banking technology infrastructure could become a target of organised crime and other malpractices. This paper investigates how the banking industry can develop an effective cyber security strategy, as well as the challenges of adequately protecting against potential cyber-attacks.
Chapter One: Introduction
Background to the Study
Information and communications technology (ICT) has become a vital pillar of modern knowledge-based economies. New technologies, skills, and procedures are the drivers of the new information society. According to Del Gaudio et al. (2021), technologies improve the productivity and competitiveness of businesses while expanding markets and creating new opportunities for employers and employees. However, the use of technological devices, systems, and networks exposes businesses to different risks, thus the need for investment in information security. AlGhamdi, Win, and Vlahu-Gjorgievska (2020) defined information security as the protection of information, systems, devices, and networks from third parties' access, use, disruption, modification, disclosure, and destruction, and ensuring that the data and systems are always available, confidential, and of high integrity. In the digitally connected financial world, inadequate information security will be akin to putting people's and banks’ confidential and financial data at risk. In this sense, risk refers to security breaches resulting in personal embarrassment, financial ruin, stolen trade secrets, and other serious consequences (Akhtar, Sheorey, & Bhattacharya, 2021). Malevolent users can exploit the technologies. In addition, banking technology infrastructure could become a target of organised crime and other malpractices. This paper investigates how the banking industry can develop an effective cyber security strategy, as well as the challenges of adequately protecting against potential cyber-attacks.
Digitally connected networks, such as those in the banking and financial sectors, are vulnerable to a variety of threats. According to Ferdousi (2020), vulnerabilities in software applications can expose the system or network to attack from outsiders. Third parties can generate malware that allows unauthorised access and modification, jeopardising the integrity, availability, and confidentiality of ICT systems and networks. Additional threats to information security are privacy breaches, e-mail spam, electronic warfare, cyber terrorism, pirated computer viruses, and industrial espionage (Uddin, Ali, & Hassan, 2020). Businesses can no longer ignore cyber threats due to the consequences they pose to the business's critical infrastructure as malware becomes more sophisticated. Accordingly, businesses and countries should implement proper information security management as part of their due care and diligence. The reliance of the banks on information technology to perform basic functions has increased the value of ICT to these businesses (Eisenbach, Kovner & Lee, 2022). Some of the IT-based transactions in modern banking include internet and web transactions and money transfers. Major banks conduct millions of electronic transactions in a single day (Herrera Luque, Munera López, & Williams, 2021). These huge volumes of digital transactions expose these banks to fraud and cybercrimes.
Confidentiality and integrity should be prioritised in good banking IT systems. Employees should be able to access services from remote locations, but they should also have confidence that an unauthorised third party will not gain access to their data or financial information (Del Gaudio et al., 2021). Confidentiality, security, and integrity of bank accounts improve the trust and satisfaction of customers. It is important to note that banking IT systems enhance the efficiency of employees’ activities and customer transactions. Unfortunately, remote access to a banking network exposes the bank to numerous vulnerabilities, creating difficult security challenges for the network administrator (AlGhamdi, Win & Vlahu-Gjorgievska, 2020). As a result, the banking information security system should identify cyber threats from electronic transactions, develop appropriate policies to respond, and implement ICT security on electronic transactions by the business and its customers.
Statement of the Problem
Cyber-attacks against banks and other financial institutions are becoming more rampant, widespread, and sophisticated. While the major financial institutions generate the most headlines in terms of cyber-attacks and risks, smaller financial institutions such as credit unions, money transmitters, community banks, and third-party service providers have also experienced breaches in the past (Uddin, Ali, & Hassan, 2020). The increasing frequency and severity of cyberattacks can be attributed to unfriendly states seeking intelligence, hackers disrupting systems, cyber gangs, and other organised crime groups. These criminal groups take over accounts and funds, facilitate ATM thefts, and use other mechanisms (Herrera Luque, Munera López, & Williams, 2021). The falling cost of technology has also coincided with the increase in cybercrimes, as it has become easier and cheaper for criminals to seek new ways of perpetrating cyber fraud. The black market for stolen data also encourages wrongdoers. Ferdousi (2020) showed that the highly interconnected banking systems and networks also pose cybersecurity challenges. Although there is no perfect solution to cybercrime, banks should always strive to minimise and manage cyber threats to ensure safe and secure banking systems.
Research Objectives
The objectives of this study are:
i. To assess the ICT security threats facing financial transactions in cyberspace.
ii. To discuss the factors that influence cyber security threats in the banking sector.
iii. To create a cyber-security model for banks' adoption of ICT security on electronic transactions.
Research Questions
This research answered the following research questions:
1. What are the security threats that banks face when offering electronic services in cyberspace?
2. What are the factors that influence the security threats associated with electronic banking transactions?
3. How do banks respond to the identified cyber security threats?
Significance of the Study
The findings of this study are important for various stakeholders, including government policymakers, banking sector management, and the general public. Policymakers will use the findings to identify the weaknesses of the IT implementation procedures and recommend improvements. The findings could assist top bank executives in understanding the benefits of allocating budget and resources to the ICT department and investing in appropriate cybercrime technologies. They help bank managers prioritise ICT security and increase management’s involvement in ICT security. They will also benefit the general public by increasing their understanding of cyber security practices and how to avoid cybercrime cases and issues.
Definition of Terms
Cybersecurity - Refers to actions a person or organisation takes to protect systems, networks, and programmes against digital attacks.
Cybercrime - Refers to activities that involve the access, manipulation, and destruction of data, the extortion of users’ money, and the interruption of normal business processes by remotely or digitally attacking devices, systems, or networks.
Electronic transactions - Refer to selling or purchasing goods or services over electronic networks or the internet.
Malware - Refers to intrusive software developed by cyber criminals or hackers to steal or destroy computers, electronic devices, systems, and networks.
Chapter Two: Literature Review
Electronic transactions have become an important pillar of banking businesses as the world continues to advance technologically. These advances have considerably changed conventional banking practices as banks around the world adopt electronic transactional banking (Del Gaudio et al., 2021). This literature review critically evaluates the previous relevant literature on cyber threats to banking electronic systems. It describes banking sector innovations and their implications for cyber security in the sector. It examines the banking sector's vulnerability to cyber threats and how banks can improve their cyber security.
Cybersecurity Threats
Information technology security entails safeguarding data and information systems against unauthorised access, use, disclosure, disruption, modification, and destruction in order to ensure availability, integrity, and confidentiality (AlGhamdi, Win, & Vlahu-Gjorgievska, 2020). Customers’ search for convenience has led to the massive evolution of electronic transactions as banks strive to cope with the increasing customer demand. With this dynamic evolution, banks are now hugely exposed to various threats as they grow in sophistication. Akhtar, Sheorey, and Bhattacharya (2021) indicated that banking systems are becoming vulnerable to attacks from all over the world. The threats to banking systems range from infiltrations of their infrastructure to data breaches and spear phishing. Online threats vary, and they target any organization, large or small. In this regard, a "cyber-security threat" can be defined as any malicious act seeking to steal, damage, or disrupt data or the digital life of the organisation (Ferdousi, 2020). The most common examples of cyberattacks include denial-of-service (DoS) attacks, data breaches, and computer viruses or malware.
A cyberattack against any organization's digital devices can be launched via the Internet. Uddin, Ali, and Hassan (2020) described cyberspace as the virtual space where digital activities take place, including the designing and implementation of digital weaponry intended to hurt organisations and individuals. Cyber attackers have varying intentions, including causing nuisance, stealing financial and digital resources, harming the organisation’s infrastructure, and threatening human lives. Around the world, cyber-attacks have resulted in electrical outages, failures of military hardware and software, and national security breaches (Eisenbach, Kovner & Lee, 2022). These attacks can also result in the theft of sensitive and valuable data, such as medical and financial records, from unsuspecting people. Some of the attacks disrupt computer networks and make important information unavailable. As a result, Herrera Luque, Munera López, and Williams (2021) concluded that cyber-security risks were present in all organizations. In this regard, all organisations using digital devices or resources should invest in some form of IT security controls. Business leaders, including bankers investing in digital business initiatives, must acknowledge technology-related risk choices and how to respond to them.
For the banking businesses to remain profitable, the banks should embrace new transactions to help them perform their different strategic priorities. However, the available technologies for electronic transactions are not secure. As such, electronic and online payment systems are susceptible to various security risks. According to Akhtar, Sheorey, and Bhattacharya (2021), there are several risks that surround electronic transaction systems, thus putting sensitive customer data such as account details and PIN numbers under serious threat of tampering. Uddin, Ali, and Hassan (2020) classified cyber-security threats into three main categories of intent, i.e., financial gain, disruption, espionage, and theft of data. In terms of attack strategies, Ahsan et al. (2022) identified several options that attackers can use. For example, a phishing attack is an email-borne attack involving tricking the email recipient into disclosing confidential data or downloading malware by clicking a hyperlink on the message. Spear phishing is a more complex form of phishing where the attacker studies the victim and impersonates a person they know or trust. The "Man in the Middle" (MitM) attack involves the attacker establishing a position between the sender and recipient of electronic messages, thus enabling them to intercept them and change them in transit (Eisenbach, Kovner & Lee, 2022). The sender and recipient are made to believe that they are communicating directly with one another.
An external party can insert malicious code to extract the card details when the customer is entering them, so banks must invest in efforts to ensure confidentiality and integrity. A Trojan is a type of malware that disguises itself as standard software and then releases malicious code into the host system (Eisenbach, Kovner, & Lee, 2022). Ransomware is an attack that entails encrypting data on the target system and demanding a ransom before letting the user access the data. The attacks could range from low-level nuisances to serious incidents, such as lock-downs of the entire system. Attacks on Internet of Things (IoT) devices are another common type of attack. IoT devices such as phones and portable computers are vulnerable to different kinds of cyber-attacks (Walker-Roberts et al., 2020). The attacker may target these devices to access certain types of data from the person or organization. These devices contain data such as social security numbers, geographical locations, and other private information. Malware can also be sent to mobile devices in the form of mobile apps. Attackers embed malware in app downloads, mobile websites, and text messages (Happa, Glencross, & Steed, 2019). Once the device is compromised, they can access the information that they need.
Another type of cyber-security threat is a data breach. A "data breach" refers to the theft of data by a malicious actor. Some of the motives for data breaches include identity theft, embarrassing the institution, and espionage (Ahsan et al., 2022). Additionally, operational risks make numerous electronic transactions a significant threat. Operational breaches target digital signatures, public key encryption, cryptographic techniques, firewalls, and access control. These vulnerabilities increase the threat that banking systems face in the contemporary world from invisible enemies. However, the banks also face threats from the inside, i.e., insider threats. Walker-Roberts et al. (2020) defined insider threats as deliberate, malicious activities undertaken by the current employees where the privileged users of the systems gain unauthorised access, co-opt other users’ access privileges, and enable attacks on the systems. The reasons for these insider attacks could include gaining access to the company’s competitive advantages, blackmail, and disgruntlement (Maschmeyer, Deibert, & Lindsay, 2021). Unlike external threats, internal threats are more complex, as the perpetrators are more conversant with the banking system.
Another threat to banking electronic transactions is cyber espionage. Unauthorized computer spying is referred to as "cyber espionage" (Happa, Glencross, & Steed, 2019). Cyber espionage involves the deployment of viruses that clandestinely observe and destroy information on the computer systems of government organisations or other organizations, such as financial institutions. In 2014, the United States reported massive cyber-attacks on JP Morgan Chase and other banks, resulting in the compromise of data for 76 million households and 7 million business accounts (Maschmeyer, Deibert, & Lindsay, 2021). Digital transactions have recently become vulnerable to distributed denial-of-service attacks. A denial-of-service (DoS) attack attempts to make the system, machine, or network unavailable for the intended users. Distributed denial-of-service (DDoS) is a type of DoS attack targeting several compromised systems (Maschmeyer, Deibert, & Lindsay, 2021). Banking institutions are becoming viable targets of DDoS attacks, where traditional physical servers and data centres are attacked, leading to an increase in maintenance costs, reduced efficiency, and inconveniences.
ICT Security Threats in Electronic Transactions
Multiple studies indicate that as banks embrace emerging technologies in electronic transactions, they are also assuming several security threats and vulnerabilities. These security threats are attributed to outside factors and the internal bank’s ICT security controls and strategies designed to address the security flaws (Ahsan et al., 2022). While cyber threats cannot be eliminated, they can be managed. Management of cyber threats encompasses periodic reviews of systemic interdependencies and how they influence various critical infrastructure sectors. Human factors also form another challenging component of IT security. Employees' ignorance of the company's security policies, for example, can jeopardise customer data. Demirkan, Demirkan, and McKee (2020) explained that the banking IT security system must prioritise the protection of customer data and ensure that no one can fraudulently access the personal information of customers, employees, and other stakeholders within the bank. Demirkan, Demirkan, and McKee (2020) added that fraudsters use ignorant employees, including customer care agents, to compromise data from unsuspecting customers. Moreover, customers have become increasingly vulnerable due to the increase in mobile banking services.
While laws are designed to deter online criminal activities, the changing and dynamic cyber world makes it increasingly difficult to track and apprehend criminals. As such, the existing laws need constant review to accommodate the evolving nature of cyber threats and attacks (Hasanova et al., 2019). There is a need for stiffer penalties for banking actions that put customer data at risk. Currently, studies show that the information security strategies implemented by banks and governments are insufficient for dealing with threats. Due to this, electronic transactions or services that banks offer are vulnerable to many risks. According to Cilliers (2020), the risk of fraud is one of the primary threats that these transactions face. It is important to note that the computing devices use a person’s identity for authorization in the form of security questions and passwords. These authentications are not foolproof when determining the person’s identity. For example, as long as the password and the security questions match, the system will not care about the person on the other side (Wazid, Zeadally, & Das, 2019). If someone else knows the password and answers the security question correctly, they will be able to access the account.
Risk of payment conflicts is another threat to electronic transactions. The electronic payment systems are automated, implying that humans are not involved in their handling. As a result, the system is prone to errors when handling large volumes of transactions and large amounts of payments on a regular basis with many recipients (Ali, 2019). The user of these systems must, therefore, continually check the payments to ensure everything is accurate. Failure to countercheck the payments may result in payment conflicts due to anomalies or technical issues. Electronic transactions are also vulnerable to backdoor attacks. Backdoor attacks refer to the type of attack that allows the attacker to access the system by bypassing the normal authentication mechanisms. The mechanism works effectively in the background and hides from the user, thus making it difficult to detect or remove. In addition, electronic transaction systems could be vulnerable to denial-of-service (DoS) attacks. DoS attacks refer to a type of security attack where the attacker acts in a manner that prevents the legitimate user from accessing the system (Cilliers, 2020).
[...]
- Quote paper
- Anonymous, 2022, Cybersecurity in Banking, Munich, GRIN Verlag, https://www.grin.com/document/1305834