Yet another Freedom of Information Act request submitted to the Financial Conduct Authority (FCA) has exposed cyber weaknesses in the financial services sector. Whilst the FCA refused to deal with several specific questions on grounds of confidentiality, it confirmed that in November 2018 four different UK banks were targeted by attackers. In total, £1,169,758.82 was stolen from customer accounts through the exploitation of a well-documented weakness in mobile telephone networks.
Signalling System 7
The November 2018 attack was perpetrated by exploiting a weakness in mobile networks’ Signalling System 7 (SS7). In summary, the SS7 protocol defines how network elements in a public switched telephone network exchange information over a digital signalling network. SS7 also carries the signalling between different mobile telephone networks (for example when a subscriber roams abroad). Because the protocol was designed for a closed group of trusted operators, it does not authenticate the network that sends a message; anyone with access to the signalling network, whether a rogue operator or a party that has bought or hijacked an interconnect, can use it to read text messages, listen to telephone calls and track the whereabouts of users by the mobile phone mast they are connected to.
The customers’ mobile banking access was compromised in two stages. First the attackers obtained the customers’ log-in details. Then, because banks commonly confirm a log-in with a one-time code sent by text message or by an automated call to the registered mobile number, the attackers set out to intercept those codes: it is believed that they used SS7 messages to have the victims’ telephone numbers registered to equipment under their own control, so that when they attempted to log in the bank’s verification code or call went to them rather than to the customer. Once falsely verified, the attackers had access to the customer’s bank account and effected money transfers, in many cases completely emptying the accounts. Nothing on the customer’s handset needs to be infected for the second stage to work; the redirection happens inside the telephone network, and the victim typically notices at most a brief loss of service.
An accident waiting to happen?
It is clear that security vulnerabilities in the SS7 protocol were widely reported before 2018, raising the question of whether or not this was an accident waiting to happen.
In December 2014, security researchers presented the weaknesses in the SS7 protocol at the Chaos Communication Congress, a hacker conference in Hamburg. In 2016, the security researcher Karsten Nohl publicly demonstrated the remote surveillance of US Congressman Ted Lieu (who was in California at the time) from Berlin, for a television programme, by exploiting the SS7 protocol. Congressman Lieu later called for an oversight committee investigation into SS7 vulnerabilities.
Then, in 2017, customers of Germany’s O2-Telefonica network were the target of a two-stage attack (banking credentials stolen first, SS7 then used to redirect the one-time codes sent by text message) in which the method later thought to have been used in November 2018 was successfully deployed to empty bank accounts.
Finally, in March 2018, guidance was published on detecting attacks that exploit the SS7 protocol through the use of open-source monitoring software, some eight months before the November attack.
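To make the detection point concrete, the following is an added example and is not code from the original article, from the guidance it mentions or from any bank or operator. It implements the two checks a home network’s signalling monitor or firewall would apply to the redirection step described above: an UpdateLocation (the message that tells the home network which visited network now serves a subscriber, and therefore where to deliver their text messages) arriving from a signalling point that is not a known roaming partner, and a subscriber being re-registered in a different country too soon after their last registration to have travelled there. The log format, the partner list, the subscriber identities, the global titles and the 60-minute window are all invented for the example; a real deployment would take the partner list from the operator’s roaming agreements and would reject, not merely log, the suspect message.

```python
"""Toy SS7 signalling-anomaly detector (added example, not from the article).

Reads a constructed, pipe-separated log of MAP operations as a home
network's HLR or STP might export them and flags UpdateLocation messages
that look like the redirection step of an SMS-interception attack.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class MapEvent:
    ts: datetime
    opcode: str        # MAP operation, e.g. UpdateLocation
    imsi: str          # subscriber identity the message concerns
    calling_gt: str    # global title of the network that sent it
    country: str       # country of that sending network


# Hypothetical list of global titles belonging to the home operator and its
# roaming partners.  In practice this comes from the roaming agreements.
KNOWN_PARTNER_GTS = {"447700900001", "447700900002", "33600000001"}

# A subscriber registering in a different country within this window of
# their previous registration cannot have travelled there.  Assumed value.
MIN_TRAVEL = timedelta(minutes=60)

# Constructed sample log (chronological).  Subscriber ...001 registers at
# home and three minutes later is pulled to an unrecognised foreign network;
# subscriber ...002 is a genuine roamer who turns up in France hours later.
SAMPLE_LOG = """\
2018-11-05T08:40:00Z|UpdateLocation|IMSI=234990000000002|callingGT=447700900001|country=GB
2018-11-05T09:12:01Z|UpdateLocation|IMSI=234990000000001|callingGT=447700900001|country=GB
2018-11-05T09:14:30Z|SendRoutingInfoForSM|IMSI=234990000000001|callingGT=447700900002|country=GB
2018-11-05T09:15:02Z|UpdateLocation|IMSI=234990000000001|callingGT=999100000001|country=ZZ
2018-11-05T14:05:10Z|UpdateLocation|IMSI=234990000000002|callingGT=33600000001|country=FR
"""


def parse_event(line: str) -> MapEvent:
    """Parse one line of the constructed log format into a MapEvent."""
    ts, opcode, imsi, gt, country = line.strip().split("|")
    return MapEvent(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        opcode=opcode,
        imsi=imsi.split("=", 1)[1],
        calling_gt=gt.split("=", 1)[1],
        country=country.split("=", 1)[1],
    )


def detect(lines, partners=KNOWN_PARTNER_GTS, min_travel=MIN_TRAVEL):
    """Return a list of alert dicts for suspicious UpdateLocation messages."""
    last_seen = {}   # imsi -> (timestamp, country) of last accepted registration
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.opcode != "UpdateLocation":
            continue   # only the registration message moves SMS delivery
        suspicious = False
        if ev.calling_gt not in partners:
            suspicious = True
            alerts.append({"imsi": ev.imsi, "ts": ev.ts.isoformat(),
                           "rule": "unknown-interconnect",
                           "detail": f"UpdateLocation from GT {ev.calling_gt}"})
        prev = last_seen.get(ev.imsi)
        if prev and prev[1] != ev.country and ev.ts - prev[0] < min_travel:
            suspicious = True
            alerts.append({"imsi": ev.imsi, "ts": ev.ts.isoformat(),
                           "rule": "impossible-travel",
                           "detail": f"{prev[1]} -> {ev.country} in {ev.ts - prev[0]}"})
        # A firewall would reject the suspect message, so the subscriber's
        # accepted location does not move; mirror that here so further
        # rogue updates are still compared against the genuine location.
        if not suspicious:
            last_seen[ev.imsi] = (ev.ts, ev.country)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script it prints two alerts, both for subscriber 234990000000001; the genuine roamer produces none because the French network is a listed partner and more than an hour has passed since the home registration. The impossible-travel rule is deliberately kept because the unknown-interconnect rule alone is defeated by an attacker who sends from a compromised partner’s global title.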
It is not known whether or not the banks in question were aware of the precise vulnerabilities in the SS7 protocol. We wait to see whether the FCA takes any enforcement action and/or whether the banks are able to justify the security protocols which they had in place at the material time.
FCA and ICO leading charge on cyber and data security
In the last few days, we have published several blog posts following two successive announcements by the ICO concerning hefty fines for breaches of the GDPR. Whilst the FCA has not itself imposed any sizeable fines against financial institutions since October 2018 (when £16.4m was levied against Tesco Bank), the regulators are clearly clamping down on information and cyber risk.
In a joint statement, the FCA and ICO have confirmed that the GDPR does not impose requirements which are incompatible with the rules contained in the FCA Handbook. On the contrary, many requirements are common to both frameworks and the two regulators have made clear that they will work closely together.
Whilst the ICO will continue to regulate compliance with the GDPR, these requirements are also something the FCA will consider under its own rules. A good example of this is the Senior Management Arrangements, Systems and Controls (SYSC) module of the FCA Handbook, which obliges financial institutions to establish, maintain and improve appropriate technology and cyber resilience systems. Furthermore, under the Senior Managers and Certification Regime (SMCR), senior managers will be held personally to account for inadequate cyber resilience.
In a bid to improve its security and comply with looming anti-fraud legislation, Lloyds Banking Group has just announced that it has struck a deal with a cyber security start-up to add an extra level of verification for all transactions over £30. The Payment Services Regulations 2017, which implement the revised Payment Services Directive (EU) 2015/2366 (PSD2), can be found here; the strong customer authentication requirements made under them apply from September 2019.
At any rate, it is clear that Financial Institutions are facing an uphill struggle when it comes to the fast-moving world of cyber-crime, including the need to keep up with industry regulators as well as legislation. We suspect it will only be a matter of time before the cyber security world is shaken up once more.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.