If banks want to fight cyber crime, should they be working with cyber criminals?
US prosecutors have just charged a Russian hacker group called “Evil Corp” with stealing $100 million from institutional and individual bank accounts over the course of a decade.
The group fielded a piece of malware – “Bugat” – that used keylogging software to harvest personal and financial information and created fake banking webpages where victims would unwittingly enter their passwords. While some of the transactions were frozen after banks noticed they were unusual, many weren’t.
It’s clear that banks are lagging on cyber security, and their large, bureaucratic nature makes it difficult for them to keep up with the ever-evolving nature of cyber crime.
So should banks hire hackers?
“It is always important to have expertise involved in identifying, developing and deploying new approaches to combating financial crime,” Dr Richard Harmon, managing director of financial services at Cloudera, told Investor Daily.
“There clearly need to be safeguards and contingency plans put in place with these ‘experts’ to reduce a firm’s exposure, but many have been extremely helpful with several of our customers – including regulators.”
Hackers bring a great deal of expertise to the table that is often lacking in large institutions and can be an invaluable tool for determining weaknesses in cyber security infrastructure.
But while it sounds good, it’s not that simple.
Regulations prevent banks in many parts of the world from hiring convicted criminals, and hackers with the most comprehensive knowledge of cyber crime are those who are most likely to have engaged in it. That eliminates a good amount of useful expertise.
Hiring hackers also poses a number of reputational risks and could raise difficult questions were a security breach to occur.
That said, there are plenty of hackers who don’t have criminal records. Some banks maintain in-house teams of penetration testers tasked with simulating attacks, and several groups offer “ethical hacker” certification.
But if banks do take the step of hiring hackers, they should only do it as a stop-gap measure.
“My personal view is that the value of this type of expertise will diminish over time as more modern financial crime platforms get deployed into production,” Dr Harmon said.
Dr Harmon believes those financial crime platforms will be heavily data-driven and employ the latest advances in machine learning and artificial intelligence to monitor, detect and prevent criminal activity.
“Criminals are also constantly innovating, and criminal networks are pervasive in their determination to identify and exploit business vulnerabilities,” Dr Harmon said.
“Their ability to constantly evolve means new dynamic approaches are required to disrupt the cycle of financial crime.”