ENISA and the cybercrime battle

3 July 2012

The threat landscape for European banking remains as unpredictable and dangerous as ever. Professor Udo Helmbrecht, executive director of ENISA, tells Future Banking where anti-fraud teams should focus their activities.

With the evolution of new banking channels comes the need to be prepared against attacks and to be nimble enough to react effectively when breaches occur. Cloud computing and social networks, for example, can open the door to many innovative threats from organised crime that compromise financial systems and defraud institutions and customers.

ENISA, led by its executive director Professor Udo Helmbrecht, is casting its net widely in an effort to get financial systems as close to 100% secure as possible. Perfection, he admits, is never going to be attainable, but he's always trying to win the war through cumulative battles.

Banks and financial institutions have, as he says, "high visibility" when it comes to attack but, despite significant vigilance by many, he still doesn't believe there is enough industry-wide strategic cohesion on cybersecurity, particularly given the speed at which criminals can develop new techniques.

Cross collaboration

So there are calls to redouble efforts to strengthen European and international collaboration in much the same way that BIAN's service-orientated architecture (SOA) is helping to integrate banking services across Europe.

"This is a good approach," says Helmbrecht about the SOA initiative. "It's a central point for updated knowledge and cooperation, and promotes dialogue between different European institutions in the banking sector like service providers and software vendors to promote security."

He remains confident, in the light of current efforts by the European Commission to collaborate with, for example, the US Department of Homeland Security and Europol, that disparate governmental and market systems can be coordinated in order to combat cybercrime. ENISA recently published a report urging all EU Member States to agree on a definition of cybersecurity that precisely targets common objectives within the EU.

Cross collaboration between industries, however, wouldn't necessarily be an effective way forward.

"In Europe, we are looking at common market challenges," says Helmbrecht. "So we're looking at internet security and cybercrime. If you go to the military, for example, this is NATO and much broader and not in the focus of the Commission. Industries are more tailored to sectors. With the energy industry's integration structure, it's different from manufacturing and banking. So you have more discussion cross-sector-wise rather than across industries, depending on the topic."

Specific to banking, the principal security challenges for many chief information officers continue to be credit card theft and phishing attacks. Although these kinds of attacks are decades-old, Helmbrecht emphasises that ENISA still has to be vigilant, as there is always more to do to secure infrastructure.

A case for biometrics

An emerging focus is on biometric security. Fingerprinting and face recognition are commonly integrated into passport and border controls but implementation in other fields has been slow.

"I think what's missing is having a broader deployment of biometrics," says Helmbrecht. "If you look today at the technology used in banking, you have advanced chip and PIN. But with biometrics, which has proved to give better IT security, it isn't deployed enough currently."

ATMs, for example, offer the opportunity to introduce biometric elements on bank cards and in the cash machines themselves. The fundamental question is at which point the balance between the risk and the cost of combatting it makes it worthwhile for CIOs to sign off the investment.

Helmbrecht sees the next logical step forward for biometrics as being a replacement for magnetic strips on cards, so it's only a matter of time.

"When the technology reaches the point of being cost-effective to do and reliable, then it will be done," he says. "But it's not there yet."

Mobile challenge

Very much a current issue is the growing convenience and prevalence of contactless payments, and the security loopholes these can generate. With near-field communication, the business case for the future is to enable mobile phones for payments. The question is then how to secure mobile devices, and for ENISA, this is where the big challenges lie.

At the same time, the desire of banks to engage with their customers more through social media opens up another realm of security issues.

"I think the basic message from social media discussion is that it changes our daily business and private lives, and immediately you have the issue of data protection and tracking of information," explains Helmbrecht.

"The business model, of course, needs your personal data to monetise it, so this is where you have security and privacy issues. The challenge is how to handle the different interests of data protection. Social media really changes the landscape. It has new risks but a lot of opportunities for new business."

The risk does not necessarily lie in the primary engagement with the customer but more in the ability of fraudsters to assemble information on a customer from an increasing number of available sources.

"As social media channels become more prevalent there are more opportunities for criminals to seek out your information and put it together in a harmful way," says Helmbrecht. "So users need to be aware of how much personal information is out there."

Threats and opportunities come from all directions. The question of winning the war against cybercrime is a difficult one, but Helmbrecht is very clear about the answer.

"We are doing a lot of things with a lot of political support," he says, "and I'm confident we will be very successful."

Professor Udo Helmbrecht has been the executive director of ENISA since October 2009, where he presides over scientific and technical matters. Prior to this, he was president of BSI, the German Federal Office for Information Security, for six years.