Hackers cost finance companies Rs 7 cr a year

Financial services enterprises in India register losses of Rs 6.9 crore on an average due to security breaches every year. Indian banks, part of the overall financial services segment, saw their losses nearly double to Rs 12.6 crore, according to a new Symantec survey.

According to the findings, 67 per cent of respondents experienced a data breach that resulted in lost man- hours, while 61 per cent lost customers. About 80 per cent of respondents faced downtime due to online attacks, and took an average of four hours to resume normal operations.

The threats targeting financial information include W32.Sality.AE, one of the most prevalent threats in recent times. It spreads by infecting executable files and attempts to download potentially malicious files from the internet. The operators of this botnet are capable of stealing banking information. One also has to be wary of ‘Tatanarg’, a Trojan that attempts to steal information from the compromised computer. It specifically targets internet banking accounts.

Infostealer.Bancos variants, on their part, are malicious software programmes that steal confidential financial information, collect email addresses, and delete predetermined files from compromised machines. Zbot, also known as Zeus, is a malware package that allows the most novice hackers to easily steal online banking credentials and other online credentials for financial gain.

Cybercrime is typically perpetrated by botnets, which can be used for a variety of purposes—denial of services attacks, mail relays for spam, click fraud, and malware implementation. It is also possible for cybercriminals to subcontract these services, which are cheap. India ranks high on the cybercriminal's radar, ranking second for malicious code globally in 2010, according to Symantec's latest Internet Security Threat Report. The Symantec Critical Infrastructure Protection Survey 2010 revealed over half of India's critical infrastructure providers were victims of cyber attacks.

In 2010, McAfee detected an average of 60,000 new pieces of malware each day. The countries most targeted were China (17.09 per cent of all attacks), Russia (11.36 per cent), India (9.30 per cent), the US (5.96 per cent) and Vietnam (5.44 per cent). As social networking sites like Facebook and Twitter started to take off, cybercriminals realised they could get their hands on a wealth of personal information if they played the game right. Recently, researchers from the Indraprastha Institute of Information Technology, New Delhi, and the University of Illinois in the US created a stegobot, a new generation botnet that can exploit Facebook images and steal information from unsuspecting users.

“Chief information officers at financial services enterprises in India are concerned about the security of their information and the related losses, leading to attention towards governance of information technology. Reserve Bank of India guidelines, the impending Basel III compliance and the IT (Amendment) Act 2008 regulations are compelling the financial sector to take a closer look at how it secures and manages information,” said Ajay Goel, managing director (India and Saarc), Symantec.

The Symantec survey says financial institutes are under attack from three sources---the malicious insider, the negligent insider and external attackers. Almost 23 per cent respondents faced external attacks, including phishing, and theft of proprietary data. Since November 2010, all phishing attacks on Indian brands have targeted the banking sector.

Add to this a sudden spurt in e-commerce and mobility. Almost 81 per cent offer internet banking and 69 per cent offer phone baking services. About 11 per cent of the victims experienced accidental disclosure of confidential data through emails. The findings also say regulatory and governance mandate have been the key drivers of the adoption of the IT security framework. Almost 50 per cent of respondents from financial services enterprises in India cited compliance as the primary driver of IT security. In the last 12 months, 31 per cent of respondent banks invested in identity management solutions. They said investment in technologies that address regulatory requirement are likely to continue.