When news broke in August that a cyber virus dubbed ‘Gauss’ attacked bank accounts in the Middle East, with the vast majority being Lebanese accounts, senior management at local banks must have said to themselves “just when you thought it couldn’t get worse.” With the banking sector’s challenges already piling up — from a war in neighboring Syria to dwindling domestic economic growth to increased international scrutiny — banks now had to add a cyber war to their lingering list of concerns.
Kaspersky Lab, a Moscow-based information technology (IT) security vendor, discovered the Gauss virus and claimed it began operating in September 2011, attacking around 2,500 machines in the Middle East, of which 1,600 were in Lebanon. According to Kaspersky, Gauss is capable of stealing browser history, cookies, passwords and system configurations as well as accessing credentials for various online banking systems and payment methods, targeting the clients’ bank accounts and not the servers of the banks.
Kaspersky claims that six Lebanese banks saw their clients’ bank accounts affected by the cyber virus: Bank of Beirut, Byblos Bank, Credit Libanais, BLOM Bank, Banque Libano-Française and Fransabank. The total number of online accounts in Lebanon is not readily available information — neither the Association of Banks in Lebanon nor Banque du Liban (BDL), Lebanon’s central bank, was able to provide this information (“Banks do not provide us with the number of online accounts, merely the total accounts,” says a spokesperson at the BDL). A chief information officer at a leading local bank, however, assumes this figure does not exceed 300,000.
In response to this cyber virus, BDL provided security recommendations to the banking sector in order to prevent future attacks and limit the spread of the virus. “For instance, if there is no need for a USB, don’t use it; if you have to use it, do a scan before opening it,” says Zeina Assi, head of the IT security division at BDL. She claims that the impact on the banks was limited but “there was theft of information of course.” The central bank cannot dictate which software banks use; its role is merely to recommend certain security measures to the IT teams of the local banks, which are responsible for implementing the necessary measures to protect the banks and their clients.
BLOM Bank’s chief information officer Antoine Lawandos claims that their customers were not impacted by the Gauss virus because of the technology offered to their clients when they access online accounts. To log in to eBlom, clients must input two factors: a password as well as a four-digit one-time-password (OTP) sent to their mobile phones via SMS — in IT security jargon, this is called “dual authentication”. “So even if the client’s PC has been infected by Gauss, his digital identity could not be intercepted,” says Lawandos.
Credit Libanais also claims it was not affected. “As far as we know, none of our systems were penetrated and no customer information affected,” says Najib Ghanem, head of IT at Credit Libanais. “We use Virtual Keyboard (think of the iPad’s keyboard for instance) and Volatile Matrix (meaning the numbers on the ‘virtual keyboard’ change places after an input) technology to authenticate clients signing onto our online banking service. These techniques ensure that hackers cannot use ‘keyboard sniffers’ (which track keys entered on a keyboard) to record and steal passwords and PINs [personal identification numbers].” He adds that Credit Libanais considered adopting OTP technology but did not see the need to at this point.
If attacks of this sort are the new face of wars in the Internet age, banks are going to need to increase investment in technology to protect themselves and their clients. “Chances are that there will always be fraudsters who will try to attack banks and financial institutions,” says Lawandos. “As an industry, we are under constant attack from many different directions and every indication is that this is likely to increase in the future,” adds Ghanem.
Deploying appropriate and up-to-date technology to counter the likelihood of attacks means piling up more costs, which have already been mounting this year, from increased regulations to wage hikes imposed by the government. With the sector suffering from falling revenues this year, bearing additional costs is unpleasant, but with more cyber attacks expected, the sector really does not have a choice.