Mesrine has gone out of fashion. The shattering entrances of gun-toting bandits into bank branches have been followed by the clicking of hundreds of computer keyboards, operated by hackers from Los Angeles, Beijing or Moscow. The new target is no longer the vault, but the computer system that controls and directs financial flows. This makes the robberies less spectacular, but much more effective. In 2016, the central bank of Bangladesh was robbed of nearly $81 million after hackers infiltrated its system and obtained certificates authorizing the transfer of funds.
The concept of a safe is written in banks' DNA. This is why banks were sensitive to digital security issues earlier than others. “Along with defence, the banking world is the first ordering party in terms of cybersecurity,” points out Jacques de La Rivière, founder of Gatewatcher, which designs tools for detecting cyberattacks. Banks protect themselves against two types of intrusions: virtual robbery, which damages their reputation the most, and ransomware, which targets their information system.
Vital role for the nation
In 2013, the military programming law identified French systemic banks (BNP Paribas, Société Générale, Crédit Agricole, BPCE, Crédit Mutuel) as operators of vital importance. Because they occupy a central role in the survival of the nation, these establishments must comply with 22 cybersecurity rules and a battery of processes that feed the nightmares of risk managers. Their application is controlled by ANSSI, the digital policeman. The cost reflects the constraint: between 4 and 5 billion euros are devoted each year to these measures.
“Banks have their own teams of hackers who continuously test the strength of their systems by simulating intrusions,” observes Jacques de La Rivière. They have also implemented different levels of authentication to gain access to certain data and decisions, as well as firewall software that blocks information systems and Internet traffic. USB ports are removed; redundancy systems continuously back up the systems and guarantee a fallback if the main system is taken by storm. All this while ensuring that these heavy cybersecurity infrastructures do not handicap the daily operation of the company.
Old computer language
Beyond the protection of systems and the establishment of crisis units in the event of infiltration, the military programming law requires heavy prevention work, involving a complete mapping of banks’ information systems. “It seems obvious, but there are gray areas,” notes a director of information services for a large French bank. “The design of banks’ information infrastructures dates back to the 1970s: they are coded in an old language which is not thought out in terms of security and which is no longer used today.” Getting rid of this heritage is a question of survival, because it is in the flaws of this original language and these obsolete technological bricks that the threats most complex to defuse are lodged.
In numbers
22 cybersecurity rules to be respected by French systemic banks, enacted by the military programming law of 2013.
4 to 5 billion euros devoted each year to these measures.
600 million dollars spent per year on cybersecurity by the bank JPMorgan Chase.