The year 2019 saw many disclosures of new vulnerabilities in IT products from various suppliers, as well as new methods of intrusion, cybercrime and fraud carried out around the world. The visible trends that can be distinguished on this basis are as follows:
- Phishing campaigns, especially those distributed via SMS, are still popular, although customers react better and better to such scams and the Bank is better prepared,
- We have not recorded any significant changes compared to previous years in the context of abuses and advances in social engineering applied to individuals,
- Malware attacks are more technologically advanced and more targeted, or lead to theft of resources by means of social engineering; however, the number of attacks has definitely declined,
- The severity of attacks targeted at businesses and institutions (mainly financial) carried out by organised cybercrime groups is similar to previous years.
Attempts have been made to attack / compromise external suppliers in order to access the infrastructure of cooperating companies.
At the same time, the environment in which we live and operate is changing. Rapid development is taking place in:
- Internet of Things (IoT),
- smart cities,
- e-state / e-administration,
- cloud computing services,
- 5G networks,
which not only affects comfort, efficiency and performance, but also involves many risks.
Bearing this in mind, we are constantly strengthening and developing our own cyber security system at the local level and across the ING Group in order to prevent acts of cybercrime against clients, employees and our Bank's information and communication system.
We are constantly improving the security solutions and systems used to protect our customers, as well as the Bank itself, and constantly testing their real effectiveness through, among others, penetration tests of banking infrastructure and applications, advanced APT (Advanced Persistent Threat) tests, tests of resilience to DDoS (Distributed Denial of Service) attacks and many others.
We have maintained and updated existing tools and implemented new ones for early detection of all types of fraud and abuse and of advanced targeted attacks, including preventing information leakage or the execution of unauthorized transfers of large amounts of money from the banking system.
We are working to improve the prevention of cybercrime through Programmes undertaken within the ING Group. We actively cooperate with other financial institutions, governmental and law enforcement authorities and Internet service providers, especially after our Bank has been recognised as a key service provider under the National Cyber Security System Act.
Last year, our Bank carried out a number of activities aimed at raising the Bank's employees' awareness of cyber security threats and implemented Programmes aimed at improving the skills of IT staff and teams responsible for ensuring an appropriate level of the Bank's cyber security. We have launched new communication campaigns for our Bank's customers warning about current threats.
Moreover, for several years now the Bank has been cooperating with the Polish Banks’ Association in creating the “Documents Reserved” campaign. It is primarily intended to inform the general public, both those who are customers of the banks and those who are not yet, about the option of reserving identity documents if they are lost or stolen. The information campaign is carried out through, among others, posters, leaflets, signs available in the outlets, mailing, banners, announcements and press materials.
Thanks to coordinated actions aimed at ensuring an optimal level of cyber security, in 2019 our Bank did not record any significant cyber security incidents or frauds that would result from the weakness of the banking security system.
Counteracting cybercrime is one of our Bank's basic methods of building secure and attack-resistant channels of interaction with customers. Due to the continuous development of new, advanced attack methods, the bank’s security teams are constantly improving existing systems and building new, more effective detection and prevention mechanisms. An important element of our development strategy is the continuous improvement of the competence of security professionals and the testing of systems, processes and people in numerous APT (Advanced Persistent Threat) and DDoS (Distributed Denial of Service) tests. All these activities are aimed at protecting the bank’s resources from internal and external threats and thus protecting our clients and the funds entrusted to us.
In H2 2019, we implemented behavioural verification, i.e. a service that analyses customer behaviour when using the transactional service. The resulting user profile makes it possible to detect fraud when an unauthorized person tries to perform a transaction.
Behavioural verification analyses the user’s interaction with the computer or mobile device. During this verification we do not check what the user does, but how they do it. We collect and analyse, inter alia, information on how fast and how often the user presses individual keys on the keyboard, how they scroll the screen, how fast and how often they click the computer mouse and how they hold the device. We build a user profile only after logging in to Moje ING and compare the behaviour after each login.
Thanks to this solution, we will soon be able to additionally secure our transactions and access to internet banking. In this way we will prevent third parties from impersonating a Moje ING user.
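A simplified illustration of the comparison described above, added here as an example and not the Bank's implementation: it builds a profile from keystroke timing only (how the keys are pressed, not which ones) and scores a new login against it. The scaled Manhattan distance, the 3.0 threshold, all function names and the sample timings are assumptions, and every session is assumed to cover the same number of keystrokes.

```python
from statistics import mean

def timing_features(events):
    """events: [(key, press_ms, release_ms), ...] for one typed sequence.
    Returns dwell times (key held down) then flight times (gap to next key).
    Only timing is used; which keys were typed is ignored."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_profile(sessions):
    """Per-feature centre and spread (mean absolute deviation) over enrolment."""
    columns = list(zip(*(timing_features(s) for s in sessions)))
    centre = [mean(c) for c in columns]
    # Floor the spread at 1 ms so a very consistent typist cannot divide by ~0.
    spread = [max(mean(abs(x - m) for x in c), 1.0)
              for c, m in zip(columns, centre)]
    return centre, spread

def anomaly_score(profile, session):
    """Scaled Manhattan distance: mean deviation in units of the user's spread."""
    centre, spread = profile
    feats = timing_features(session)
    return mean(abs(x - m) / s for x, m, s in zip(feats, centre, spread))

def is_suspicious(profile, session, threshold=3.0):  # assumed threshold
    return anomaly_score(profile, session) > threshold

def make_session(dwells, flights, keys="1234"):
    """Build constructed sample events from dwell/flight times in milliseconds."""
    t, events = 0, []
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

# Constructed sample data: three enrolment sessions, then two new logins.
ENROLMENT = [make_session([90, 100, 95, 105], [120, 130, 125]),
             make_session([95, 105, 90, 100], [125, 135, 120]),
             make_session([85, 95, 100, 110], [115, 125, 130])]
PROFILE = build_profile(ENROLMENT)
OWNER_LOGIN = make_session([92, 98, 97, 103], [122, 128, 127])
OTHER_LOGIN = make_session([60, 65, 70, 60], [200, 210, 190])

if __name__ == "__main__":
    for name, login in (("owner", OWNER_LOGIN), ("other", OTHER_LOGIN)):
        score = anomaly_score(PROFILE, login)
        print(name, round(score, 2), is_suspicious(PROFILE, login))
```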
We keep our customers informed on an ongoing basis about existing threats through our websites, educate them and show them how to behave in order to use online and mobile banking safely. These messages are visible to each user in our e-banking system, and up-to-date information is posted systematically on the basis of currently detected threats targeting electronic banking users.
We are constantly developing tools, algorithms and rules to detect various types of fraud and abuse, including preventing data leakage. We execute many of these tasks together with other ING Group member companies, as well as in cooperation with financial institutions, state bodies and law enforcement agencies. We establish cooperation with suppliers of modern technologies in order to introduce new authorisation factors based on e.g. biometrics or customer behaviour.
In 2019 we focused primarily on strengthening the security of many systems to meet the existing technical and legal requirements aimed at better protection of customer data processed in our systems, and on starting the bank’s operations within the national cyber security system.