Consumers should keep emergency cash assuming that a cyber-attack could bring banking systems down at any time, a European banking authority has advised as Australians recover from days-long Commonwealth Bank and Westpac outages that have not been ruled out as cyber-attacks.

“Society should be aware that a cyber-attack could, in extreme cases, make financial services temporarily unavailable,” the Netherlands-based De Nederlandsche Bank’s (DNB) recent financial sector update said, noting that financial institutions are targeted in a quarter of all cyber-attacks.

“Cyber incidents pose a growing threat to society and the financial sector,” the update noted in a warning that prompted DNB monetary affairs chief, Olaf Sleijpen, to advise people “to have cash under the mattress, or be able to pay with QR codes” if payment systems go down.

In a country where recent figures show confidence in cash remains high – 71 per cent of young Dutch citizens expect to still be paying with cash five years from now – recent legislation has sought to preserve the role of cash even as countries like Australia rush away from it.

Cash accounted for less than 27 per cent of Australian consumer payments in 2019, according to the Australian Payments Network, and declined throughout the COVID-19 pandemic to the point where just 2.1 per cent of payments are expected to be cash this year.

Parliament is considering cash-protecting laws, with a recent Payments System Board meeting noting “cash remains a very important means of payment for some members of the community and is also held for precautionary purposes, including as a backup to electronic payments.”

The importance of having backup payment methods came into sharp relief this month, as Westpac suffered a days-long outage in which its banking services repeatedly became unavailable – driving customers to social media and financial regulators to complain as they were left unable to transfer funds for payments.

Days later, another systems fault at the Commonwealth Bank of Australia (CBA) led to some consumers having duplicate transactions taken out of their bank accounts – with many reporting overdrawn accounts as a result – and the CBA’s banking app was also reported as down.


Security, outages are the new normal for banks

Bank outages are increasing given the complexity of ever more flexible banking services, the RBA recently admitted in noting that “online banking and fast payments services are most likely to be affected from outages.”

“Reliance on electronic payment methods means that any disruption to the provision of these services can have serious impacts on customers, businesses and the broader economy,” the RBA said, noting that banks should report any “significant outage” lasting over 30 minutes.

The RBA’s ongoing outages data set recorded 532 such outages that took online banking services offline for 1,478 hours in total over the past 30 months, with 415 reported outages of fast transfer services that lasted 1,316 hours in total.

Some institutions reported nearly 400 hours of outages overall during the period, while one institution reported over 80 outages.

While RBA figures confirm that all banks suffer service outages, differences in the way Westpac and the CBA handled their respective outages have piqued the interest of security experts.

The CBA proactively reversed charges and fees for affected customers, joining Westpac in keeping customers apprised of its progress on X – yet Westpac still has not publicly addressed federal Treasurer Jim Chalmers’ suggestion that a cyber-attack may have been involved.

“We do work closely,” Chalmers said, “whether it’s with the banks or the other businesses and organisations, to make sure that when something happens like this, as unwelcome as it is, that we’re responding when we can and that also we’re keeping each other informed.”

The government “sees it as an important part of our responsibilities to make sure that we catch up and keep up with developments in this space,” he added, “because we don’t want to see people inconvenienced by these kinds of interruptions.”

Under attack

Financial services and insurance (FSI) firms are heavily targeted by cyber criminals, with banks attacked “all the time” in what has been described as “asymmetrical warfare” in which consumers regularly suffer collateral damage.

Ransomware attackers and criminal groups often use distributed denial of service (DDoS) attacks “in layered attack patterns to distract cyber teams, disguise other attack operations, and/or add nuisance to the mitigation,” FSI security specialist FS-ISAC noted in its latest threat report.

Third-party anti-DDoS services and web application firewalls “can mitigate against all but the most massive DDoS attacks,” the report notes, “[meaning] observed operational impact is typically low – largely confined to short-term website unavailability – which may cause reputational damage.”

Westpac did not respond to repeated enquiries about the cause of the outage, but Chalmers’s suggestion that a DDoS may have been involved is consistent with FS-ISAC’s assessment – and one security expert believes cyber-attacks must be considered as the cause until proven otherwise.

“We are living in a digital world and while systems can go down for multiple reasons, every incident could possibly have a cyber threat associated with it,” Ajay Unni, founder and CEO of cyber security consultancy StickmanCyber, told Information Age.

“Every type of incident now and into the future needs to be investigated to rule out a cyber-attack as such…. [Even] when systems go down for non-security reasons or negligence, it could open doors for attackers to use that as an opportunity to launch their attacks.”

Both CBA and Westpac warned customers to be aware of cyber criminals using their outages as an opportunity to execute scams by impersonating the bank and offering help for affected customers.