The case of TSB and the importance of safeguarding banking cyber infrastructure
The banking system is the backbone of the modern economy and everyone – from individuals to the private sector to the government – has a vested interest in its smooth functioning.
With so many banking services now hosted and offered online, the security of online banking infrastructure is of pivotal importance. From transactions at the bank counter that need to be recorded and approved in the bank’s online systems to web banking which serves the largest part of customers, every aspect of a bank’s activity is linked to its cyber infrastructure – and it is of vital importance to protect it properly.
Hackers out to target banks
Banks offer a wide suite of services to customers that primarily have to do with managing and transferring wealth. In this context, they host information that could give third parties unauthorized access to funds. Naturally, this opens banks up to all kinds of hacker attacks, ranging from Distributed Denial of Service (DDoS) attacks to SQL injection or even ransomware. Hacker attack vectors become more sophisticated by the day, and when it comes to targeting banks, cybercriminals are very motivated to succeed as they know that their reward will be high. Their methods often exploit vulnerabilities in an online system, which is why many institutions turn to ethical hacking to test their systems for flaws.
Ethical hacking refers to the process of attempting to penetrate a system with the owner’s permission in order to discover and fix its weak points. Other best practices include a bug bounty, which provides an extra incentive for anyone who finds a flaw to report it. The situation becomes even more acute given the large number of clients that every bank has, who can become an extra liability for the banking institution. Individual customers could compromise their accounts by falling victim to phishing scams – especially fraudulent messages that claim to come from the bank itself. This can cause further headaches and require significant effort and time to mitigate.
Ensuring online services function properly
But hackers are not all that banks have to worry about. When so much relies on an online system, it is pivotal to take every step to ensure its smooth functioning. With so many people using web banking services, banks need to continuously strive to improve the round-trip time (RTT) of their web applications. Web apps perform crucial functions in online banking, as they are essentially the meeting point between a server and a browser. For instance, the log-in process that you go through when you connect to your account online is carried out via a dedicated web app. Along with page load time and network latency, RTT is a key metric in measuring an application’s performance. It essentially describes the time it takes for a browser to receive a response after it has sent a request to a server, measured in milliseconds.
When many customers try to use the same service at once, RTT typically rises as the servers try to manage the spikes in traffic. Occasional issues are to be expected, but when they become commonplace banks stand to lose a lot in reputation, as disgruntled customers flee to competitors. This was a bitter lesson learned by banks belonging to the Lloyds Banking Group, and especially TSB, as they have experienced several technical issues lately and faced backlash from angry consumers. In April 2018, TSB announced that it would migrate its systems and that customers would therefore be unable to access their accounts over the weekend. Yet the situation quickly spiraled out of control and ended up lasting five days, during which customers continuously reported issues with their accounts, mainly with transactions or funds not showing up, as well as being unable to use online banking services.
The backlash faced by TSB
Then on 10 July, clients started complaining that online banking was again painfully slow, with many of them threatening to switch to another provider. Just a couple of weeks earlier, customers saw their Lloyds banking apps not responding, while banks across the Lloyds group – which includes TSB, The Bank of Scotland and Halifax – all experienced problems with their respective mobile apps. Although TSB claimed that its mobile app update had nothing to do with the issues, many customers remained skeptical. And it certainly did not help that clients experienced problems with online banking again in August and September.
In total, TSB says that the problems resulted in a loss of a whopping £105.4 million (before tax) for 2018, after it rushed to divert resources to addressing these issues. It has also stated that the costs of dealing with the migration crisis, including compensation offered to customers, investment in resources needed to mitigate the consequences and its own lost income, amounted to £330.2 million. Meanwhile, 80,000 customers left the bank in 2018 – compared to 50,000 who did so in 2017 – with the numbers reaching a high point in Q2, just after the April crisis. TSB claims it has so far responded to 90% of the customer complaints it has received since the system migration – so 181,000 out of a total of 204,000.
As the TSB incident and its consequences demonstrate, while a wider online banking integration provides speed, convenience and security, it also opens the bank up to risks – and if it doesn’t handle them correctly, to loss of trust and customers.