According to S-bank, the problem affected such a small group that it was not noticed in its own systems.
Antti Nikkanen
Data security expert Petteri Järvinen describes S-bank’s data security problem as “amazing”. What is especially strange is that the problem was not noticed sooner.
S-bank announced on Tuesday that there was a system error in its customer identification that lasted from April to August.
For about four months, some customers had the opportunity to log into another customer’s online bank. The disturbance was exploited, among other things, to transfer money from accounts, and the online banking credentials were used to identify to various online services.
– Just common sense says that the problem should have been detected, at least because people were contacting them more often than before and asking why money had gone missing from their accounts, says Järvinen.
He states that the company should have noticed the growing number of contacts by monitoring customer feedback.
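Järvinen’s point is that a rise in “money has gone missing” contacts is itself a detection signal. As an added illustration (not code from S-bank or from this article), the Python below counts weekly support contacts in one category against a baseline built from earlier, unflagged weeks and flags the weeks that stand out. The contact data, the category names, the start date and the thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev

CATEGORY = "money missing from account"  # assumed category label


def build_sample_contacts():
    """Constructed sample: ten weeks of daily support contacts (not real data).

    Weeks 0-5 are a steady baseline; from week 6 the 'money missing' category
    rises sharply, mimicking the contact pattern that should have been noticed.
    """
    start = date(2024, 3, 4)  # a Monday; arbitrary start date for the sample
    contacts = []
    for day in range(70):
        d = start + timedelta(days=day)
        week = day // 7
        if week < 6:
            n_missing = 2 + (1 if day % 3 == 0 else 0)  # small natural jitter
        else:
            n_missing = 2 + 3 * (week - 5)  # growing problem
        contacts.extend([(d, CATEGORY)] * n_missing)
        contacts.extend([(d, "card blocked")] * 4)  # unrelated noise category
    return contacts


def weekly_counts(contacts, category):
    """Return a sorted list of (monday_of_week, count) for one contact category."""
    per_week = Counter()
    for d, cat in contacts:
        if cat == category:
            per_week[d - timedelta(days=d.weekday())] += 1
    return sorted(per_week.items())


def flag_spikes(counts, baseline_weeks=4, z=3.0, min_ratio=1.5):
    """Flag weeks whose count is abnormally high against a baseline.

    The baseline uses only earlier weeks that were themselves *not* flagged.
    That matters for a slowly growing problem: if flagged weeks fed the
    baseline, the baseline would rise with the problem and later weeks would
    stop looking anomalous. Returns (week_start, count, baseline_mean) tuples.
    """
    clean = []    # counts of weeks accepted as normal
    flagged = []
    for week_start, count in counts:
        if len(clean) >= baseline_weeks:
            base = clean[-baseline_weeks:]
            mu, sigma = mean(base), pstdev(base)
            # Both a statistical test and a plain ratio guard, so that a
            # near-constant baseline (sigma ~ 0) does not flag trivial jitter.
            if count > mu + z * sigma and count > min_ratio * mu:
                flagged.append((week_start, count, mu))
                continue
        clean.append(count)
    return flagged


if __name__ == "__main__":
    counts = weekly_counts(build_sample_contacts(), CATEGORY)
    for week_start, count, baseline in flag_spikes(counts):
        print(f"week of {week_start}: {count} contacts vs. baseline {baseline:.1f}")
```

On the constructed data the first six weeks sit at 16 or 17 contacts and every week from the seventh onward is flagged, even though the baseline window is only four weeks long, because flagged weeks never enter the baseline.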
In Finland, online banking credentials are an essential part of the electronic system. They are used to log in not only to banking services but also to other systems, and can be used to view health information, for example. Online banking credentials are also used for electronic signatures, and by relying on their strong identification, you can sign loan agreements and other contracts.
– On a fundamental level, this is an amazing problem. Electronic identification, which is the mainstay of the Finnish information security society, is broken, and no one notices it, Järvinen wonders.
The matter came to S-bank’s attention at the beginning of August, when a so-called white hat hacker noticed the problem and reported it to the bank. White hat hackers are those who use their skills for good, for example to report such system vulnerabilities and disturbances.
“A Small Group”
According to Carl-Edvard Holmberg, S-bank’s director responsible for digital development, it took several months to detect the disturbance because it concerned such a limited group.
– Of course, each of these cases is too many. We are talking about a few hundred customers, and only some of them were logged into the online bank by someone else. And then how many accounts were used for possible abusive payment transactions, we are talking about an even smaller number, he says.
According to Holmberg, the disruption affected such a small number of the bank’s more than 3 million customers that it did not show up significantly in the bank’s data.
– Now that we know what has happened, we are able to investigate previous customer transactions ourselves and determine where they are a matter of financial abuse, says Holmberg.
S-bank does not provide detailed information about the disruption, such as how many customers have been affected by the problem or what amounts of money the customers have lost. Holmberg cites the ongoing police investigation as the reason for his silence.
On Wednesday, the police announced that the authorities were aware of 53 payment instrument frauds related to the case. In addition to these, there are approximately 150 data breaches under investigation. Two people suspected of abuse have been arrested. According to Iltalehti, one of them is only 16 years old.
The head of the investigation, crime commissioner Klaus Geiger, told MTV that a total of 940,000 euros was taken from the customers’ accounts. According to Geiger, the money had been spent on a luxurious lifestyle.
Refunds in progress
Petteri Järvinen highlights the unequal power relationship between the bank’s customer and the large banking institution. Banks have access to log data on account transactions and have experts and lawyers at their disposal.
– The bank’s information superiority is so great that the customer often loses potential disputes, says Järvinen.
S-bank assures that in the damage cases related to the disturbance that are currently being processed, the customer does not have to separately prove the resulting financial loss or even file a complaint about the events.
– We have been in contact with everyone who is affected. We know that group of customers, and we are able to use our systems to investigate which are possible abuse events, says S-bank’s Holmberg.
According to Holmberg, S-bank has already made amends for many abuses and the rest are being handled “as quickly as possible”. He cannot give an exact schedule.
Data security expert Petteri Järvinen calls for the banks’ responsibility in the reliability of online bank IDs.
– They used to be a means of electronic signature and they function exclusively based on trust, says Järvinen.
He points out that the banks themselves have wanted to keep the IDs and related technology under their own control. Others have not been able to develop the system.
– This emphasizes the bank’s responsibility for security, he says.
According to Järvinen, the security of online banking IDs has been “practically inviolable” until now, and the now-disclosed disturbance undermines their status. Based on a single incident, however, Järvinen would not say that online banking credentials are an unreliable means of identification.
– Bank IDs have a 25-year history and there are extremely few problems, so I wouldn’t say that this makes them unreliable yet, but it does cause distortion, he says.
The case of S-bank shows that banks “must be constantly alert”.
– Banks have to take care of the system relentlessly. Such things must not happen.