
Solondais


sinolod

Expect more banking outages due to cyberattacks | The information age

Consumers should hold onto emergency cash on the assumption that a cyberattack could bring down banking systems at any time, a European banking authority has advised as Australians recover from days of Commonwealth Bank and Westpac outages that have not been ruled out as cyberattacks.

“Society should be aware that a cyberattack could, in extreme cases, render financial services temporarily unavailable,” says the recent financial sector update from Netherlands-based De Nederlandsche Bank (DNB), noting that financial institutions are targeted in a quarter of cyberattacks.

“Cyber incidents pose a growing threat to society and the financial sector,” the update notes in a warning that prompted the DNB’s head of monetary affairs, Olaf Sleijpen, to advise people to “be careful: cash under the mattress or being able to pay with QR codes” if payment systems break down.

In a country where recent figures show trust in cash remains high – 71 percent of young Dutch people expect to still pay with cash in five years – recent legislation has sought to preserve the role of cash, even as countries like Australia are turning away from it.

Cash made up less than 27 percent of Australian consumer payments in 2019, according to the Australian Payments Network, and has declined throughout the COVID-19 pandemic, to the point where only 2.1 percent of payments are expected to be in cash this year.

Parliament is considering laws protecting cash, and a recent meeting of the Payments System Council noted that “cash remains a very important means of payment for some members of the community and is also retained for precautionary purposes, including as backup means for electronic payments.”

The importance of having backup payment methods became clear this month, as Westpac suffered a multi-day outage in which its banking services became unavailable on multiple occasions – prompting customers to complain on social media and to financial regulators because they were unable to transfer funds for payments.

Days later, another Commonwealth Bank of Australia (CBA) system failure led to some consumers having duplicate transactions taken from their bank accounts – with many reporting overdrawn accounts – and the CBA banking app was also reported to be down.

Westpac and Commonwealth banks have failed consumers this week. Photo: Supplied

Security and outages are the new normal for banks

Banking outages are increasing given the complexity of increasingly flexible banking services, the RBA recently admitted, noting that “online banking and fast payment services are most likely to be affected by outages.”

“The reliance on electronic payment methods means that any disruption to the provision of these services can have serious consequences for customers, businesses and the economy as a whole,” the RBA said, stressing that banks should report any “major outage” lasting more than 30 minutes.

The RBA’s ongoing outages dataset recorded 532 such outages that took online banking offline for a total of 1,478 hours over the past 30 months, with 415 outages reported for rapid transfer services, which lasted 1,316 hours in total.

Some facilities reported nearly 400 total outage hours during the period, while one facility reported more than 80 outages.

Although the RBA’s figures confirm that all banks are experiencing service outages, the differences in how Westpac and the CBA handled their respective outages have piqued the interest of security experts.

CBA has proactively waived fees and charges for affected customers, joining Westpac in keeping customers informed of its progress on X – but Westpac has still not publicly responded to Federal Treasurer Jim Chalmers’ suggestion that a cyber attack may have been involved.

“We work closely,” Chalmers said, “whether with banks or other businesses and organizations, to make sure that when something happens like this, no matter how unwelcome it may be, we respond immediately, that we can, and that we also keep ourselves informed.”

The government “sees it as our important responsibility to ensure that we catch up and monitor developments in this area,” he added, “because we don’t want to see people inconvenienced by these kinds of interruptions.”

Attack

Financial services and insurance companies (FSIs) are heavily targeted by cybercriminals, with banks under attack “constantly” in what has been described as “asymmetric warfare” in which consumers regularly suffer collateral damage.

Ransomware attackers and criminal groups often use distributed denial-of-service (DDoS) attacks “in layered attack patterns to distract cyber teams, hide other attack operations, and/or add nuisance to mitigation,” noted FSI security specialist FS-ISAC in its latest threat report.

Third-party anti-DDoS services and web application firewalls “can mitigate all but the most massive DDoS attacks,” the report notes, “(meaning that) the observed operational impact is generally low – largely limited to short-term unavailability of the website – which may cause reputational damage.”

Westpac did not respond to repeated inquiries about the cause of the outage, but Chalmers’ suggestion that DDoS may have been involved is consistent with FS-ISAC’s assessment – and one security expert believes cyberattacks must be considered the cause until proven otherwise.

“We live in a digital world and while systems can fail for multiple reasons, every incident can potentially be associated with a cyber threat,” Ajay Unni, founder and CEO of cybersecurity consultancy StickmanCyber, told The Information Age.

“Every type of incident, now and in the future, must be investigated to rule out a cyber attack as such… (Even) when systems fail for non-security reasons or due to negligence, this could open the door for attackers to take advantage of this to launch their attacks.”

Both CBA and Westpac have warned customers to be wary of cybercriminals using their outages as an opportunity to commit scams by pretending to be the bank and offering help to affected customers.