Ron Kelson,
Pierluigi Paganini, Fabian Martins,
David Pace and Benjamin Gittins
Every day the international SWIFT banking network processes financial transactions (relayed between banks) valued at literally trillions of dollars. Today, most of the >1 billion personal computers connected to the Internet are now at least occasionally involved in e-banking, B2B transactions, and other forms of online e-commerce. With the introduction of mobile devices, social networks, and the arrival of new technologies such as Near Field Communications, the attack surface area against banking and financial institutions has exploded. Consequently, these vast financial and banking seas offer plentiful opportunities for criminals to “fish” successfully at our expense.
Cyber security has become the top global technological issue, according to the 2012 World Economic Forum’s Global Risks Report. Deloitte’s 2012 Global Financial Services Industry Security Study shows nearly a quarter of the world’s banks voluntarily reported security breaches in the past year. Cyber threats are a serious ongoing concern to banks. Earlier this year Israel was subjected to an escalation of attacks, some of which attacked their national banking system with serious consequences. Furthermore, financial organisations (such as Visa, MasterCard and PayPal) that financially boycotted WikiLeaks were subject to cyber attacks by angry Hacktivists. Self-inflicted security failures, like the massive credit-card data breach of Global Payments Inc., demonstrate just how vulnerable the internal banking and financial sector infrastructure is to cyber threats. Like most other industries, their information systems suffer from conceptual design and implementation security flaws.
For more examples, search on the internet for: Chip And Pin is Broken by Ross Anderson et al, and Practices and Difficulties of Key Management on the Credit Card Market by Fabian Martins.
Yet, all these problems are just the tip of the iceberg. To quote US Vice Admiral J. Mike McConnell (Rtd), former Director of the US National Security Agency, and Advisor to US President Obama:
“The world cannot function without an effective banking system, and it is possible to contaminate the database upon which banking operates. There is no gold standard, no dollar bills, so if you can just contaminate the data in one large bank, you could cause global banking to collapse.” (Dec 2010)
In addition to these serious internal structural problems, we also need to holistically consider the financial and banking system as a “System of Systems” that stretches out to potentially every desktop computer and mobile phone system. As banks slowly improve the security measures of their systems, the thefts will increasingly migrate towards weaker channels — that is: to You. To quote Brian Snow, former Technical Director of the US NSA’s Information Assurance Directorate:
“No (person or) organization is immune and it is no longer credible to say: Not my problem!”
The general consensus in the financial and banking industry is that the top fraud threats are roughly:
The majority of the incidents (~80%) are experienced by banking customers. Just recently, we have observed an exponential escalation of malware attacks against customers which target financial transactions.
Most banking institutions feel reasonably well prepared to prevent classic fraud such as card fraud, cheque fraud and money laundering. The recent HSBC scandal involving Mexican drug cartel money laundering tells a different story. The Irish Times reports that:
“HSBC has admitted the bank’s failure to prevent money-laundering in Mexico and the US was “shameful, embarrassing and very painful”, as it took a $700 million charge to cover the cost of US regulatory fines. Chief Executive Stuart Gulliver said the charge was the “best estimate” based on the bank’s current knowledge of the situation, but he said the cost could be “significantly higher”.”
So, even in areas where banks feel confident of their security measures, there are clear examples that suggest otherwise. Not surprisingly, most of these large institutions are not well prepared against the modern threats posed by the rapidly changing cybercrime landscape.
One of the best known “modern” attacks against banking customers is the “phishing attack”, which acquires information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Kaspersky Lab’s Head of Global Research and Analysis team Dmitry Bestuzhev declared:
“Most spam phishing comes from fake financial, e-pay and bank emails (24.52%), while social networks account for 24% of phishing attacks. Attacks are transparent to the victim, as they have no idea what is going on – it’s simple but effective. [As an attacker] you don’t need to know how to hack a website; you just need to create a fake one.”
However, today the trend is towards the development of more sophisticated attack techniques. According to Kaspersky experts, the number of online banking threats is on the rise, with more than 125 000 new malicious programs sprouting up every day attacking clients’ computers. Today Kaspersky systems are blocking more than 350 000 attacks per day. The Kaspersky experts alert us all to the need to have the most up-to-date software on our PCs:
“Cybercriminals exploit weak spots. Users can have strong passwords or policies, but if you don’t run patches or update, criminals will get in your machine. It doesn’t matter what antivirus you use, you will be infected if you don’t update.” … “Phishing and malware is effective because of the bad habits of users not to install patches. Users need something more than just anti-virus.”
Rising to the challenge, some banks are now taking pro-active measures to protect their customers from multiple styles of cyber attack. This is particularly the case in countries, such as Brazil, where government regulation makes the bank responsible for any fraud that prejudices its customer, even if that happens because the client’s computer is infected.
Fabian Martins is a banking security specialist and Product Development Manager at Scopus Tecnologia, which is part of Bradesco, one of the Big Four banks in Brazil. Scopus operates Bradesco’s security centre and is on the front lines protecting the Bank’s critical business systems and their customers. Scopus provides innovative solutions based on more than 30 years of battling financial attacks. The banking market in Brazil is one of the most dynamic and evolving, mainly because of its early adoption of internet banking services (2nd in the world) and its growing economy even under the current financial crisis scenario. Not surprisingly, Brazil is one of the places in the world where the banking security technologies – and the bad guys – are evolving fastest.
To get an idea of the scope of the problem, every day Scopus evaluates more than 70 new malware samples designed specifically to attack Brazilian banks’ customers. More than 90% of these new samples are automatically handled by Scopus’ technologies, but for the remaining 10% the remediation must be developed in less than 24 hours. Typically, none of these new banking-specific malware samples are detected by the regular anti-virus solutions that customers can buy. Scopus’ solutions save banks millions of dollars every month, and those savings translate to more profitable operations and a reduction in fees for their customers.
So what do some of these more advanced attacks look like?
A Trojan horse, or Trojan, is a type of malware that masquerades as a legitimate file or helpful program with the purpose of granting a hacker unauthorized access to a computer. Recently a Trojan tool was discovered that is able to perform stealth attacks against a bank account, steal money and hide the theft from the account holder. Malware such as Zeus and SpyEye work by applying a classic man-in-the-middle attack to steal money from the account, presenting the user with fake login forms to capture the user’s credentials.
However, more advanced malware now has the ability to alter the data the customer sees on the screen: the banking server transmits the actual account balance to the user, and the malware intercepts and discreetly modifies this information en route. Recently Trend Micro published news of a new hacking toolkit named ATS (Automatic Transfer System), composed of JavaScript and HTML web-injection scripts that intercept a user’s interaction with online banking forms. It has the ability to discreetly query the available funds in the victim’s bank account and transfer the victim’s money to a different account. As the victim is blissfully ignorant of the theft, the attacker has time to withdraw the money and successfully complete the crime.
Currently ATS has been mostly targeting banks located in Italy, the UK and Germany. These are countries that have made major investments in information security and have sophisticated defences already in place to counter traditional financial crime. Scopus security technologies are designed to prevent exactly these advanced types of attack that take over the banking client’s computer.
To quote Melissa Hathaway (leader of US President Obama’s Cyberspace Policy Review):
“I don’t trust hardly any transaction right now, there is no integrity in our infrastructure. I’m not sure I care if it’s available, you need to make sure it’s a trusted transaction first, confidential second, and available last. I think there are a lot of leaders in our country and around the world that would agree with me.” (2010).
For this reason, sometimes, it is necessary for banks and their security providers to deny some customer transactions when the customer appears to be in a high-risk situation.
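The ATS sequence described above (query the balance, register a new payee, move nearly everything within seconds) and the bank-side decision to deny a high-risk transaction can both be illustrated with simple session risk scoring. This is an added example, not code from the article or from Scopus; the log format, session events, thresholds and point values are all constructed assumptions for illustration.

```python
from datetime import datetime

# Constructed sample session log (not real bank data); each line is
# "<ISO time> <session> <action> key=value ...". s1 shows the ATS pattern.
SAMPLE_LOG = """\
2012-08-01T10:00:03 s1 login ip=203.0.113.5
2012-08-01T10:00:05 s1 balance_query balance=4200.00
2012-08-01T10:00:06 s1 add_payee payee=NEW-ACCT-77
2012-08-01T10:00:08 s1 transfer payee=NEW-ACCT-77 amount=4150.00
2012-08-01T11:15:00 s2 login ip=198.51.100.9
2012-08-01T11:17:40 s2 balance_query balance=980.00
2012-08-01T11:19:10 s2 transfer payee=KNOWN-ACCT-3 amount=120.00
"""

def parse_log(text):
    """Return (time, session, action, {key: value}) tuples, one per line."""
    rows = [line.split() for line in text.strip().splitlines()]
    return [(datetime.fromisoformat(ts), s, act, dict(kv.split("=", 1) for kv in rest))
            for ts, s, act, *rest in rows]

def score_transfer(history, transfer):
    """Score one transfer against the earlier events of its session. The
    heuristics mirror the ATS sequence: query funds, register a new payee,
    then move nearly everything, all within seconds (thresholds are assumed)."""
    t_xfer, _, _, x = transfer
    amount, last_balance, hits = float(x["amount"]), None, []
    for t, _, action, a in history:
        age = (t_xfer - t).total_seconds()  # seconds before the transfer
        if action == "balance_query":
            last_balance = float(a["balance"])
            if age < 60:
                hits.append((2, "balance queried just before transfer"))
        elif action == "add_payee" and a["payee"] == x["payee"] and age < 300:
            hits.append((3, "payee registered moments earlier"))
    if last_balance is not None and amount >= 0.9 * last_balance:
        hits.append((2, "amount drains >= 90% of balance"))
    score = sum(points for points, _ in hits)
    decision = "deny" if score >= 5 else "step_up" if score >= 3 else "allow"
    return decision, score, [why for _, why in hits]

def assess(text):
    """Map each session to (decision, score, reasons) for its transfer."""
    results, by_session = {}, {}
    for ev in parse_log(text):
        hist = by_session.setdefault(ev[1], [])
        if ev[2] == "transfer":
            results[ev[1]] = score_transfer(hist, ev)
        hist.append(ev)
    return results
```

Session s1 scores 7 and is denied; s2, a normal transfer to an established payee, scores 0 and is allowed.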
As always: security is achieved through a combination of technology, processes, people and a lot – and we really mean a lot – of focus on prevention. This requires banks and customers to work together to protect their mutual interests. We hope that this series of articles on cyber security, provided by ICT Gozo Malta and our collaborators, will help raise readers’ awareness of the issues and, with suggestions from experts such as Kaspersky Lab, provide some guidance on protecting your own assets. In today’s environment, being proactive is common sense, if not essential.
Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs (http://securityaffairs.co/wordpress)
Prof. Fabian Martins (http://br.linkedin.com/in/fabianmartinssilva), Banking security expert and Product Development Manager at Scopus Tecnologia (http://www.scopus.com.br/), owned by Bradesco Group.
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited [email protected] .
Ben Gittins is CTO of Synaptic Laboratories Limited. [email protected]
David Pace is Project Manager of the ICT Gozo Malta Project and an IT Consultant
ph: +356 79630221
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT Professionals to register on the ICT GM Skills Register and keep aware of developments, both in Cybersecurity and other ICT R&D initiatives in Malta and Gozo. For further details
contact David Pace at