Banks failing to protect against malicious insiders

Positive Technologies has released its latest report, entitled Bank Attacks 2018 (no registration required).

The report is based on penetration testing and security assessment work carried out by Positive Technologies for banks. On the plus side, it shows that banks have acted to secure their external systems against hackers and cybercriminals. Unfortunately, once the perimeter is breached, internal security is poor.

The days of a bank manager staying late, filling their pockets with cash and then leaving for far-flung places are gone, mainly because banks no longer hold large amounts of cash. However, bank insiders are still a major source of help for cybercriminals, as Positive Technologies discovered. It also found that weak internal controls meant that systems, once reached, were easily compromised.

The problem of a hard shell and a soft, gooey middle is not unique to banks. The vast majority of corporate IT is no different. However, banks have been losing large sums of money to malicious insiders for some time. As such, it might be expected that they would be doing a better job.

How easy was it for Positive Technologies to breach banks?

Judging by the information in the report, far too easy. Positive Technologies performed penetration testing at each bank, and the results are a damning indictment of bank security. For example, every bank had:

  • Vulnerabilities in web applications
  • Insufficient network security
  • Server configuration flaws

In addition to this, experts breached the network perimeter in 22% of banks.

If this looks bad, it could have been worse. The report states that the testers did not exploit known vulnerabilities that could damage infrastructure. 67% of banks were running outdated software, but attacking it could have caused a denial of service, so those flaws were recorded rather than exploited.

In the phishing tests, the majority of staff failed to recognise the phishing email and clicked the links it contained. 25% went as far as entering their credentials into the fake login forms.

Internal network security was also poor. At 33% of banks an intruder did not even need administrative permissions to gain "access to the hosts that control ATMs, interbank transfer and card processing systems, and payment gateways."

Passwords continue to be a problem. Deficiencies in user account and password management existed at 58% of banks. In addition, several attack techniques were 100% successful, allowing intruders to gain administrative rights in just one or two steps.

It gets worse. The report goes on to state: “As we found, a quarter of banks used the password “[email protected]” as well as such common combinations as “Qwerty123,” empty passwords, and default passwords (for example, “sa” or “postgres”)”
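As an added illustration of the kind of check the report's password findings call for (this is example code, not code from the report or from Positive Technologies), the script below audits a set of credentials for exactly the patterns listed above: empty passwords, vendor defaults such as "sa" or "postgres", and common words dressed up with digits or character substitutions. The denylist, the default-credential table and the sample accounts are all constructed here for the example; a real audit would load a full breached-password list and the defaults for every product in the estate.

```python
"""Audit account credentials for the weaknesses the report describes:
empty passwords, vendor defaults and common combinations such as 'Qwerty123'.
Denylist, defaults and sample accounts are constructed for this example."""
import re

# Illustrative denylist of base words; a real audit would use a large breached-password list.
DENYLIST_BASES = {"password", "qwerty", "welcome", "admin", "letmein", "changeme"}

# Illustrative default credentials keyed by account name (assumed values, not from the report).
DEFAULT_CREDS = {
    "sa": {"", "sa"},              # MS SQL Server administrator account
    "postgres": {"", "postgres"},  # PostgreSQL superuser
    "root": {"", "root", "toor"},
    "admin": {"", "admin", "password"},
}

# Keyboard rows and numeric run used to catch sequence passwords like '123456'.
SEQUENCES = ["0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz"]

# Undo common character substitutions so 'P@ssw0rd' maps back to 'password'.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lower-case, strip trailing digits/symbols, then reverse leetspeak.

    'Qwerty123' -> 'qwerty', 'P@ssw0rd' -> 'password'.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return stripped.translate(LEET)


def audit_credential(username, password):
    """Return a list of findings for one username/password pair ([] means no finding)."""
    findings = []
    user = username.lower()
    if password == "":
        findings.append("empty password")
    if password.lower() == user:
        findings.append("password equals username")
    if user in DEFAULT_CREDS and password in DEFAULT_CREDS[user]:
        findings.append("vendor default credential")
    base = normalize(password)
    if base in DENYLIST_BASES:
        findings.append(f"common password (base word '{base}')")
    if len(password) >= 4 and any(password.lower() in seq for seq in SEQUENCES):
        findings.append("keyboard or numeric sequence")
    return findings


def audit(accounts):
    """Map each username with at least one finding to its list of findings."""
    results = {}
    for username, password in accounts:
        findings = audit_credential(username, password)
        if findings:
            results[username] = findings
    return results


# Constructed sample input, not data taken from the report.
SAMPLE_ACCOUNTS = [
    ("sa", ""),
    ("postgres", "postgres"),
    ("j.smith", "Qwerty123"),
    ("svc_backup", "P@ssw0rd"),
    ("a.jones", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

Run against a credential export (or used as the policy check in an identity provider's password-change hook), the function flags four of the five constructed accounts; only the passphrase passes. The normalisation step is what matters: a denylist that only does exact matching would accept "P@ssw0rd" and "Qwerty123", which is precisely the class of password the report found in a quarter of banks.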

How much have banks lost?

As highly secretive organisations, banks are not keen to disclose attacks against themselves. They are only too aware of the risk of rapidly losing customers. In addition, the risk of action by regulators and of lawsuits from shareholders and large customers is ever present where there is clear culpability.

The alleged head of the cybercrime gang responsible for the Carbanak and Cobalt malware was arrested in Alicante, Spain, in March 2018. This group is believed to have made off with more than €1 billion in attacks on banks since 2013.

The SWIFT messaging system used by banks to transfer money has also been abused by criminals. Attackers gained access to the SWIFT terminals inside banks and sent fraudulent transfer messages. Banks in Bangladesh, Russia, Taiwan, Vietnam, Nepal and other countries have been hit. Exact loss figures are difficult to obtain, but in the case of Bangladesh Bank the attackers attempted to steal close to $1 billion and got away with $81 million. SWIFT's main response has been its Customer Security Programme, a set of mandatory controls that member banks must attest to; it has also been experimenting with blockchain technology. Interestingly, none of this was mentioned in the report.

Breaches of card payment systems are becoming more common. These are not just attacks on bank ATMs, such as Carbanak, but also attacks against retailers. A recent report showed that small merchants were struggling with compliance around card payments. Rather than help them, 44% of acquiring organisations (banks) were quite happy to charge the merchants extra fees for non-compliance.

How do the attacks take place?

Attackers invest time, money and resources into these attacks. These are not smash-and-grab raids, nor are they carried out by rank amateurs. Reconnaissance of the target goes well beyond probing existing security: attackers look for any websites and services associated with the bank.

As more banks expose their systems to new payment solutions through APIs, attackers comb through that code looking for errors. Banks, like any organisation, also have complex supply chains. This means that attackers do not have to start with the bank itself: a supplier or service provider with access to the bank can be the first target.

Insiders are also a key target. SWIFT has claimed that the attacks against its network could only have been conducted by people with knowledge of how it works. There are even underground websites where attackers advertise for bank insiders and bank data. The report reproduces several of these adverts with the identifying details redacted.

The quickest way of compromising a bank's network is through phishing emails. The report names several groups, including Cobalt, Lazarus, Metel and GCMAN, that did exactly this. Watering-hole attacks are another way of infecting the machines of bank staff. These rely on compromising external websites that bank employees visit; when an employee connects to the site, malware is installed on their machine.

Once inside, the attackers escalate privileges until they control the internal systems. From there it is a short step to transferring funds between accounts, or to raising the withdrawal limits on debit cards so that money mules, armed with cloned cards, can cash out at ATMs.

What does this mean?

The list of failures above is just a small part of what Positive Technologies discovered. However, this does not make banks any worse than most organisations. On the positive side, the report does say that banks have done a lot to harden systems against external attacks.

The bigger problem is that internal systems are weak. They are susceptible to known vulnerabilities for which patches are available. This failure to patch is something that regulators should deal with. Enterprise Times emailed the Financial Services Authority asking for comment but so far has heard nothing.

Staff training also needs to improve so that employees can spot phishing attacks. The willingness to click on links in phishing emails and type credentials into fake forms is worryingly high. It suggests that banks are not investing enough in end-user security awareness training.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies outlined recommendations for banks: “The good news is that it’s possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken. Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions.

“It’s critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM solutions substantially simplify and improve the effectiveness of incident management.” 
