Bank (in)Security: Between the 1880s and the 1930s, physical bank burglaries were a substantial problem. To counter these threats bank's employed vaults to protect their contents from theft, unauthorised use, fire, natural disasters, and other threats. Vaults were an integral part of the building, using armored walls and a tightly fashioned armoured door secured with a complex lock.
During the 1950s, researchers at the Stanford Research Institute invented "ERMA", the Electronic Recording Method of Accounting computer processing system. ERMA started as a project for the Bank of America in an effort to automate bank book-keeping. Thirty-two ERMA computers were delivered to the BoA in 1959 for full-time use as the bank's accounting computer and cheque handling system.
Over time, money began to move in increasingly electronic ways. Today, the international SWIFT banking network processes financial transactions valued at literally trillions of dollars EVERY day. It should come as no surprise that robbing banks is an increasingly electronic affair…
Today, the worldwide security community is concerned by the sharp increase in the number of cyber attacks against banking and financial institutions by cyber criminals and state-sponsored hackers.
What is at stake? To quote U.S. Vice Admiral J. Mike McConnel (Rtd), former Director of the US National Security Agency, and Advisor to U.S. President Obama:
“The world cannot function without an effective banking system, and it is possible to contaminate the database upon which banking operates. There is no gold standard, no dollar bills, so if you can just contaminate the data in one large bank, you could cause global banking to collapse.” (Dec 2010)
General insecurity of the banking sector: As the financial and banking system expanded into Automatic Teller Machines a first wave of internal and external attacks began. Given the impressive physical security of the ATM itself, most of the attacks were mounted through the trivially weak magnetic stripe bank cards. Attempts to patch the wave of magnetic credit-card attacks with "Chip And Pin" technologies failed (Ross Anderson, et al). Magnetic and chip-and-pin attacks continue today.
Many banks increasingly pushed greater security controls on third party financial organisations, while not applying the same level of security controls internally. Self-inflicted security failures, like the massive credit-card data breach of Global Payments Inc., are illustrative of the problem.
Most banks are also vulnerable to insider attacks. The report “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector” (2004) found that in 70% of cases studied, the insiders exploited, or attempted to exploit, systemic vulnerabilities in applications and/or processes or procedures to carry out the incidents. In 61% of the cases, the insiders exploited vulnerabilities inherent in the hardware, software, or network design. 26% percent of the cases involved the use of someone else’s computer account, physical use of an unattended unsecured terminal, or social engineering. Nearly all of the surveyed organizations experienced financial loss as a result of the insiders’ actions (91%).
Instead of comprehensively and systematically addressing known vulnerabilities, many banks have been content to live with an “acceptable” degree of operating losses. Most banks hedged their bets with insurance and limited countermeasures, many pursuing various approaches to shift liability, and the costs to implement security controls, to others.
To date, attacks have been predominantly parasitic. However, there is concern the threat landscape may be changing.
Growing waves of cyber attacks: Banking is an increasingly desirable target for hacktivists, and cyber terrorists who have no desire to live parasitically off the insecurities of the banking system. Cyber attacks against financial institutions, can create serious economic damage, and obtain extensive media coverage of the operations; a primary objective of these types of attackers.
War against the banking system of western enemies: In conventional war, military organizations target and destroy critical infrastructure such as electricity, communications, airports, roads and water supplies. Banks of foreign governments may become subject to sanctions. For example in March 2012, Iran was largely cut off from global commerce after the international SWIFT banking network severed ties with many Iranian banks to back EU sanctions against Tehran.
Until now, the banking sector has been somewhat immune from cyber attacks of the type described by Vice Admiral J. Mike McConnel. According to Shane Harris in the article "US: The cyberwar plan" published in the National Journal in 2009: "in the months before the U.S. invasion of Iraq in March 2003, military planners considered a computerized attack to disable the networks that controlled Iraq's banking system, but they backed off when they realized that those networks were global and connected to banks in France." A cyber attack could contribute to, or trigger, the financial collapse of a nation, or even a group of connected nations.
Cyber attacks against the banking systems of the west: Recent reports raised the possibility of Iranian cyber offensive against US banks. This was immediately denied by the Government of Teheran, but the event has now increased discussions on the real level of security of western banking systems. The news was provided by a top Department of Justice official after the observed attacks against Bank of America and JPMorgan Chase.
Doug Johnson, Vice President of risk management policy for the American Bankers Association, and a member of FS-ISAC, is convinced that we will witness an increase in cyber attacks against the banking sector, and that banks of all sizes should prepare now for an increasing offensive against them.
Lanny Breuer, assistant Attorney General for the department’s criminal division, defined cybercrime one of the most serious threats to national security declaring: “It is so hard to get a handle on, because a lot of it is perpetrated by those working abroad who are skilled at what they do, and the anti-virus software most of us use only protects us from known vulnerabilities.”
Cyber attacks, state sponsored or not? Sophisticated malware and botnets are threatening high-value/sensitive computer networks of all sectors, in particular the banking networks. Unfortunately, due to the cyber attribution problem, it is very hard to distinguish state-sponsored attacks from opportunistic cyber criminal offensives. As the UK Cyber Strategy Says:
“with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred.” … “Some states regard cyberspace as providing a way to commit hostile acts ‘deniably’.”
In September 2012, Estonia’s State Prosecutor's Office announced that it was bringing the investigation of the country’s 2007 cyber attack to a close. The decision to shut down the investigation came after prosecutors failed to pin down the IP addresses, and computers used, during the digital barrage in April and May 2007. This negative result will only bolster the confidence of 100+ countries investing in cyber-offensive weapons (such as the U.S DARPA’s cyber-offensive “Plan X” ) with impunity.
To make situations worse, identifying cyber attacks is becoming even more difficult, as confirmed by the study released by the security firm FireEye, named “Advanced Threat Report” in the first half of 2012. It provides an overview of the current threat landscape, evolving advanced malware and advanced persistent threat (APT) tactics, and the level of infiltration seen in organisations’ networks today. The document presents an alarming scenario, with organisations observing an impressive increase in advanced malware bypassing their traditional security defenses.
Today, security experts are frequently discovering that malicious software (malware) is able to elude common defense mechanisms, remaining in stealth for long periods during which it operates surreptitiously.
Rapidly escalating attacks on the financial sector. Between the second half of 2011 and the first half of 2012, the financial services sector has been hit by an increased number of attacks. The industry saw more events in one month alone (May 2012) than in the entire second half of 2011.
The concern for the wave of cyber attacks is high, considering that The Financial Services Information Sharing and Analysis Center, an industry security group, has recently raised its threat level for cyber attacks to “high” from “elevated.”
How to mitiate the risks?
It's desirable for a joint commitment of banking institutions, governments and also customers.
- Banks and financial organisations need to stop engaging in liability shifting and systematically address the known long-standing security risks in the their ICT systems in a way that protects the legitimate interests of all stakeholders.
- The banking IT sector and government must continue to train specialised staff to respond to the new wave of attacks as they occur. This will require the continued involvement of veteran cyber security experts, investment in better day-to-day security controls, and a careful technical and legal analysis of response options available during an attack.
- It is crucial that all employees have general education in good ICT hygiene. They must be trained to detect and prevent Advanced Persistant Threat attacks started by simple/classic phishing campaigns.
- Users must be educated in the proper use of new technologies, and must be informed on the evolution of the cyber threats and related risks.
Banks are increasingly being attacked by agents that have no interest in parasitically living of them, but rather set out on inflicting damaging/fatal blows on them. Banking and financial institutions, like all organisations, should carefully ask the question: are our long-standing cyber vulnerabilities now becoming significant liabilities in the today’s environment?
About the Authors :
Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs ( http://securityaffairs.co/wordpress )
Prof. Fabian Martins, ( http://br.linkedin.com/in/fabianmartinssilva ) Banking security expert and Product Development Manager at Scopus Tecnologia, http://www.scopus.com.br/ ) owned by Bradesco Group.
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited [email protected] .
Ben Gittins is CTO of Synaptic Laboratories Limited. [email protected]
David Pace is Project Manager of the ICT Gozo Malta Project and an IT Consultant ph: +356 79630221
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Support Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT Professionals to register on the ICT GM Skills Register and keep aware of developments, both in Cybersecurity and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at [email protected] .