BreachExchange mailing list archives

What should banks be doing to protect themselves from cybercrime?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Mar 2015 22:46:03 -0600

http://memeburn.com/2015/03/what-should-banks-be-doing-to-protect-themselves-from-cybercrime/

When the prolific criminal Willie Sutton was asked why he specifically
targeted banks, he purportedly replied: “Because that’s where the money
is.” So it’s no surprise that cybercriminals have made banks a focus for
online heists. Following the recently reported series of Carbanak
cyber-thefts that took up to a billion dollars from banks worldwide, a new
survey* of 175 heads of financial organisations showed that they rated
online attacks as their second-biggest perceived danger to their industry.

The reason why banking executives are so worried about cyberattacks is
because of their sophistication. Recent online robberies have gone
undetected for weeks or even months, because the criminals manipulate the
banks’ own business-as-usual processes to stealthily move cash and siphon
it away from accounts without attracting attention. In many cases, the
transactions made by the hackers appear to be legitimate from the bank’s
point of view – making cyber-heists a true ‘inside job,’ devised by people
with in-depth understanding of how both business and consumer banking
systems work.

An inside job
In the most recent series of thefts, hackers breached the banks’ systems
using spear phishing techniques, tricking employees into clicking on
malicious downloads by using crafted, targeted emails. This malware gave
hackers access to banks’ internal networks, where they could quietly
explore and gather information on the organisation’s systems and
procedures, and work out the best method for stealing money.

In some cases, this involved quietly transferring funds between various
accounts, and even crediting accounts with large sums before withdrawing
identical amounts, so that the theft looked like an erroneous transaction.
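The credit-then-identical-debit pattern described above is one a bank's own monitoring can look for. The following is an added illustration, not code from the article or from any bank: a small check that scans a ledger for a large credit that is reversed by a debit of the exact same amount on the same account within a short window. The account identifiers, amounts and the 48-hour window and threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    cents: int  # positive = credit to the account, negative = debit from it


def find_mirrored_credits(txns: List[Txn], window_hours: int = 48,
                          min_cents: int = 1_000_000) -> List[dict]:
    """Return one alert per large credit that is cancelled by a debit of the
    identical amount on the same account within `window_hours`.

    Amounts are integer cents so the equality test is exact. The default
    threshold (10,000.00 in the ledger currency) is a constructed value.
    """
    window = timedelta(hours=window_hours)
    by_account: Dict[str, List[Txn]] = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_account.setdefault(t.account, []).append(t)

    alerts: List[dict] = []
    for account, items in by_account.items():
        for i, credit in enumerate(items):
            if credit.cents < min_cents:
                continue  # only large incoming amounts are of interest
            for later in items[i + 1:]:
                if later.ts - credit.ts > window:
                    break  # items are time-sorted; nothing further can match
                if later.cents == -credit.cents:
                    alerts.append({
                        "account": account,
                        "credit_at": credit.ts,
                        "debit_at": later.ts,
                        "cents": credit.cents,
                    })
                    break
    return alerts


def constructed_ledger() -> List[Txn]:
    """Constructed sample transactions; only ACC-1001 shows the pattern."""
    return [
        # large credit mirrored by an identical debit the next day -> alert
        Txn(datetime(2015, 3, 2, 9, 0), "ACC-1001", 5_000_000),
        Txn(datetime(2015, 3, 3, 14, 0), "ACC-1001", -5_000_000),
        # large credit, but the later debit is a different amount -> no alert
        Txn(datetime(2015, 3, 2, 9, 0), "ACC-2002", 5_000_000),
        Txn(datetime(2015, 3, 3, 14, 0), "ACC-2002", -1_200_000),
        # mirrored pair below the threshold -> no alert
        Txn(datetime(2015, 3, 2, 9, 0), "ACC-3003", 100_000),
        Txn(datetime(2015, 3, 2, 10, 0), "ACC-3003", -100_000),
        # mirrored pair, but four days apart (outside the window) -> no alert
        Txn(datetime(2015, 3, 1, 9, 0), "ACC-4004", 5_000_000),
        Txn(datetime(2015, 3, 5, 9, 0), "ACC-4004", -5_000_000),
    ]


if __name__ == "__main__":
    for alert in find_mirrored_credits(constructed_ledger()):
        print(f"{alert['account']}: {alert['cents'] / 100:,.2f} credited "
              f"{alert['credit_at']} and debited {alert['debit_at']}")
```

The check deliberately keys on exact amount equality within a bounded window rather than on account ownership, because, as the article notes, the transactions themselves looked legitimate to the bank; the anomaly is the round trip, not any single leg.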

In other cases, hackers used malware to target networks controlling ATM
machines, triggering them to dispense cash at specific times so that
associates could take it from the machine. When an individual bank became
aware it was being targeted and took steps to stop the fraudulent
transactions, the attackers would have already stolen substantial sums, and
simply moved on to their next victim.

Hijacking customers’ accounts
It isn’t just banks’ networks that are targeted by hackers. 2012’s
‘Eurograbber’ attack targeted mobile banking services to steal nearly R583M
from the accounts of over 30,000 customers of over 30 banks in four
European countries, using malware that targeted and infected both the PCs
and mobile phones of customers.

This sophisticated two-stage attack allowed hackers to intercept the unique
SMS-based authentication codes generated by banks to authorise
transactions. The criminals could then steal money from individuals’
accounts by making transfers to a series of external ‘mule’ accounts. The
fraudulent transactions were completely transparent to customers, and from
the banks’ viewpoint, appeared legitimate as they used the appropriate
authorisation codes. The attackers even restricted the maximum amount
stolen per transaction to a percentage of the account’s balance, helping
them to remain undetected.

Securing the human factor
So how should banks secure themselves against such online threats? A common
factor across all of these attacks is that no matter how sophisticated the
malware or mechanism of action, the starting point is a simple, targeted
phishing email, typically containing a file attachment with the malware
payload. Once the bank employee (or customer) clicks the attachment, or a
link directing them to an infected website, the security of the bank or the
customer’s PC is compromised.

In a majority of cases, these targeted emails are able to evade
conventional security defences because the attackers use obfuscation tools
to conceal the malware’s identity from traditional signature-based
antivirus solutions. This means that even older, known malware can be
disguised and slip under the security radar. To mitigate this risk,
organisations can add an extra layer of defence against malware using a
technique known as threat emulation or ‘sandboxing.’ This analyses the
files carried in emails for virus-like behaviour, and isolates any
suspicious files before they arrive in employees’ email inboxes and risk
infecting networks through an accidental click.

Employee education about email- and web-based infections is also an
important step. Teaching staff to watch for vital email social-engineering
clues – such as misspelled emails, unexpected email attachments or links –
can make a big difference in reducing the risks of a hacking attempt being
successful.

Customer protection
As we’ve seen with the Eurograbber theft, online bank fraud can also target
the banks’ customers. As such, the best protection against possible future
attacks is to ensure that banking customers have up-to-date protection on
the PC or devices they use for online banking.

Users should be encouraged to have up-to-date antivirus software and a
firewall on their home PCs. Cost is not an issue here: there are free
solutions from ZoneAlarm and others that deliver protection matching
leading paid-for products. Another key preventative measure is for users to
regularly install software updates and patches, to keep security as current
as possible. It’s also worth reiterating to online banking users that their
banks should never send an unsolicited email, and so the user should not
respond to these as they are likely to be phishing mails.

In conclusion, even the most sophisticated attacks against banks start with
the same, simple steps that try to exploit people’s weaknesses. Stopping
these attacks requires a mix of employee (and customer) awareness, and
updated, comprehensive security protections on both bank networks and their
customers’ computers. With these measures, there’s the best possible chance
that future attempts at cybercrime won’t pay.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 