Information Security News mailing list archives

Banks: A veil of safety


From: InfoSec News <isn () c4i org>
Date: Thu, 2 May 2002 02:12:23 -0500 (CDT)

http://news.com.com/2009-1017-893226.html

By Sandeep Junnarkar
Staff Writer, CNET News.com
April 30, 2002, 4:00 AM PT 

Late one recent Sunday night, an executive at a midsized financial
services firm received the kind of call everyone in the industry
dreads: a demand for $1 million, or else the brokerage's network would
crash the next day with a surreptitiously installed program.

The firm's security team spent a frenzied night searching for the
pernicious code but failed to find it, and the system went down for an
hour in the morning. The executive's phone rang once more: The caller
threatened to crash the system again, but this time during peak
trading hours. The brokerage, in this case, paid up.

"We figured out how the person got in and patched the system," said Ed
Skoudis, a hacking expert at security firm Predictive Systems, which
was called in to fortify the company's networks. "We deal with about
two intrusions per month, and we're just one of the many teams out
there doing this work. We're not dealing with denial-of-service
attacks or script kiddies playing around, but skilled financial
intrusions."

Although electronic break-ins are nothing new, their frequency has
been quietly mounting in recent years as more banks rush online to
provide services for consumers who are finally using the Web in
significant numbers to manage their money. The popularity of online
banking is projected to grow from 22 million households in 2002 to 34
million in 2005, according to Financial Insite, publisher of the
Online Banking Report newsletter.

While not explosive, that steady increase represents a sea change in
public perception about online banking, in many ways one of the last
frontiers of electronic commerce. Along with safeguarding medical
histories, many people view their financial information as a sacred
totem--a record of their past and a window into their nest egg for the
future--and are increasingly distrustful of financial institutions in
today's climate of Enron-inspired paranoia.

"Let's face it, a bank is in the business of trust," said Mark Rasch,
the former head of the U.S. Justice Department's computer crimes unit.  
"The reason you go to a bank is because you trust them not only to
give you a good rate of return on your money, but also to keep your
money safe and secure, and to protect your privacy associated with
your finances. Attacks on the electronic infrastructure are attacks on
all three of those."

An $11 billion secret

No comprehensive records on computer-related crime are public, but it
is estimated to drain as much as $11 billion per year from consumers
and corporations in the United States alone, with a growing portion
coming from financial institutions. In their annual joint study
released in April, the FBI and the Computer Security Institute, a
security advocacy group, noted that the combined financial losses for
223 of 503 companies that responded to their survey came to $455
million.

Often, the highest cost for financial institutions is not the loss of
money directly from theft but the expense of fortifying their systems
to avoid repeat intrusions. Security experts estimate that a bank can
spend upward of $1 million on equipment and consulting after a single
incident to repair flawed technologies, which can require far more
vigilance than the surveillance cameras, alarms and guards used to
secure physical branch offices.

"Based on our examinations, we have seen an increase in security
events over the past several years," said John Carlson, a senior
adviser for bank technology at the Office of the Comptroller of the
Currency, which monitors U.S. banks as an arm of the Treasury
Department. "I am telling you that security incidents are definitely
increasing."

The true depth of the problem remains unknown, however, as banking
sources acknowledge that the industry releases as little information
as possible on such incidents. Although some high-profile intrusions
and technical blunders have been impossible to keep out of the news
media, the vast majority rarely come to public light.

When banks suspect criminal activity, the Treasury Department requires
them to file "Suspicious Activity Reports," bulletins originally used
to track tax evaders and money launderers. The agency releases only
limited information about the data it collects on breaches and other
security incidents.

"We don't supply that information, and we don't really want to supply
that information," Carlson said. "If such a report were made public,
banks might shy away from reporting their suspicions. In addition,
making such reports public would be unfair and prejudicial to the
subject, against whom there have been no formal charges or findings
leveled."

But consumer organizations say more public disclosure is needed. They
note that banks are notorious for pushing to shield many aspects of
their operations from scrutiny, employing armies of lobbyists to
pursue their agendas on Capitol Hill.

"If there is increasing concern about break-ins and security with
online banking, I believe the government should be clearer about the
insecure nature of these online banking services," said Edmund
Mierzwinski, a consumer banking advocate with the U.S. Public Interest
Research Group, the national lobbying office for state non-partisan
public-interest groups.

Insurance against sabotage

With such high stakes, all parties involved inevitably blame each
other when a breach occurs, because there are so many points of
potential vulnerability in the vast and complex systems of financial
operations: hosting companies, Internet service providers, databases,
transaction software and all manner of hardware. And all hope to
deflect the legal liability inevitably associated with such incidents.

Accordingly, banks are turning to insurance companies because their
coverage has failed to keep up with risks related to the Internet.  
Traditional insurance for banks covers robberies, but the new policies
specifically deal with losses stemming from entire systems crashing
because of sabotage or hacker or virus attacks that destroy data and
programs.

Progressive and Chubb are among those now offering policies tailored
to shield banks from losses resulting from computer intrusions.  
Progressive said that hundreds of small community banks have signed up
for its Internet Banking Protection Package since it introduced the
policy last summer.

"We are getting more and more interest from banks as they realize the
risks," said Judi Kovach, a Progressive manager. "We had to enhance
our insurance to include Internet banking exposure because the
traditional coverage was written 100 years ago."

Some of these new policies also cover liability issues in case a
customer sues because his privacy was breached. The federal government
insures each bank account up to $100,000, but that applies only when
an entire institution collapses.

Security breaches have not been confined to younger, Internet-only
banks like NetBank in the United States and Egg in Britain;  
established global leaders such as Citibank, Credit Suisse Group's
Direct Net and Barclays Bank have proven vulnerable as well. Security
lapses have also been reported by regional institutions such as Wells
Fargo in California, Republic Bank in Florida and First Virginia.

Moreover, security concerns involving online banking are rising with
the advance of Web services, a new way of writing software that makes
it easier to link systems and get information online. If this budding
industry takes hold, people may find their private information on
vulnerable servers or databases connected somewhere to the Net
regardless of whether they have ever banked online.

"Many old-guard banks depend on legacy systems like mainframes.  
There's also corporate desktop systems and branch computers and ATMs;  
all live on the network, and all have some degree of access," said
Adrian Lamo, a self-described "ethical hacker" whose conquests include
the New York Times' internal network, where he viewed the Social
Security numbers and other private information of former President
Jimmy Carter and hip-hop artist Queen Latifah, among others. "Even
branch terminals are frequently older and obscure, potentially
vulnerable to anyone knowledgeable in their foibles."

The weakest links

One notoriously weak link, for example, is a Microsoft server in wide
use. Early last year the FBI's National Infrastructure Protection
Center warned that several organized hacker groups from Russia and the
Ukraine were targeting online banks and other e-commerce sites by
exploiting vulnerabilities in un-patched versions of Microsoft's
Internet Information Server software. The FBI advisory blamed the
international groups for online break-ins at 40 companies in 20
states.

In its regular security alert, Microsoft detailed how a computer
connecting to the server could exploit a feature meant to allow
controlled Internet access to a database, secretly redirecting
information back to the intruder. Using this method, according to the
FBI, hackers gained unauthorized access and downloaded proprietary
bank information, customer databases and credit card numbers.

They then coolly turned around and notified companies of the
intrusion, offering services to patch their systems against further
attacks. If a company declined to pay for their services, the hackers
became more belligerent and threatened to sell pilfered customer
information. In October, the FBI reissued the advisory to emphasize
that this particular line of attack was still a dangerous threat.

Microsoft had released patches to plug that particular security hole
in 1998 and reissued security bulletins to customers through 2000, but
many companies failed to make the repairs. The scenario exemplifies
how such "fixes" are routinely ignored by many systems
administrators--if they are aware of the problem at all--and
underscores the ease of denying culpability when a system is breached.  
The banks can blame Microsoft, while the software giant can point to
negligent technology departments at the financial institutions.

Complicating matters further, the type of software used by financial
institutions can vary widely from company to company. The larger
institutions develop software tailored to their systems, while smaller
banks try to customize off-the-shelf technologies. In either case,
vulnerabilities are likely.

"It turns out that the specialized, in-house stuff has more security
holes than the off-the-shelf ones," said a former investigator for the
Treasury Department who is now a head of security for a multinational
bank. "If you use an off-the-shelf system, you may have a secure
infrastructure, but if you configure it poorly or customize it, you
could introduce holes to it."

The latter occurred with a small, regional financial institution that
enlisted an outside security team to evaluate an off-the-shelf system
it had already begun to use. The consultants found one field of data
that was exchanged between the server and browser that required a
four-digit number between 1 and 10,000--from 0001 to 9999--that was
generated automatically by the application.

"If we could successfully guess this number, we could become some
user. The fact is that 1 in 10,000 doesn't take long to guess if I can
guess 100 permutations per minute with an automated number generator,"  
said Predictive's Skoudis, who did not disclose the identity of the
bank involved. "We weren't told if we were called in because of an
incident, but the vulnerability was there and a present threat."
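The guessable four-digit value described above, as an added example that is not the bank's or the consultants' code: it models the weak scheme beside a 128-bit replacement, computes the expected guessing time at the 100 guesses per minute Skoudis quotes, and shows the server-side failure counter a defender would add so that a guessing loop is cut off long before it gets near 10,000 tries. Function names, the lockout threshold and the sample tokens are assumptions.

```python
import secrets

WEAK_SPACE = 10_000          # four decimal digits, 0000 through 9999
GUESSES_PER_MINUTE = 100     # attacker rate quoted in the article


def weak_token() -> str:
    """The flawed scheme: a four-digit decimal number (constructed model)."""
    return f"{secrets.randbelow(WEAK_SPACE):04d}"


def strong_token() -> str:
    """Hardened replacement: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(16)


def expected_minutes_to_guess(space: int, rate_per_minute: int) -> float:
    """Expected minutes until an online guesser hits the one live token,
    guessing uniformly without repeats: on average half the space is tried."""
    return (space / 2) / rate_per_minute


class GuessThrottle:
    """Server-side mitigation: count failed token checks per client and refuse
    further checks once max_failures is reached (hypothetical helper)."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}

    def check(self, client_id: str, token: str, valid_tokens: set[str]) -> bool:
        # Locked-out clients are rejected even if they finally guess right.
        if self.failures.get(client_id, 0) >= self.max_failures:
            return False
        if token in valid_tokens:
            return True
        self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return False


if __name__ == "__main__":
    print("weak token:", weak_token(), "strong token:", strong_token())
    print("4 digits at 100/min:", expected_minutes_to_guess(WEAK_SPACE, GUESSES_PER_MINUTE), "min")
    print("128 bits at 100/min:", expected_minutes_to_guess(2**128, GUESSES_PER_MINUTE), "min")
```

The weak scheme falls in about 50 minutes at the quoted rate; the 128-bit token does not fall in any meaningful time, and the throttle stops the loop after a handful of attempts regardless of token size.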

Hackers often target hosting companies and ISPs, usually the weakest
links in the chain, to bypass firewalls. In December, Lamo broke into
MCI WorldCom's ISP network and was able to view the secure networks of
Citibank and Bank of America, which ran over leased lines.

Lamo exploited something called an "open proxy," a server normally
used by a company to filter data on an Internet connection. The open
proxy had been mistakenly installed on a Web server when it was first
configured, leaving it exposed.

"Any intruder could have taken control of the routers with the
information I had," Lamo said.

Sometimes, all it takes is one errant ISP connection to bring down an
entire system.

Even a bank with a fully protected internal network could find itself
exposed if a teller were to sign on to a personal America Online
account from inside the network, for example. This could happen
because AOL forms a virtual network adapter and assigns a separate IP
address, according to Lamo.

"That automatically creates something of a tunnel through many
firewalls when the user signs on," Lamo said, explaining that while
that bank network remains secure, a workstation within the bank
becomes vulnerable by way of the AOL address.

This scenario was exploited less than two years ago when intruders
cracked one of AOL's customer information databases by establishing a
connection to the computers of some of the company's customer service
representatives. "It illustrates how any organization can't really
prepare against all possibilities when they're using a public
network," Lamo said.

Human error

Despite all the possible technical weaknesses in the online banking
infrastructure, humans often present far more risk than any
technology. Investigators and security experts note that a bank
insider more often than not plays a role in security breaches.

An insider can be someone working at any point along the financial
network infrastructure, from a current or former employee in the
bank's technology department to someone affiliated with an
off-the-shelf software company.

"Insiders know your systems. They can inflict the most damage,"  
Skoudis said. "They might be gone for months but may have installed
remote-control software to get in from anywhere."

Investigators and security experts said the pressure and worry that
built steadily to make sure that computer systems were ready for the
infamous Y2K bug presented a great opportunity for insiders to "go
bad."

"Financial institutions were running around like mad, hiring people
right out of the phone book to make sure they could put up all the
signs and banners saying, 'We are Y2K ready--don't pull all your money
out,'" said Hale Guyer, a special investigator and member of the
Illinois attorney general's Task Force on the Investigation of
Internet Crime and Child Exploitation. "They all did very poor
background checks because of the rush. What would have kept one of
those people from putting in a back door to your systems?"

Even without inside help, hackers can prey on what investigators say
is the most susceptible link of all: the bank customer tapping in from
home, often on a computer with little or no security software. This
person presents the most tempting target, the one least aware of how
much damage can be done simply by opening an e-mail attachment or
clicking a link.

Home PCs still routinely fall victim to "Trojan horses," types of
software that pretend to do something useful but in fact punch
security holes in individual systems and allow hackers to log
keystrokes or record conversations if a microphone is attached to the
computer. Lamo said most of the fraud discussed on less-sophisticated
hacker chats relates to stealing information using Trojan horses.

This stolen information is still only one phase of a process that
takes weeks of work, requiring a hacker to painstakingly gather all
the information necessary to impersonate someone online. But that may
change with newer, more sophisticated hacking technologies.

"It is likely that we will see automated attacks appearing eventually,
using viruses to attack many users of online banking
indiscriminately," said Mike Bond, a computer security researcher at
Cambridge University. He added, though, that this is unlikely to occur
in the near future.

Bond and his colleague Richard Clayton made headlines last year when
they developed a program that allowed them to bypass one of IBM's most
secure cryptographic co-processors, a system used to store PIN codes
for ATMs. The researchers demonstrated the breach on a laboratory
computer, and IBM subsequently fixed the flaw.

"No matter how great a job you do, a determined attacker will
eventually find some sort of problem," Bond said. "You have to find
just one fault to exploit, while banks need to cover all possible
faults."
