Banks are more serious about information security than most companies in other industries, but they’re still regularly robbed to the tune of millions and even billions of dollars. In 2016, $81 million was siphoned from the Bank of Bangladesh—just one of many gang attacks. Last year, thieves took $100 million in a surge of attacks in Eastern Europe, $60 million in fraudulent transfers from a bank in Taiwan, $4 million in wrongful withdrawals from banks in Nepal, $1.5 million through attacks on card processing and interbank transfers in the United States and Russia, and more.
Penetration testers at Positive Technologies set out to discover why banks remain highly vulnerable to attacks and incur such huge monetary losses, despite massive security investments and ongoing security diligence. Penetration testing simulates how an actual intruder would get in, and what they would likely do once inside. In this particular study on bank attacks, Positive Technologies testers share the results of three years of external and internal penetration testing.
The typical bank’s perimeter is strictly guarded, yet in 100 percent of cases the penetration testers were able to gain full control over bank network infrastructure. At more than half of the tested banks (58 percent), attackers got in via unauthorized access to financial applications. And at 25 percent of the banks, penetration testers were able to compromise the workstations used for ATM management.
Perhaps most shocking was that at 17 percent of the tested banks, attackers were able to move massive amounts of money to criminal-controlled accounts via interbank transfers. And, because card processing systems were poorly defended, attackers could also manipulate the balance of card accounts.
Turning Security Inside Out
Interestingly, successful bank attacks typically begin on the inside.
“Despite the focus by banks to protect the perimeter from external attacks, they are still not ready to defend against attacks that start from the inside—be they employee mistakes, malicious insiders, or outside criminals using employees to launch attacks,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, a global provider of security products and the author of the study.
Regardless of the large investments in security, banks are still susceptible to problems with the human factor. Some of the usual forms of attack succeed at banks as well, and as often, as they do elsewhere.
Phishing, for example, is highly successful at banks. Employees at 75 percent of the tested banks clicked on phishing email messages, and employees at 25 percent of banks entered their credentials on fake authentication forms. At 25 percent of the banks, at least one employee also opened a malicious attachment.
But perhaps the most shocking of the inside threats is found in the announcements on hacker forums offering the services of bank insiders, including money laundering. The study revealed that in some cases, “the privileges of an employee with mere physical access to network jacks (such as a janitor or security guard) are enough for a successful attack.”
Modern-day attacks on banks anywhere in the world are largely executed by criminal gangs. Among the most active in recent years are Cobalt (likely related to Buhtrap), Carbanak, Lazarus and Lurk, according to the study.
Many of them began as geographically pinned threats. For example, the Cobalt gang attacked financial institutions in the CIS, Eastern Europe and Southeast Asia but has since spread out to also attack Western Europe and North and South America. They also expanded their targets to include investment funds, stock exchanges and other types of financial institutions.
At banks, the Cobalt gang likes to empty ATMs without physically tampering with them. The Lazarus gang, on the other hand, prefers to use the SWIFT system to steal vast amounts of money by electronic transfers between accounts. In 2016, the gang aimed to siphon $1 billion from the Central Bank of Bangladesh but only got $81 million because the gang messed up the payment documentation.
In short, attacks on financial institutions are some of the costliest in the history of hacks.
“The good news is that it’s possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken,” said Galloway.
Banks are continuing to pour money into additional security measures, some of which are new technologies such as blockchain and machine learning.
“There are regulators in other industries; however, banks have strong motivation to improve their security and the funds to do it. It should be noted that this mainly applies to large and medium-sized banks which are in the sample of the research. In small banks, the problems of information security are much more serious,” said Galloway.