In late 2014 a major bank cyber heist was spotted. This has become known as the infamous ‘Carbanak’ attack and may have resulted in over $1 billion being stolen from accounts across 100 financial institutions worldwide. The Carbanak heist was carried out using standard email phishing techniques, which installed malware designed to steal login credentials and other data. Cyber-robbery of this nature is an exploitation of the banking sector’s innovative approach to customer service. Banking has become much more convenient in the last decade. Banks have listened to their clients, and created more competitive and convenient banking through online, and now mobile banking solutions. From a customer’s point of view this has made banking a much more seamless part of our lives being easy to access from anywhere, at anytime. From a bank’s perspective it has streamlined many banking processes. However, the phishing storm clouds are gathering ever closer to the banking industry. Online access, as well as giving the customer greater access powers to their account, has also offered a way in to our banking portals for the cybercriminal. Attacks like Carbanak will continue unless we take steps to stop them.
Bank Phishing – Tricks of the Trade?
There are a number of highly successful cyber threats that are based on phishing or spear phishing techniques. In general phishing is used to exploit banking credentials for the purpose of theft, either directly, through spoof sites, or using installed malware. Some examples include:
Bank-Targeted Phishing
Bank phishing attempts are focused on staff – often IT administration staff. Spear phishing, a variant of phishing, is a very successful method based on social engineering, i.e. understanding and exploiting human behavior and specifically targeting a known user. Symantec in their ‘Internet Security Threat Report 2016’ found that in 2015, 55% of employees were targeted in a spear phishing attack, with the finance sector being the most targeted industry.
The JP Morgan breach of 2014 is a perfect example of this successful method in action. The JP Morgan breach was hailed as one of the largest banking breaches of all time, where 83 million customer accounts were hacked. The attack successfully stole the login credentials, using a spear phishing email, which targets known users. Once the credentials were in the hands of the hacker, they had access to the JP Morgan server and their customer account data. The real issue in the JP Morgan breach was that the server only used a username and password to control access. If second factor was implemented (also known as 2FA or two-factor authentication) then the threshold for a phishing attack would have been much higher, and the cybercriminals would have failed.
Customer-Targeted Phishing – Companies
Business Customers are being targeted through a technique known as ‘Business Email Scams’ or BES. A BES threat is highly sophisticated, the cybercriminal taking time to understand their victim and whom they supply. They use social engineering tricks to fool employees of a business into thinking they have received an email from a high level executive, such as a CFO or CEO. The email usually has an urgent request to transfer money to a bank account (owned by the cybercriminal).
This technique is very successful. In the USA the FBI has given stark warning about this technique, saying that over $2.3 billion was lost through this type of cyber-attack between 2013 and 2016. They have also found that there has been a massive increase of over 270% in BES attacks in the last year.
Customer-Targeted Phishing – Individuals
Mobile Banking is being targeted with malware specifically written to exploit mobile banking users. A particularly sophisticated phishing approach, named Android.fakelogin, works by spotting which mobile banking app a person is using, and then dynamically overlaying a spoof interface which captures the users login credentials as they enter them into the spoof page.
And traditional phishing is also moving over to the mobile. ‘Smishing’ is the new black when it comes to phishing. Smishing is a text message that has links to a spoof site, identical to the bank site, which requests login credentials. Banks are increasingly communicating with customers using text messages, so customers are used to receiving texts from their bank. Banks are also offering instant bank transfers using mobile apps. Together these innovations have cleared the way for the rise of smishing to extort money from banking customers. In the UK a number of banks have become smishing targets.
Who is Liable for The Attacks?
The question of liability is always at the end of a conversation about the loss of money through criminal activity. The liability of such crimes varies across countries and across account types. In the USA, for example, an individual’s account is protected under Federal Reserve Regulation E (12 C.F.R. Part 205); banks having to recompense an individual if their account is hacked. However, there is less protection in the USA for business bank accounts. In Europe, the European Banking Authority (EBA) has set strict guidelines for checking the authentication of the person making a bank transfer to limit liability against the bank. However, the EBA guidelines make specific exclusions, such as mobile payments from an app. The ‘fault’ question is one that continues to cause debate and as technology improves we will no doubt see changes to legislation in this area.
What Actions Can Mitigate Banks and Cybercrime?
As far as managing security within the organization, PWC has identified the banking supply chain as being a key area of concern. In the 2016 report, ‘Turnaround and transformation in cybersecurity: Financial services’, PWC suggest the use of risk based security frameworks as a solution to this. Risk based authentication or ‘adaptive authentication’ is one area that is highly effective in managing phishing and spear phishing attempts. Adaptive authentication uses an intelligent approach to authentication, by recognizing the level of risk within any given login event. For example, it can request a higher level of login credential if the user is attempting access from an unknown IP address – ideal for preventing a spear phishing attack, whilst not impacting on usability of a system.
In terms of consumer and business banking, security awareness is key to managing the threat of phishing. Banks have a duty of care to educate their customers about current threats, including BES and smishing. However, customers do have to take steps to prevent infection from malware laden phishing emails and malicious sites. This includes ensuring they are running the most up to date software; ensuring patches are current as well as running antivirus software.
As banks move more into mobile banking, the use of advanced authentication measures such as biometrics are needed to ensure that instant payments and banking apps are protected.
United Security Providers (USP) were one of the first technology vendors to work in the area of online banking and security. USP has been working with Credit Suisse to ensure their banking provisioning had state of the art security applied to harden the Credit Suisse’s own security architecture. USP’s Secure Entry Sever (SES) was an early implementer of strong authentication, particularly 2FA, recognizing that spear phishing must be controlled through intelligent application of security. But if you do end up successfully phished, USP also offer fraud detection systems which mitigate the risks and outcomes of a successful phishing attack.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.