[ISN] Banks: A veil of safety

From: InfoSec News (isnat_private)
Date: Thu May 02 2002 - 00:12:23 PDT

  • Next message: InfoSec News: "[ISN] Hackers spur shutdown of computer server for Navy"

    By Sandeep Junnarkar
    Staff Writer, CNET News.com
    April 30, 2002, 4:00 AM PT 
    Late one recent Sunday night, an executive at a midsized financial
    services firm received the kind of call everyone in the industry
    dreads: a demand for $1 million, or else the brokerage's network would
    crash the next day with a surreptitiously installed program.
    The firm's security team spent a frenzied night searching for the
    pernicious code but failed to find it, and the system went down for an
    hour in the morning. The executive's phone rang once more: The caller
    threatened to crash the system again, but this time during peak
    trading hours. The brokerage, in this case, paid up.
    "We figured out how the person got in and patched the system," said Ed
    Skoudis, a hacking expert at security firm Predictive Systems, which
    was called in to fortify the company's networks. "We deal with about
    two intrusions per month, and we're just one of the many teams out
    there doing this work. We're not dealing with denial-of-service
    attacks or script kiddies playing around, but skilled financial
    Although electronic break-ins are nothing new, their frequency has
    been quietly mounting in recent years as more banks rush online to
    provide services for consumers who are finally using the Web in
    significant numbers to manage their money. The popularity of online
    banking is projected to grow from 22 million households in 2002 to 34
    million in 2005, according to Financial Insite, publisher of the
    Online Banking Report newsletter.
    While not explosive, that steady increase represents a sea change in
    public perception about online banking, in many ways one of the last
    frontiers of electronic commerce. Along with safeguarding medical
    histories, many people view their financial information as a sacred
    totem--a record of their past and a window into their nest egg for the
    future--and are increasingly distrustful of financial institutions in
    today's climate of Enron-inspired paranoia.
    "Let's face it, a bank is in the business of trust," said Mark Rasch,
    the former head of the U.S. Justice Department's computer crimes unit.  
    "The reason you go to a bank is because you trust them not only to
    give you a good rate of return on your money, but also to keep your
    money safe and secure, and to protect your privacy associated with
    your finances. Attacks on the electronic infrastructure are attacks on
    all three of those."
    An $11 billion secret
    No comprehensive records on computer-related crime are public, but it
    is estimated to drain as much as $11 billion per year from consumers
    and corporations in the United States alone, with a growing portion
    coming from financial institutions. In their annual joint study
    released in April, the FBI and the Computer Security Institute, a
    security advocacy group, noted that the combined financial losses for
    223 of 503 companies that responded to their survey came to $455
    Often, the highest cost for financial institutions is not the loss of
    money directly from theft but the expense of fortifying their systems
    to avoid repeat intrusions. Security experts estimate that a bank can
    spend upward of $1 million on equipment and consulting after a single
    incident to repair flawed technologies, which can require far more
    vigilance than the surveillance cameras, alarms and guards used to
    secure physical branch offices.
    "Based on our examinations, we have seen an increase in security
    events over the past several years," said John Carlson, a senior
    adviser for bank technology at the Office of the Comptroller of the
    Currency, which monitors U.S. banks as an arm of the Treasury
    Department. "I am telling you that security incidents are definitely
    The true depth of the problem remains unknown, however, as banking
    sources acknowledge that the industry releases as little information
    as possible on such incidents. Although some high-profile intrusions
    and technical blunders have been impossible to keep out of the news
    media, the vast majority rarely come to public light.
    When banks suspect criminal activity, the Treasury Department requires
    them to file "Suspicious Activity Reports," bulletins originally used
    to track tax evaders and money launderers. The agency releases only
    limited information about the data it collects on breaches and other
    security incidents.
    "We don't supply that information, and we don't really want to supply
    that information," Carlson said. "If such a report were made public,
    banks might shy away from reporting their suspicions. In addition,
    making such reports public would be unfair and prejudicial to the
    subject, against whom there have been no formal charges or findings
    But consumer organizations say more public disclosure is needed. They
    note that banks are notorious for pushing to shield many aspects of
    their operations from scrutiny, employing armies of lobbyists to
    pursue their agendas on Capitol Hill.
    "If there is increasing concern about break-ins and security with
    online banking, I believe the government should be clearer about the
    insecure nature of these online banking services," said Edmund
    Mierzwinski, a consumer banking advocate with the U.S. Public Interest
    Research Group, the national lobbying office for state non-partisan
    public-interest groups.
    Insurance against sabotage
    With such high stakes, all parties involved inevitably blame each
    other when a breach occurs, because there are so many points of
    potential vulnerability in the vast and complex systems of financial
    operations: hosting companies, Internet service providers, databases,
    transaction software and all manner of hardware. And all hope to
    deflect the legal liability inevitably associated with such incidents.
    Accordingly, banks are turning to insurance companies because their
    coverage has failed to keep up with risks related to the Internet.  
    Traditional insurance for banks covers robberies, but the new policies
    specifically deal with losses stemming from entire systems crashing
    because of sabotage or hacker or virus attacks that destroy data and
    Progressive and Chubb are among those now offering policies tailored
    to shield banks from losses resulting from computer intrusions.  
    Progressive said that hundreds of small community banks have signed up
    for its Internet Banking Protection Package since it introduced the
    policy last summer.
    "We are getting more and more interest from banks as they realize the
    risks," said Judi Kovach, a Progressive manager. "We had to enhance
    our insurance to include Internet banking exposure because the
    traditional coverage was written 100 years ago."
    Some of these new policies also cover liability issues in case a
    customer sues because his privacy was breached. The federal government
    insures each bank account up to $100,000, but that applies only when
    an entire institution collapses.
    Security breaches have not been confined to younger, Internet-only
    banks like NetBank in the United States and Egg in Britain;  
    established global leaders such as Citibank, Credit Suisse Group's
    Direct Net and Barclays Bank have proven vulnerable as well. Security
    lapses have also been reported by regional institutions such as Wells
    Fargo in California, Republic Bank in Florida and First Virginia.
    Moreover, security concerns involving online banking are rising with
    the advance of Web services, a new way of writing software that makes
    it easier to link systems and get information online. If this budding
    industry takes hold, people may find their private information on
    vulnerable servers or databases connected somewhere to the Net
    regardless of whether they have ever banked online.
    "Many old-guard banks depend on legacy systems like mainframes.  
    There's also corporate desktop systems and branch computers and ATMs;  
    all live on the network, and all have some degree of access," said
    Adrian Lamo, a self-described "ethical hacker" whose conquests include
    the New York Times' internal network, where he viewed the Social
    Security numbers and other private information of former President
    Jimmy Carter and hip-hop artist Queen Latifah, among others. "Even
    branch terminals are frequently older and obscure, potentially
    vulnerable to anyone knowledgeable in their foibles."
    The weakest links
    One notoriously weak link, for example, is a Microsoft server in wide
    use. Early last year the FBI's National Infrastructure Protection
    Center warned that several organized hacker groups from Russia and the
    Ukraine were targeting online banks and other e-commerce sites by
    exploiting vulnerabilities in un-patched versions of Microsoft's
    Internet Information Server software. The FBI advisory blamed the
    international groups for online break-ins at 40 companies in 20
    In its regular security alert, Microsoft detailed how a computer
    connecting to the server could exploit a feature meant to allow
    controlled Internet access to a database, secretly redirecting
    information back to the intruder. Using this method, according to the
    FBI, hackers gained unauthorized access and downloaded proprietary
    bank information, customer databases and credit card numbers.
    They then coolly turned around and notified companies of the
    intrusion, offering services to patch their systems against further
    attacks. If a company declined to pay for their services, the hackers
    became more belligerent and threatened to sell pilfered customer
    information. In October, the FBI reissued the advisory to emphasize
    that this particular line of attack was still a dangerous threat.
    Microsoft had released patches to plug that particular security hole
    in 1998 and reissued security bulletins to customers through 2000, but
    many companies failed to make the repairs. The scenario exemplifies
    how such "fixes" are routinely ignored by many systems
    administrators--if they are aware of the problem at all--and
    underscores the ease of denying culpability when a system is breached.  
    The banks can blame Microsoft, while the software giant can point to
    negligent technology departments at the financial institutions.
    Complicating matters further, the type of software used by financial
    institutions can vary widely from company to company. The larger
    institutions develop software tailored to their systems, while smaller
    banks try to customize off-the-shelf technologies. In either case,
    vulnerabilities are likely.
    "It turns out that the specialized, in-house stuff has more security
    holes than the off-the-shelf ones," said a former investigator for the
    Treasury Department who is now a head of security for a multinational
    bank. "If you use an off-the-shelf system, you may have a secure
    infrastructure, but if you configure it poorly or customize it, you
    could introduce holes to it."
    The latter occurred with a small, regional financial institution that
    enlisted an outside security team to evaluate an off-the-shelf system
    it had already begun to use. The consultants found one field of data
    that was exchanged between the server and browser that required a
    four-digit number between 1 and 10,000--from 0001 to 9999--that was
    generated automatically by the application.
    "If we could successfully guess this number, we could become some
    user. The fact is that 1 in 10,000 doesn't take long to guess if I can
    guess 100 permutations per minute with an automated number generator,"  
    said Predictive's Skoudis, who did not disclose the identity of the
    bank involved. "We weren't told if we were called in because of an
    incident, but the vulnerability was there and a present threat."
    Hackers often target hosting companies and ISPs, usually the weakest
    links in the chain, to bypass firewalls. In December, Lamo broke in to
    MCI WorldCom's ISP network and was able to view the secure networks of
    Citibank and Bank of America, which ran over leased lines.
    Lamo exploited something called an "open proxy," a server normally
    used by a company to filter data on an Internet connection. The open
    proxy had been mistakenly installed on a Web server when it was first
    configured, leaving it exposed.
    "Any intruder could have taken control of the routers with the
    information I had," Lamo said.
    Sometimes, all it takes is one errant ISP connection to bring down an
    entire system.
    Even a bank with a fully protected internal network could find itself
    exposed if a teller were to sign on to a personal America Online
    account from inside the network, for example. This could happen
    because AOL forms a virtual network adapter and assigns a separate IP
    address, according to Lamo.
    "That automatically creates something of a tunnel through many
    firewalls when the user signs on," Lamo said, explaining that while
    that bank network remains secure, a workstation within the bank
    becomes vulnerable by way of the AOL address.
    This scenario was exploited less than two years ago when intruders
    cracked one of AOL's customer information databases by establishing a
    connection to the computers of some of the company's customer service
    representatives. "It illustrates how any organization can't really
    prepare against all possibilities when they're using a public
    network," Lamo said.
    Human error
    Despite all the possible technical weaknesses in the online banking
    infrastructure, humans often present far more risk than any
    technology. Investigators and security experts note that a bank
    insider more often than not plays a role in security breaches.
    An insider can be someone working at any point along the financial
    network infrastructure, from a current or former employee in the
    bank's technology department to someone affiliated with an
    off-the-shelf software company.
    "Insiders know your systems. They can inflict the most damage,"  
    Skoudis said. "They might be gone for months but may have installed
    remote-control software to get in from anywhere."
    Investigators and security experts said the pressure and worry that
    built steadily to make sure that computer systems were ready for the
    infamous Y2K bug presented a great opportunity for insiders to "go
    "Financial institutions were running around like mad, hiring people
    right out of the phone book to make sure they could put up all the
    signs and banners saying, 'We are Y2K ready--don't pull all your money
    out,'" said Hale Guyer, a special investigator and member of the
    Illinois attorney general's Task Force on the Investigation of
    Internet Crime and Child Exploitation. "They all did very poor
    background checks because of the rush. What would have kept one of
    those people from putting in a back door to your systems?"
    Even without inside help, hackers can prey on what investigators say
    is the most susceptible link of all: the bank customer tapping in from
    home, often on a computer with little or no security software. This
    person presents the most tempting target, the one least aware of how
    much damage can be done simply by opening an e-mail attachment or
    clicking a link.
    Home PCs still routinely fall victim to "Trojan horses," types of
    software that pretend to do something useful but in fact punch
    security holes in individual systems and allow hackers to log
    keystrokes or record conversations if a microphone is attached to the
    computer. Lamo said most of the fraud discussed on less-sophisticated
    hacker chats relates to stealing information using Trojan horses.
    This stolen information is still only one phase of a process that
    takes weeks of work, requiring a hacker to painstakingly gather all
    the information necessary to impersonate someone online. But that may
    change with newer, more sophisticated hacking technologies.
    "It is likely that we will see automated attacks appearing eventually,
    using viruses to attack many users of online banking
    indiscriminately," said Mike Bond, a computer security researcher at
    Cambridge University. He added, though, that this is unlikely to occur
    in the near future.
    Bond and his colleague Richard Clayton made headlines last year when
    they developed a program that allowed them to bypass one of IBM's most
    secure cryptographic co-processors, a system used to store PIN codes
    for ATMs. The researchers demonstrated the breach on a laboratory
    computer, and IBM subsequently fixed the flaw.
    "No matter how great a job you do, a determined attacker will
    eventually find some sort of problem," Bond said. "You have to find
    just one fault to exploit, while banks need to cover all possible
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 03:58:06 PDT