Below, Thanassis Diogos, Managing Consultant, SpiderLabs at Trustwave, discusses with Finance Monthly the intricate planning and plotting behind the recent Eastern European cyber hack on banks, which combined both physical and cyber methods of theft. Trustwave believes that this attack has the potential to spread to the UK and around the world.

Earlier this year Trustwave was called in to investigate several security breaches which had affected banks in Post-Soviet countries. These attacks appeared to be a hybrid of physical and cyber techniques, with people used as mules to open new bank accounts and cyber specialists using their skills to hack into the banks' systems. Banks which had been compromised suffered significant monetary losses, somewhere between USD$3 million and USD$10 million. Trustwave's investigation also discovered that the attacks shared common features: large financial losses originating from apparently legitimate customer accounts, and all thefts taking place at ATM locations outside of the bank's originating country, where the money was withdrawn using a legitimate debit card.

In some cases, the banks were not aware they were being breached until the attack was complete. However, there were cases where the malicious activity was picked up by the third-party processors who are responsible for processing credit and debit card transactions. Despite the large sums being stolen, the thefts were hard to detect because the debit cards had been acquired legitimately through the standard in-branch application process.

A closer look

Upon investigation of the third-party processors and the affected banks, we found a unique modus operandi behind the breaches. The criminal gang had used innovative attack tactics, techniques and procedures to successfully complete the attack campaign. The attack itself comprised two physical stages which topped and tailed it: the mules opened bank accounts in the initial phase and withdrew the funds in the final ATM cash-out phase. The cyber attack in between comprised four stages: obtaining unauthorised access to the bank's network, compromising the third-party processor's network, obtaining privileged access to the card management system and, finally, activating the overdraft facility on specific accounts.

Method in the madness

The criminals hired a number of mules and provided them with false credentials so they could open new accounts in branch. On opening the accounts, the mules requested debit cards with the accounts, and the cards were then passed out of the originating country to a group of international conspirators. It is not unusual to request a debit card with a new account, as the balance of the account determines how much money is available to spend on the card.

Whilst these numerous bank accounts were being opened in branch, the cyber part of the attack was already under way. Members of the criminal gang hacked into the victim banks' internal systems and manipulated the debit cards' features to allow very high overdraft limits or no overdraft limit at all, and also removed any anti-fraud controls in place on specific accounts. Almost simultaneously, the operation continued in the countries to which the debit cards had been sent. The cards were used to make large withdrawals from a number of ATMs which had been carefully selected because they had high or no withdrawal limits. Locations were also chosen to be remote and to have either no security cameras or obscured ones. Over the following few hours the operation concluded with a sum between USD$3 million and USD$10 million being withdrawn from each bank.

Recommendations to banks

There are measures which banks can take to help mitigate these kinds of attacks. A proactive program such as managed detection and response (MDR), also known as threat hunting is recommended. Implementing a threat hunting program will allow banks to detect threats early on and mitigate them before they have the opportunity to do any real damage. Banks should also prepare incident response plans and have them well documented and tested so they are fully prepared to act swiftly if such incidents occur.

Unfortunately, the success of these attacks can be attributed to the lack of coupling between the core banking system and the third-party card management system. Had these two systems been integrated correctly, the changes to the debit cards' overdraft limits would have been red-flagged much earlier. A second, non-technical control failure was that several accounts on the card management system were able to both raise a request for a change and approve that same change. This violates a control commonly used in banks and banking applications called Maker-Checker. Banks are therefore advised to undertake frequent cyber security risk assessments to detect and mitigate this type of control weakness.
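To make the two control failures above concrete, here is an added detection example (not Trustwave's code, and not tied to any real card management product) that runs over a constructed audit log of overdraft-limit changes: it flags changes where the same identity is both maker and checker, reconciles the card system's new limit against the limit the core banking system holds, and flags removal of anti-fraud controls. The record layout, field names and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LimitChange:
    """One overdraft-limit change from a hypothetical card management system audit log."""
    change_id: str
    account: str
    maker: str                     # user who raised the change request
    checker: str                   # user who approved it
    new_overdraft: Optional[int]   # None models "no overdraft limit at all"
    antifraud_removed: bool        # were anti-fraud controls switched off on the account?

# Constructed sample: overdraft limits the core banking system holds for the same accounts.
CORE_LIMITS = {"ACC-1001": 500, "ACC-1002": 0, "ACC-1003": 1000}

# Constructed sample audit records (not real data).
SAMPLE_CHANGES = [
    LimitChange("C1", "ACC-1001", "ops_a", "ops_b", 500, False),      # consistent, four-eyes approved
    LimitChange("C2", "ACC-1002", "ops_c", "ops_c", 250_000, False),  # self-approved, huge limit
    LimitChange("C3", "ACC-1003", "ops_a", "ops_b", None, True),      # unlimited, controls removed
    LimitChange("C4", "ACC-9999", "ops_d", "ops_e", 100, False),      # account unknown to core system
]

def review_queue(changes, core_limits):
    """Return {change_id: [reasons]} for every change that trips a control."""
    findings = {}

    def flag(cid, reason):
        findings.setdefault(cid, []).append(reason)

    for c in changes:
        # Maker-Checker: the same identity must never both request and approve.
        if c.maker == c.checker:
            flag(c.change_id, "maker-checker violation")
        # Coupling check: the card system's limit must not exceed what core banking holds.
        core = core_limits.get(c.account)
        if core is None:
            flag(c.change_id, "account unknown to core banking")
        elif c.new_overdraft is None or c.new_overdraft > core:
            flag(c.change_id, "overdraft exceeds core banking limit")
        # Switching off anti-fraud controls always warrants a human look.
        if c.antifraud_removed:
            flag(c.change_id, "anti-fraud controls removed")
    return findings
```

In a real deployment the audit records would be pulled from the card management system and the limits from the core banking system, and the queue fed to a threat-hunting or fraud team rather than printed.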

Currently the attacks have been localised to Eastern Europe and Russia; however, we believe that they represent a clear and imminent threat to financial institutions in Europe, North America, Asia and Australia over the forthcoming months. During the course of the investigation it was discovered that bank losses currently stand at around USD$40 million. However, this does not account for undiscovered or un-investigated attacks, or for investigations undertaken by internal groups or third parties, so the total losses could already run into hundreds of millions of USD. We would advise all global financial institutions to consider this threat seriously and take the necessary precautions.

Last weekend, British shoppers were predicted to have spent almost £8bn on Black Friday sales – nearly four percent higher than last year. While this busy shopping period is certainly good for the British economy, it raises concerns about the opportunities for scammers and cyber criminals. Ross Brewer, VP and MD EMEA at LogRhythm, discusses for Finance Monthly below.

Indeed, all eyes have been on who – and there will be some – will fall victim to hackers’ increasingly persistent and clever tactics. Retailers are prime targets because of the confidential data they hold – whether it’s bank details, email addresses or personal information. There’s absolutely no doubt that cyber criminals will have tried to take advantage of the past week’s online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months. Retailers have a lot to prove when it comes to showing consumers that they are taking modern-day threats seriously.

As we only saw this week with Uber, it isn’t always a breach that makes headlines, it can be how it’s contained and disclosed. In such a competitive industry, retailers rely heavily on loyalty, which means reputation is key. They need to understand the true value of the data they hold and take the necessary steps to protect it.

Monitoring and detection is key

It's hugely important that retailers invest in tools that continuously monitor networks for any signs of a compromise. Indeed, online activity and network communications between components in the card processing chain need to be tightly controlled, a process that is specifically mandated by PCI-DSS. With time increasingly of the essence, it is also critical that, rather than simply scanning for threats and raising an alarm if something suspicious is identified, these systems are able to deliver actionable insight with supporting forensic data and contextually rich intelligence. Not only does this ensure that the right information is delivered at the right time, to the right people, but it guarantees that the appropriate context will be attached, significantly decreasing the amount of time it takes to detect and respond to threats.

Most retailers know by now that they cannot afford to take shortcuts when it comes to cyber security. With breaches now a case of when, not if, it’s essential that they are on high alert at all times – particularly during busy shopping periods. Despite growing concerns over the cyber threat, consumers are spending more and more money in store and online each year, but retailers cannot take this for granted. It only takes one data breach to damage a company’s reputation, hinder future sales and/or disrupt pending investments and deals.

The good news is that security intelligence has become so advanced that companies can now automatically detect a compromise as soon as it happens, enabling security teams to stop a cyberattack before any damage is done. With GDPR only a matter of months away, enterprise organisations and retailers are feeling the pressure to identify, mitigate and disclose an attack at the time that it happens. Only with rapid detection and response capabilities will retailers be able to take cyberattackers head on and protect their customers.
