Attacking the Organism: Financial Services

When it comes to high-value assets, few industries can come close to financial services. It’s not just the obvious fact that banks are giant warehouses of money—banks represent critical pieces of infrastructure that entire economies rely upon. 

And while the likes of George (don’t call him Baby Face) Nelson may have made a decent living robbing physical cash from small banks back in the day, digital transformation has opened the door for thieves to pull off some dramatic heists in the modern era.

Some of today’s largest financial institutions have more app developers than bankers. The way these companies interact with customers is by providing application experiences, since fewer and fewer customers want to actually venture into brick-and-mortar branches. The issue is complicated further by the fact that most banks are decades-old institutions, meaning they may be working with a range of technologies developed over the past 30 years.

This explosion of apps is a critical factor in such a security-dependent industry, creating a wealth of new insertion points for attacks. When customers use a banking app on their phone, there’s the app on the device, interacting with systems in the cloud, transmitted over networks, passing through all the traditional soft spots along the way. Recent reports indicate that half of banks say they’ve experienced data breaches or system downtime. As advanced as security is in the financial industry, clearly there’s still some catching up to do.

Another big problem is simply the range of motivations for attacking large financial services companies. Attacks like Operation Ababil illustrate that the CHEW involved in financial services goes well beyond simple theft. In that case, a hacktivist group most likely sponsored by Iran was seeking to cripple the U.S. financial system and hit the country in its pocketbooks. The attack was in response to a politically charged film released on YouTube by someone who had no affiliation with any financial institution. 

In other attacks the motivation is less clear. In July 2019, a 33-year-old Seattle resident was arrested for compromising millions of accounts belonging to Capital One. The suspect had worked for Amazon Web Services, where the data was held, so may have had some insider knowledge to facilitate the attack. But the attack itself was due to a misconfigured service outside AWS. 

Though millions of records were compromised, including account and Social Security numbers, none of them appears to have been used for financial gain. In a press release, the company said damages could top $100 million, even though the motive for the attack remains unclear. 

And then of course there’s pure theft. The lure of a big haul has always tempted would-be bank robbers, and tales of pulling off such a heist have inspired Hollywood movies. Back in 2016, a hacker group might have gotten away with upward of $1 billion if it weren’t for a few mistakes along the way—and even so, they ultimately pulled $81 million out of the worldwide SWIFT system for funds transfers.

In that case the hackers used legitimate SWIFT credentials of Bangladesh Central Bank employees to initiate a series of large transfers. $81 million was sent to accounts at Rizal Commercial Bank in the Philippines, where it was then credited to several accounts at casinos. 

By the time investigators tracked it down, all but $68,000 had been withdrawn, disappearing without a trace. Questions remain about how the SWIFT credentials were obtained by the hackers, and whether it may have been an inside job.  

In another case in 2017, hackers used a DNS hijacking scheme to attack a major Brazilian institution. The group changed the DNS registrations for all 36 of the bank’s properties, rerouting all traffic to a counterfeit site that exactly replicated the bank’s online services. For five to six hours, the hackers controlled all of the bank’s operations, including ATMs. The shutdown was so complete that the bank couldn’t even email its customers to alert them of the breach.

All this goes to show how crazy the security picture is for financial services companies. For a bank, many of its app security insertion points have direct access to online banking. Thus, their online banking becomes only as secure as the devices used by all the people accessing it. And when it comes down to an inside job or a nation state, things get much trickier. 

Ultimately for financial services, the potential rewards for attackers are so great, and the attack surface so large, the industry will need advanced machine learning and artificial intelligence techniques to take the next step against today’s would-be cybergangsters. The industry must raise the bar for attackers so high that they don’t even try to jump over it, focusing on lower-value targets instead. 

AI systems should be able to examine the entire chain of custody of sensitive data across the landscape, looking at individual behaviors such as signing into an account from a specific device, all the way up to a macro view of the entire infrastructure. 

The ability to look deeply into user and system behavior and identify the smallest anomaly—and then correlate, make inferences, and challenge suspicious activity—will become the essential toolkit to stem the tide of fraud and theft in this highly targeted industry.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.