Threat Management, Network Security, Vulnerability Management

Pen testers break down bank security flaws

While banks have built effective barriers for external attacks, researchers warn they have not done nearly as much work to fight threats on their internal networks.

Earlier this month, a third-party software vulnerability resulted in a Mexican bank heist that scored at least $15.4 million.

In early 2017 there was a surge of attacks targeting card processing in Eastern Europe which scammed nearly $100 million and later that year, intruders attacked the Far Eastern International Bank in Taiwan by making transfers to accounts in Cambodia, Sri Lanka, and the U.S which totaled at $60 million.

Positive Technologies researchers examined how cybercriminals are able to pull off such massive financial heists from behind their keyboards and acted like cybercriminals to gain insight on common vulnerabilities shared among banks.

The firm said it found vulnerabilities in all of the banks they have performed penetration tests on and that half of the banks had insufficient protection against recovery of credentials from OS memory, a quarter used dictionary passwords, and nearly a fifth, 17 percent, had sensitive data stored in cleartext.

Positive Technologies would not specify the number of banks in its study but did emphasize the need for banks to enact strong password policies as 50 percent of those tested used dictionary passwords.

Researchers added that a quarter of these banks used the password "P@ssw0rd" as well as such common combinations as "Qwerty123," empty passwords, and default passwords such as "sa" or "postgres".

The most common vulnerabilities were outdated software which were found in 67 percent, sensitive data stored in clear text, 58 percent, dictionary passwords, 58 percent, use of insecure data transfer protocols, 58 percent, remote access and control interfaces available to any user, 50 percent.

Less common vulnerabilities included anti-dns pinning, sql injection, arbitrary file upload, XML external entity, and cross-site scripting 25 percent.

Other common vulnerabilities that allow infections usually consist of use of outdated software versions and failure to install OS security updates, configuration errors, and absence of two-factor authentication for access to critical systems

As a result of these vulnerabilities, attackers would be able to obtain unauthorized access to financial applications at 58 percent of banks and penetration testers were able to compromise ATM management workstations used at 25 percent of the banks studied.

Researchers were also able to move money to criminal-controlled accounts via interbank transfers at 17 percent of the banks tested.

It's important to realize that banks suffer from the same problems as other companies and typical attack vectors stem from a weak password policy and insufficient protection against password recovery from OS memory.

Similar to physical bank robberies, cybercriminals survey and prepare in advance to attack their targets sometimes leveraging insider personnel.

“Since use of external resources can be detected by security systems, in order not to get caught during this initial stage, criminals resort to passive methods of obtaining information: for example, identifying domain names and addresses belonging to the bank,” researchers said in the report. “At the survey stage, unscrupulous bank employees are actively engaged as well.

Researchers found numerous on web forums from insiders looking to disclose their employers' information for a fee.

“The bottom line is, banks are not ready to defend attacks from the internal intruder today,” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies told SC Media. “Despite the high level of protection of the network perimeter, attacks using social engineering techniques and so-called watering hole attacks allow attackers to enter the internal network of the bank”

Galloway went on to say that Cybercriminals can covertly be present in the infrastructure for a long time while learning the actions of employees and administrators all while hiding their attack from security systems under the guise of the legal actions of employees whose computers they hacked into.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.