Payments networks battle new breed of criminals in cyber attacks
By Hannah Kuchler for Financial Times
When $81m was stolen by cyber criminals from the Bangladeshi central bank earlier this year, it was not just the money that was lost, but trust in the Swift global payments network relied on by 11,000 members.
Gottfried Leibbrandt, Swift’s chief executive, said the business of protecting money had been changed completely now that criminals did not need “guns and blow torches” to break into banks but simply a PC. Payments networks are having to work out new ways to keep up with a rapidly changing set of digital threats.
Swift, the messaging service that allows the transfer of money between banks, found a “good number” of attacks after the heist from the Bangladeshi central bank in February atbanks in Vietnam, the Philippines and Ecuador.
Pushing its members to tighten their security, it pointed the finger in a letter: “The targeted customers have, however, shared one thing in common; they have all had particular weaknesses in their local security.”
Payments networks — whether Swift or the latest peer-to-peer money transfer app — are only as trustworthy as their weakest link. Even if data are encrypted in transit, each bank or individual on a network must be able to reliably prove who they are — and authentication in payments still has a way to go.
The Swift attacks did not come as a surprise to people in the industry, says Justin Clarke-Salt, co-founder of Gotham Digital Science, a cyber security company. The attacks played on a weakness in the system: that not every institution protects access to Swift in the same way.
“They are going after low hanging fruit. Attackers often attack people who are easier to attack,” he says. “So far from what we know has been publicly reported, they have very much targeted smaller financial institutions. This is probably because they have less sophisticated controls.”
“Attackers are becoming more sophisticated, while defences that people have relied on for some time are breaking down.”
Larger banks will have additional layers of cyber security known in the industry as “defence in depth”. They may have automated certain elements of the controls rather than relying on manual systems and are more likely to have created a physical barrier, like a secure gated room, to access the network, he says.
Rajiv Dholaki,, vice-president of products at Nok Nok Labs, a Palo Alto-based company that provides online authentication, says that while it is not yet clear exactly how hackers conducted the Swift breaches, they got into “weak networks” in “local jurisdictions like Ukraine or Bangladesh”, where they were able to pretend to be legal entities simply because they were within the network.
For Mr Dholakia, the Swift attacks are an example of a broader problem: that attackers are becoming more sophisticated, while defences that people have relied on for some time are breaking down. This is a “volatile mix for the future”, he warns.
“A common thread to many of these attacks is compromised or hijacked credentials that allow an attacker to pose as a legitimate entity,” he says.
Despite concerns about the potential for hackers to target everything from connected cars to power plants, most cyber criminals are still clearly motivated by money. They are on the hunt for ways to steal by pretending to be people they are not.
The introduction of the EMV payments standard (known in Europe as chip and pin) in the US has reduced criminals’ ability to steal from cards used in stores, whether it be through fake credit cards or by hacking the software in payment terminals as they did in attacks on Target and Home Depot.
Instead, many are looking for ways to steal online in so-called “card not present transactions”, where a payment card is used online or over the telephone. Payments fraud jumped 137 per cent in the US in the past year, according to a recent study by PYMNTS.com in conjunction with fraud detection company Forter.
Smrithi Konanur, a global product manager at HPE Security’s data security division, says cyber criminals are now focusing on using stolen credentials in web and mobile apps, where it is hard to authenticate a user without putting them off using the app. Visa tried to do this with Visa Verified, where a consumer is diverted to another page to be authenticated by a third party. “That process didn’t go very well because retailers didn’t see it as a good experience for their customers, so it didn’t take off,” Ms Konanur says.
She adds that “old school payments infrastructure” on the back end is struggling to keep up with changes under way in payments: from store, to e-commerce, to mobile and now evolving into taking payments in connected “internet of things” devices.
There has been a threefold increase in mobile malware in the past year, says Scott Clements, chief strategy officer at Vasco Data Security, as people increasingly interact with their banks via mobile apps.
“There’s a real acceleration happening in infected applications that go on to mobile devices and access personal and confidential information for nefarious purposes,” he says.
Hackers are reverse engineering online banking apps, copying them and putting them in unofficial app stores, especially in China, to trick consumers into believing they are the real app — and so harvesting their credentials.
Vasco creates a “wrap” that protects online banking apps so that no infected apps on a phone can interact with them, and creates different forms of two factor authentication, such as creating bar codes on web pages that can be snapped for identification.
However, for banks competing with a host of fintech start-ups, customer convenience will always be important. They may have to make an “economic assessment” of how much they will lose to fraud versus how much they could lose to a “very poor user experience”, he says.
“Younger people and millennials in particular have a propensity to do more on a mobile device. I’m not sure my kids have been in a bank branch in more than half their life,” he says.
First appeared at FT