Online banks: Prime targets for attacks

By Sandeep Junnarkar
Special to ZDNet News
April 30, 2002

Late one recent Sunday night, an executive at a midsized financial services firm received the kind of call everyone in the industry dreads: a demand for $1 million, or else the brokerage's network would crash the next day with a surreptitiously installed program.

The firm's security team spent a frenzied night searching for the pernicious code but failed to find it, and the system went down for an hour in the morning. The executive's phone rang once more: The caller threatened to crash the system again, but this time during peak trading hours. The brokerage, in this case, paid up.

"We figured out how the person got in and patched the system," said Ed Skoudis, a hacking expert at security firm Predictive Systems, which was called in to fortify the company's networks. "We deal with about two intrusions per month, and we're just one of the many teams out there doing this work. We're not dealing with denial-of-service attacks or script kiddies playing around, but skilled financial intrusions."

Although electronic break-ins are nothing new, their frequency has been quietly mounting in recent years as more banks rush online to provide services for consumers who are finally using the Web in significant numbers to manage their money. The popularity of online banking is projected to grow from 22 million households in 2002 to 34 million in 2005, according to Financial Insite, publisher of the Online Banking Report newsletter.

While not explosive, that steady increase represents a sea change in public perception about online banking, in many ways one of the last frontiers of electronic commerce. Along with safeguarding medical histories, many people view their financial information as a sacred totem--a record of their past and a window into their nest egg for the future--and are increasingly distrustful of financial institutions in today's climate of Enron-inspired paranoia.

"Let's face it, a bank is in the business of trust," said Mark Rasch, the former head of the U.S. Justice Department's computer crimes unit. "The reason you go to a bank is because you trust them not only to give you a good rate of return on your money, but also to keep your money safe and secure, and to protect your privacy associated with your finances. Attacks on the electronic infrastructure are attacks on all three of those."

An $11 billion secret
No comprehensive records on computer-related crime are public, but it is estimated to drain as much as $11 billion per year from consumers and corporations in the United States alone, with a growing portion coming from financial institutions. In their annual joint study released in April, the FBI and the Computer Security Institute, a security advocacy group, noted that the combined financial losses for 223 of 503 companies that responded to their survey came to $455 million.

Often, the highest cost for financial institutions is not the loss of money directly from theft but the expense of fortifying their systems to avoid repeat intrusions. Security experts estimate that a bank can spend upward of $1 million on equipment and consulting after a single incident to repair flawed technologies, which can require far more vigilance than the surveillance cameras, alarms and guards used to secure physical branch offices.

"Based on our examinations, we have seen an increase in security events over the past several years," said John Carlson, a senior adviser for bank technology at the Office of the Comptroller of the Currency, which monitors U.S. banks as an arm of the Treasury Department. "I am telling you that security incidents are definitely increasing."

The true depth of the problem remains unknown, however, as banking sources acknowledge that the industry releases as little information as possible on such incidents. Although some high-profile intrusions and technical blunders have been impossible to keep out of the news media, the vast majority rarely come to public light.

When banks suspect criminal activity, the Treasury Department requires them to file "Suspicious Activity Reports," bulletins originally used to track tax evaders and money launderers. The agency releases only limited information about the data it collects on breaches and other security incidents.

"We don't supply that information, and we don't really want to supply that information," Carlson said. "If such a report were made public, banks might shy away from reporting their suspicions. In addition, making such reports public would be unfair and prejudicial to the subject, against whom there have been no formal charges or findings leveled."

But consumer organizations say more public disclosure is needed. They note that banks are notorious for pushing to shield many aspects of their operations from scrutiny, employing armies of lobbyists to pursue their agendas on Capitol Hill.

"If there is increasing concern about break-ins and security with online banking, I believe the government should be clearer about the insecure nature of these online banking services," said Edmund Mierzwinski, a consumer banking advocate with the U.S. Public Interest Research Group, the national lobbying office for state non-partisan public-interest groups.

Insurance against sabotage
With such high stakes, all parties involved inevitably blame each other when a breach occurs, because there are so many points of potential vulnerability in the vast and complex systems of financial operations: hosting companies, Internet service providers, databases, transaction software and all manner of hardware. And all hope to deflect the legal liability inevitably associated with such incidents.

Accordingly, banks are turning to insurance companies because their coverage has failed to keep up with risks related to the Internet. Traditional insurance for banks covers robberies, but the new policies specifically deal with losses stemming from entire systems crashing because of sabotage or hacker or virus attacks that destroy data and programs.

Progressive and Chubb are among those now offering policies tailored to shield banks from losses resulting from computer intrusions. Progressive said that hundreds of small community banks have signed up for its Internet Banking Protection Package since it introduced the policy last summer.

"We are getting more and more interest from banks as they realize the risks," said Judi Kovach, a Progressive manager. "We had to enhance our insurance to include Internet banking exposure because the traditional coverage was written 100 years ago."

Some of these new policies also cover liability issues in case a customer sues because his privacy was breached. The federal government insures each bank account up to $100,000, but that applies only when an entire institution collapses.

Security breaches have not been confined to younger, Internet-only banks like NetBank in the United States and Egg in Britain; established global leaders such as Citibank, Credit Suisse Group's Direct Net and Barclays Bank have proven vulnerable as well. Security lapses have also been reported by regional institutions such as Wells Fargo in California, Republic Bank in Florida and First Virginia.

Moreover, security concerns involving online banking are rising with the advance of Web services, a new way of writing software that makes it easier to link systems and get information online. If this budding industry takes hold, people may find their private information on vulnerable servers or databases connected somewhere to the Net regardless of whether they have ever banked online.

"Many old-guard banks depend on legacy systems like mainframes. There's also corporate desktop systems and branch computers and ATMs; all live on the network, and all have some degree of access," said Adrian Lamo, a self-described "ethical hacker" whose conquests include the New York Times' internal network, where he viewed the Social Security numbers and other private information of former President Jimmy Carter and hip-hop artist Queen Latifah, among others. "Even branch terminals are frequently older and obscure, potentially vulnerable to anyone knowledgeable in their foibles."

The weakest links
One notoriously weak link, for example, is a Microsoft server in wide use. Early last year the FBI's National Infrastructure Protection Center warned that several organized hacker groups from Russia and the Ukraine were targeting online banks and other e-commerce sites by exploiting vulnerabilities in un-patched versions of Microsoft's Internet Information Server software. The FBI advisory blamed the international groups for online break-ins at 40 companies in 20 states.

In its regular security alert, Microsoft detailed how a computer connecting to the server could exploit a feature meant to allow controlled Internet access to a database, secretly redirecting information back to the intruder. Using this method, according to the FBI, hackers gained unauthorized access and downloaded proprietary bank information, customer databases and credit card numbers.

They then coolly turned around and notified companies of the intrusion, offering services to patch their systems against further attacks. If a company declined to pay for their services, the hackers became more belligerent and threatened to sell pilfered customer information. In October, the FBI reissued the advisory to emphasize that this particular line of attack was still a dangerous threat.

Microsoft had released patches to plug that particular security hole in 1998 and reissued security bulletins to customers through 2000, but many companies failed to make the repairs. The scenario exemplifies how such "fixes" are routinely ignored by many systems administrators--if they are aware of the problem at all--and underscores the ease of denying culpability when a system is breached. The banks can blame Microsoft, while the software giant can point to negligent technology departments at the financial institutions.

Complicating matters further, the type of software used by financial institutions can vary widely from company to company. The larger institutions develop software tailored to their systems, while smaller banks try to customize off-the-shelf technologies. In either case, vulnerabilities are likely.

"It turns out that the specialized, in-house stuff has more security holes than the off-the-shelf ones," said a former investigator for the Treasury Department who is now a head of security for a multinational bank. "If you use an off-the-shelf system, you may have a secure infrastructure, but if you configure it poorly or customize it, you could introduce holes to it."

The latter occurred with a small, regional financial institution that enlisted an outside security team to evaluate an off-the-shelf system it had already begun to use. The consultants found one field of data exchanged between the server and browser that required a four-digit number between 1 and 10,000--from 0001 to 9999--generated automatically by the application.

"If we could successfully guess this number, we could become some user. The fact is that 1 in 10,000 doesn't take long to guess if I can guess 100 permutations per minute with an automated number generator," said Predictive's Skoudis, who did not disclose the identity of the bank involved. "We weren't told if we were called in because of an incident, but the vulnerability was there and a present threat."
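The arithmetic behind Skoudis's point, worked through as an added example that is not from the article or from Predictive Systems: it sizes the four-digit field against the 100-guesses-per-minute rate he cites, contrasts it with a CSPRNG token, and flags a source that sprays rejected session values. The log events and IP addresses are constructed sample data.

```python
import math
import secrets
from collections import Counter

# Figures taken from the article: a 4-digit field (0001-9999, ~10,000 values)
# and a guess rate of about 100 attempts per minute.
FOUR_DIGIT_SPACE = 10_000
ARTICLE_GUESS_RATE_PER_MIN = 100


def keyspace_bits(n_values: int) -> float:
    """Entropy of a uniformly chosen value from a space of n_values."""
    return math.log2(n_values)


def expected_minutes_to_guess(n_values: int, guesses_per_min: int) -> float:
    """Average time to hit one valid value when walking the space in order:
    half the space at the given rate (the worst case is the whole space)."""
    return n_values / 2 / guesses_per_min


def secure_session_token(nbytes: int = 16) -> str:
    """A 128-bit token from the OS CSPRNG: the usual fix for a guessable field."""
    return secrets.token_hex(nbytes)


def flag_guessing_sources(events, threshold_per_min: int = 20):
    """Return sources with more than threshold_per_min rejected session values
    in any single minute. events: iterable of (minute, source_ip, outcome)."""
    rejects = Counter((minute, src) for minute, src, outcome in events
                      if outcome == "invalid")
    return {src for (minute, src), n in rejects.items() if n > threshold_per_min}


# Constructed sample: one source sends 25 bad session numbers in minute 7,
# while a normal user mistypes twice and then succeeds.
SAMPLE_EVENTS = (
    [(7, "203.0.113.9", "invalid")] * 25
    + [(7, "198.51.100.4", "invalid")] * 2
    + [(7, "198.51.100.4", "ok")]
)

if __name__ == "__main__":
    mins = expected_minutes_to_guess(FOUR_DIGIT_SPACE, ARTICLE_GUESS_RATE_PER_MIN)
    print(f"4-digit field: {keyspace_bits(FOUR_DIGIT_SPACE):.1f} bits, ~{mins:.0f} min to guess")
    print(f"token_hex(16): {keyspace_bits(2**128):.0f} bits")
    print("flagged sources:", flag_guessing_sources(SAMPLE_EVENTS))
```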

Hackers often target hosting companies and ISPs, usually the weakest links in the chain, to bypass firewalls. In December, Lamo broke into MCI WorldCom's ISP network and was able to view the secure networks of Citibank and Bank of America, which ran over leased lines.

Lamo exploited something called an "open proxy," a server normally used by a company to filter data on an Internet connection. The open proxy had been mistakenly installed on a Web server when it was first configured, leaving it exposed.

"Any intruder could have taken control of the routers with the information I had," Lamo said.

Sometimes, all it takes is one errant ISP connection to bring down an entire system.

Even a bank with a fully protected internal network could find itself exposed if a teller were to sign on to a personal America Online account from inside the network, for example. This could happen because AOL forms a virtual network adapter and assigns a separate IP address, according to Lamo.

"That automatically creates something of a tunnel through many firewalls when the user signs on," Lamo said, explaining that while that bank network remains secure, a workstation within the bank becomes vulnerable by way of the AOL address.

This scenario was exploited less than two years ago when intruders cracked one of AOL's customer information databases by establishing a connection to the computers of some of the company's customer service representatives. "It illustrates how any organization can't really prepare against all possibilities when they're using a public network," Lamo said.

Human error
Despite all the possible technical weaknesses in the online banking infrastructure, humans often present far more risk than any technology. Investigators and security experts note that a bank insider more often than not plays a role in security breaches.

An insider can be someone working at any point along the financial network infrastructure, from a current or former employee in the bank's technology department to someone affiliated with an off-the-shelf software company.

"Insiders know your systems. They can inflict the most damage," Skoudis said. "They might be gone for months but may have installed remote-control software to get in from anywhere."

Investigators and security experts said the steadily mounting pressure to make sure that computer systems were ready for the infamous Y2K bug presented a great opportunity for insiders to "go bad."

"Financial institutions were running around like mad, hiring people right out of the phone book to make sure they could put up all the signs and banners saying, 'We are Y2K ready--don't pull all your money out,'" said Hale Guyer, a special investigator and member of the Illinois attorney general's Task Force on the Investigation of Internet Crime and Child Exploitation. "They all did very poor background checks because of the rush. What would have kept one of those people from putting in a back door to your systems?"

Even without inside help, hackers can prey on what investigators say is the most susceptible link of all: the bank customer tapping in from home, often on a computer with little or no security software. This person presents the most tempting target, the one least aware of how much damage can be done simply by opening an e-mail attachment or clicking a link.

Home PCs still routinely fall victim to "Trojan horses," types of software that pretend to do something useful but in fact punch security holes in individual systems and allow hackers to log keystrokes or record conversations if a microphone is attached to the computer. Lamo said most of the fraud discussed on less-sophisticated hacker chats relates to stealing information using Trojan horses.

This stolen information is still only one phase of a process that takes weeks of work, requiring a hacker to painstakingly gather all the information necessary to impersonate someone online. But that may change with newer, more sophisticated hacking technologies.

"It is likely that we will see automated attacks appearing eventually, using viruses to attack many users of online banking indiscriminately," said Mike Bond, a computer security researcher at Cambridge University. He added, though, that this is unlikely to occur in the near future.

Bond and his colleague Richard Clayton made headlines last year when they developed a program that allowed them to bypass one of IBM's most secure cryptographic co-processors, a system used to store PIN codes for ATMs. The researchers demonstrated the breach on a laboratory computer, and IBM subsequently fixed the flaw.

"No matter how great a job you do, a determined attacker will eventually find some sort of problem," Bond said. "You have to find just one fault to exploit, while banks need to cover all possible faults."