Although the threat of cyberattacks is rising, banks are being pushed to go back to the basics of cybersecurity, according to a penetration specialist.
On December 31, 2019 a group of hackers called Sodinokibi launched a cyberattack on the Travelex network. The group held the foreign exchange company to ransom for £4.6m the Telegraph reported. The attack went on to cause disruption at Lloyds, Barclays, and Royal Bank of Scotland.
With one cyberattack producing a ripple effect across financial services, I wanted to find out what cybersecurity threats are specific to the industry so I had a conversation with Andrew Mabbitt, co-founder and director, Fidus Information Security, a UK firm which specialises in penetration testing.
To carry out a penetration test, it’s important to know the size of the bank, says Mabbitt.
“There are a few things that go out the window straight away. Typically, the external infrastructure, anything they are publicly hosting usually is going to be relatively safe. Again, banks spend a lot of money on security, so straight away you know that will have been tested to death and statistically you are not going to find anything major there.
“We wouldn’t even bother looking at the physical security of the banks because they have all of those cameras, they have a lot of staff, they have security guards. What we would start looking at is, do they have any satellite offices? Do they have a big headquarters? Typically, they are going to have less security because they aren’t guarding all the money, but what are we trying to achieve here?
“We are not trying to get access to the safe and the big bolts in the banks, we are trying to get access to the network. So where would the weakest point on the network be? Typically, they are either in head offices where there is so many people, or they are in satellite offices.
“When we are conducting physical engagement, we can stand outside or sit in a local café even and watch people who work for the bank come in and out. Typically, they are always wearing the same lanyards etc. And if they are generic like a red lanyard, we can just put a red lanyard under our jumper, go to walk in and typically if someone see a lanyard, they are going to trust you.
“The other thing we usually do is also film and take pictures of people if they work at the bank and try and clone a badge. So well get a picture, mock it up in photoshop, print it onto our own badge and then we have the plausible attempt of trying to walk into the building and our badge not working on the scanner and asking security to open it, because again people want to help.
“If we can’t do the break in we will look for people we think we can target, so we stray from the finance team, we stray from the IT team and we look at people who are in very different kind of roles that people wouldn’t assume would be targeted in phishing attacks all the time. So people in media for example, you wouldn’t expect them to be as targeted as people in the finance team, so we would try and exploit that.”
The waiting game
In November 2018, HSBC notified their customers to a data breach which had occurred the month before. An unauthorised log-in left some customers’ personal information accessible.
But how long a hacker can remain undetected completely depends on what they are trying to achieve, Mabbitt says.
“I would say usually the people who have the talent and the backing to attack a critical bank in a country are going to be quite sophisticated. You would expect them to be at a high level of organised crime or nation state bank attacks of which they are not just trying to get in and steal the money, they want to get as much data as possible. So, they are the kind of hacks where people will sit on networks for at least six months and above.
“One of the biggest issues when transferring data is people still send it over a normal email. In their mind they are sending it from their email and the only other person who is going to see that is the other person on the other end of that email. If your email inbox is compromised, you may have no idea, and somebody could just be watching every single email that you are sending. Another thing to note is emails by default do not have any encryption in them that means anyone who is able to compromise the connection in the middle, and watch the traffic flow – granted it would take a lot of effort to do something like that – if anyone is on the same wifi network, if anyone can intercept data in transit over the wire, they will completely be able to read that entire contents of that email without any hassle at all.
“One of the things that needs to be implemented is mandatory encryption when sending data. I know the UK government use a classification scheme on data – there is client confidential, official, essential, sensitive, top secret etc. And there are stick guidelines on how each of them has to be handled.”
Financial services firms continue to be the most heavily targeted by hackers because of the critical data they hold, says Mabbitt. But a lack of employee awareness and the physical building security continue to be the two biggest pitfalls in firms’ security.
“I say physical and people assume James Bond scaling over a fence, but in essence a lot of the time it is just standing outside in a smoking area and following someone in because they hold the door open for you. The reason being people are inherently nice and want to help. Nobody wants to turn around and be that person to say, ‘hi, who are you?’
“Once you’ve spent millions on your security features and all the things that people put on the network and the nice shiny boxes they buy to protect them, it all goes down the drain if someone can just walk into your building and plug into your network.
“The second pitfall that we see which isn’t just limited to the financial sector will be employee awareness, and when I say employee awareness, I mean things like phishing attacks. The reason being I know a lot of financial companies invest a lot in training staff not to open emails etc.
“It is very easy to tailor things to appeal to the specific person, such as if we know that someone works in a mailroom we can send them something which looks like it is from a well-known delivery company and we can straight away from the commonly mentioned ones being used like finance and CEOs – we won’t go near those. Or we can send something to HR with a fake CV.
“But the issue with phishing and similar attacks is the banks and employees have to get it right every single time - not enter their credentials, and not open documents, whereas an attacker only has to get it right once.”