We naturally assume banks are safe. But why? From Jesse James to Bonnie and Clyde, banks have always been a target for robbers. Today's bank robbers are cybercriminals, and they target not only the banks but also their customers.
Every couple of months a cyber-attack on a bank makes the headlines: the Carbanak gang's record-breaking online bank heist, distributed denial-of-service attacks on RBS/NatWest, or a Polish bank held to ransom by a lone hacker threatening to release corporate customer data unless he was paid.
Exploiting the point of interaction
Although some attacks start with a breach of the bank's back-office systems, the most common exploit the point of interaction: the client, which in practice means the web browser.
One is the long-con Trojan browser extension: an extension with genuinely popular content is later updated with malicious code that monitors the browser, harvests the customer's credentials and then invokes the bank's own transfer functions as if it were the customer. Another exploits the gap in corporate patching. While the IT department tests a security update before rolling it out, the vulnerability it fixes stays exposed on every laptop in the estate, and attackers go after employees who use those laptops for online banking in the meantime.
Let’s look at a common example in more detail.
Settled into a comfy armchair at his favourite high-street coffee shop, Bob pays some bills. He picks the Wi-Fi access point 'MoonBucks-WiFi': it must be genuine, the name is right and the signal is strongest. He clicks straight through a screen asking him to download something to 'secure his Wi-Fi': extra security is always good. He logs on to his bank with his username, password and the one-time code from the token on his phone. Two-factor authentication must be enough, right? Once logged on, the bank identifies him by a session cookie stored in his browser. He then pays his bills. Or does he?
Sitting not far away in the busy coffee shop is Eve. Bob is connected to her access point, not the legitimate one, and the 'Wi-Fi security' download installed a rogue root CA certificate in his laptop's trust store. With that in place her access point can terminate Bob's TLS connections and present a certificate his browser accepts, so she sits between Bob and his bank. The banking screen Bob sees is a copy Eve serves; she relays his username, password and one-time code into the real bank as he types them, so the second factor buys him nothing, and then rides the authenticated session to empty his account. Bob is none the wiser until it is too late. All too easy!
Securing the point of interaction
In my earlier post, I described how it is possible to secure the browser. In this banking example the added advantage would be that the bank's website could be 'self-defending': it would detect, and alert the bank to, tampering by a browser extension or by other software on the laptop.
On top of that, an extra layer of encryption can be added to the traffic between the browser and the bank, independent of TLS, so that even someone who has inserted themselves into the connection sees only ciphertext and you really are communicating directly with your bank. This only holds if the bank's key reaches the client by a route the attacker cannot rewrite, for instance pinned inside a protected client component rather than fetched over the same connection.