In July 2016, a shady individual stood at a First Commercial Bank branch in Taiwan and watched as the cash dispenser door slid open. He pulled out his phone and typed a quick confirmation into a secure messaging app. Seconds later, a hacker's fingers skittered over a keyboard thousands of miles away, blowing through the bank's network security. The cash dispenser spat out a slew of banknotes, which the money mule quickly pocketed, and over the next few hours, he conducted the same ATM hack at multiple cash machines. Before the fraud was complete, the cybergang had pilfered around CAD$3.2 million.
How did hackers scam ATM machines without a forged card in sight? Historically, criminals attached card skimmers to ATMs to copy details from cards as customers used them. Then, they'd use those details to make fake cards. These attackers, however, took an indirect route, bypassing the bank's network security and compromising the ATMs from there. It's not the first time cybercrooks have mounted an ATM hack by breaking into a bank's network. According to Trend Micro, attackers hacked a Russian bank's machines via the network in two separate attacks, known as Cobalt Strike and Carbanak. Another ATM hack, using malicious software called Ripper, targeted the Government Savings Bank in Bangkok, Thailand around the same time as the First Commercial Bank hack.
Obviously, the cards are stacked pretty high against you if you're in the financial services industry—hackers are desperate to get ahold of your sensitive information and data, and they're getting smarter and more clever by the day. So, what can you learn from these hacks to better protect your IT environment?
Don't let employees be your weakest link
These attacks have one thing in common: the weak point enabling attackers to compromise network security in the first place was a bank employee. Hackers sent phishing emails to employees containing either infected file attachments or links to malicious websites, and employees who took the bait infected their own machines. This gave the hacker control over their PCs, and therefore, a foothold on the network. From there, the attackers used lateral movement—the process of probing computers in the same network and infecting them, too. They gradually stole their way across the network until they found the part of the bank's infrastructure containing the cash machines they needed to launch their ATM hack.
In the First Commercial Bank hack, attackers used an infected computer to steal a domain administrator's account credentials from the bank's voice recording system. This gave them elevated privileges, allowing them to reach a Taiwanese branch on the bank's intranet system, bypassing network security and taking over some servers. Then, the attackers mapped out the internal network, gaining a better understanding of where important details were kept. This included the administrator credentials for the ATM update server, which they stole and used to update ATMs with their own software to give them full control.
How can banks stop attackers from infiltrating their networks via employee devices? One of the most powerful measures is nontechnical: training users to be aware of phishing attacks. You can warn your employees to think twice about incoming emails and not click on links or open attachments without contacting the sender to check their validity. You can also measure employee awareness around phishing by working with consultancies that run fake phishing campaigns. These service providers send out phishing emails with links pointing back to their own servers, so they can check to see who's clicked on the bait and measure the effectiveness of awareness campaigns.
Implement strong technical security measures
There will always be a subset of users who don't pay attention to your warnings, which is why technical protections are an important part of the equation for full security. You and your IT team can take many steps to protect the business's systems. For instance, Sender Policy Framework administrators can detect forged sender addresses by limiting the servers allowed to send email on behalf of the company's web domain. Another email authentication method called DomainKeys Identified Mail uses digital certificates to ensure an email's sender is who they claim to be.
While you can use these technologies to prevent hackers from impersonating employees, you shouldn't rely on them to stop all phishing attempts. Additional technologies can reduce the chance of malicious emails getting through, including scanning software that checks incoming emails for suspicious content before it even reaches an employee's computer. Another useful tool is web scanning software that can check any links an employee tries to visit before allowing it to open on their computer.
Don't forget other techniques, like updated anti-malware tools that can spot malicious attachments and whitelisting policies that administrators can set to stop computers installing unauthorized software. There's also one final line of defence: proper patching. The types of malware that can compromise network security and lead to a hack often rely on vulnerabilities in unpatched operating system and application software to infect a computer. By ensuring all security patches are up to date, you can reduce the chance of infection.
The scariest thing about network security is that you can never say for certain if your system is 100 percent secure. But by putting multiple protection measures in place, you can make it far harder for an attacker to successfully break into your systems and wreak havoc. That's advice financial services companies can take to the bank.