What happens when hackers and banking network security collide?

September 24, 20184 Minute Read

In late May, Canadian banks BMO and CIBC-owned Simplii Financial learned of a serious breach in network security. It’s the type of news no one ever wants to get. Hackers had stolen the personal financial information of 90,000 account holders across the two banks, making it one of the worst hacks in Canadian history and leaving thousands of customers vulnerable.

The attackers, who the banks claimed were not Canadian hackers, pilfered personal details, including customer names, account numbers, social insurance numbers, dates of birth, email and home mailing addresses, phone numbers, occupations, and citizenship information. With that type of data, they could mount thousands of identity theft attacks, opening new bank accounts in victims’ names, applying for credit, or renting accommodation. Instead, the attackers went for a quick win. They sent letters to the media explaining they’d publish the data unless they received a $1 million ransom.

Decades ago, they would have demanded the money in unmarked bills. Today, things are more high-tech. They wanted payment in XRP, a cryptocurrency used by legitimate online payment network Ripple, which makes it easy for people to make international cross-currency payments. To prove a point, they included detailed—and accurate—information on two banking customers. They also anonymously circulated a list of 100 customers’ details online. These criminals were the real deal.

A breach in network security

How did they manage to circumvent banking security to steal this data? The information publicly available suggests the attackers created an algorithm that generated valid bank account numbers and used it to pose as legitimate customers who had forgotten their passwords. This enabled them to reset the backup security questions and gain access to customer accounts.

“They were giving too much permission to half-authenticated accounts, which enabled us to grab all this information,” an email to CBC News reportedly read, adding that the bank “was not checking if a password was valid until the security questions were input correctly.” This doesn’t ring true, though. Could someone steal that range of information, including SIN numbers, occupations, and citizenship status, simply by logging into a customer’s account? Alternatively, the crooks could have compromised network security by invading internal employee accounts.

The banks never confirmed if they paid the ransom, and the world may never know if they did, but CBC News has the wallet details, which already contained the equivalent of almost CAD $6.5 million shortly after the attack happened. BMO told the media it does not “make payments to fraudsters.”

Building a security strategy

What can banks and other financial services organizations do to protect their network security and prevent this type of hack from happening again? One option is two-factor authentication. In addition to a password, this method uses a second form of authentication, such as a unique code sent to a smartphone the user must enter to gain access. Some banks, such as Barclays in the United Kingdom, use a bank card reader and PIN pad sent to the user’s home, effectively replicating the readers that customers use to authenticate themselves at their local branch. This would prevent crooks from compromising accounts with a password.

Secondly, security analysts can work more closely with application designers, using threat modelling to understand potential malicious attacks at each stage in an online customer interaction. This can help them craft their application logic to avoid attackers exploiting loopholes in key processes, such as authentication, as the BMO/Simplii Financial hackers claimed to have done.

Turning to advanced intrusion prevention

For better data security, you may also want to look into another more advanced form of protection: behavioural analysis. This method uses machine learning techniques to identify common access patterns for customers. If the program notices someone accessing a customer’s account in an unusual way, perhaps at a different time than normal or from an odd location, it can escalate security, asking the user for more information and perhaps initiating a manual phone call.

That said, this method would only prove effective against the methods these non-Canadian hackers claimed to have used to compromise the banks’ network security. If they hacked the systems in other ways, like compromising an internal account and installing malware on central systems, you’d need to implement other protections. Banks are notoriously tight-lipped about security protections and breaches, so the real story may never be known—but this only showcases the importance of instituting a layered, holistic approach to security.

For instance, it’s good practice to secure internal computers by patching operating systems and applications regularly, using malware scanning tools, and installing intrusion prevention systems. You should also consider segmenting internal networks and protecting individual assets to make it more difficult for intruders to move laterally through your network. Access management controls and proper privilege management can help prevent a compromised internal account from wreaking uncontrolled havoc, as well.

Finally, investing in secure endpoints is an important—and often overlooked—protective measure for any institution, including banks. The fewer vulnerable attack points a bank operates, the better network security becomes and the harder an attacker’s job is as a result. After all, in an era when hackers can walk off with 90,000 customers’ unique details, you don’t want to make it any easier for them than it apparently is already.

Gary Hilson October 31, 2018 4 Minute Read

5 ways to prepare for PIPEDA’s updates

PIPEDA's getting an update, and it looks a whole lot like GDPR. Here are five best practices that will help you stay compliant.

Stephanie Vozza October 29, 2018 4 Minute Read

Brush up on these 4 fundamentals for Cybersecurity Awareness Month

From employee training to shoring up endpoints and passwords, get primed for Cybersecurity Awareness Month with these four security and privacy tips.

Graham Templeton September 26, 2018 4 Minute Read

Prepare for PIPEDA with better device security and data privacy

Complying with PIPEDA's new privacy amendments requires diligence in everything from internal processes to device security.