Security Tester Tells All

An audacious series of bank ATM thefts demonstrates the need for strong anti-fraud and information security controls at financial institutions.

Network fraud

A ring of hackers made headlines recently for stealing US $45 million from bank ATMs in a series of 36,000 cross-border transactions conducted in several countries over just 10 hours. To show how easily such a crime could be committed, Security Compass CEO Nish Bhalla explained to CNN Money how he "stole" US $14 million from a U.S. bank client in 2010 as part of a security test. Although Bhalla had the advantage of having access to the bank's computer network, he says real-world thieves could gain entry by accessing a bank's wireless network and using it as a springboard to jump onto the corporate network, "fooling" other computers into thinking the connection came from a bank computer. Once he had gained access during his simulation, Bhalla used sniffer software to find out how the bank's systems were connected and then discovered the login and password information used by the bank branch's tellers. From there, he was able to find login information for the branch's main database. Finally, Bhalla created a new account in the database with a balance of US $14 million, which he could have withdrawn from any bank branch.

Lessons Learned 

The recent ATM theft was a large and seemingly complex crime, as well as an example of how easily the vulnerability of financial institutions to credit card fraud can be exploited. At its root, however, is an often-used technique: obtaining customers' credit card details and later using the data to manufacture and use counterfeit cards.

Internal auditors can learn a great deal from this crime, and from Bhalla's insights into how similar crimes can be committed, to prevent and detect such incidents in the future:

  • Regularly review, test, and strengthen the access controls over bank systems and confidential customer data. Public and internal banking networks should be entirely separate and have strong security controls in place, including firewalls, strict authorizations, and data encryption wherever possible. A financial institution's controls surrounding security changes ought to be a particular focus. Access to sensitive systems and data, such as card numbers and personal identification numbers (PINs) associated with prepaid accounts, should only be granted to employees who absolutely need it to perform business duties, and their activities should be monitored. Access to processor systems that manage bank accounts and ATM transactions — including withdrawal limits — should receive particular attention, with real-time reporting of changes made. In Bhalla's security test, the creation of a US $14 million bank account should have triggered a system red flag immediately, including from an anti-money laundering perspective. Other controls, such as those over tellers' computers, should ensure that no physical access points (e.g., USB ports) are left available through which the machines could be compromised.
  • Assess vendor management arrangements and the security controls of critical service providers (e.g., data processors) to ensure their adequacy is demonstrated. Ensure audits of data and information security programs are conducted to understand the service providers' ability to secure data. Also ensure that they are maintaining maximum security settings for hardware, operating systems, and applications. Request frequent updates from processing partners on how they are adapting to emerging threats. If the information raises any red flags, follow up with the provider to ensure they are being addressed fully.
  • Ensure card and authorization systems are up to date. Globally, many more countries are shifting away from magnetic-stripe cards in favor of less vulnerable "chip" or EMV (Europay, MasterCard, and Visa) cards, which are much more difficult for counterfeiters to duplicate. Organizations should engage card-blocking systems to help stop fraud before it becomes widespread. However, fraudsters study and test the world's new and emerging detection systems, and many have learned how to fly under the radar. Particularly in the case of ATM flash fraud, immediate card-blocking technology has become important to stemming financial losses quickly.
  • Secure the ATM. Organizations can leverage the power of ATM terminal profiling that watches for multiple transaction requests from the same machine, comparing that incident with the protected ATM's normal activity and scoring the transaction accordingly. High scores trigger actions such as a fraud analyst review or an automatic decline, depending on the financial institution's unique fraud strategies. Current technology can mitigate some of the risks associated with the use of fake bank cards, essentially by "tying" individuals' credit cards to their mobile phone and using proximity correlation analysis. If the accounts affected by the US $45 million theft had incorporated this technology, it may have been more difficult for the thieves to withdraw money from various ATMs because the system would have recognized that the account holder's mobile phone was not in the same location as the fake card. Surveillance cameras mounted at various locations around ATMs are a further deterrent to criminals by capturing close views and angles, detecting long-time intervals for a single user, and linking video footage to a specific transaction.
  • Engage in information exchange and education. Because banking, credit card, and ATM hacking is a strategy frequently used by fraudsters, it's important to monitor the various fraud alert information networks. Numerous organizations provide regular information and information exchange mechanisms to help actively share fraud characteristics and incidents. In his test, Bhalla used sniffer software to hack into his client bank's internal systems; banks and auditors ought to be on top of the latest developments in deploying anti-sniffing software. From a governance perspective, and particularly for financial institutions, these kinds of fraud activities ought to be a regular subject of board and audit committee meetings and routinely included in audit plans and reports. Also, banks should educate cardholders and customer service representatives about hacking, skimming, and social engineering scams.
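The ATM terminal profiling and proximity correlation described under "Secure the ATM" can be illustrated with a small scoring routine. This is an added example, not code from the article or any vendor product; the transaction log, the per-terminal baseline rates, the point values and the review/decline thresholds are all constructed assumptions.

```python
"""ATM terminal profiling: velocity scoring per terminal plus a card/phone proximity check."""

# Constructed sample withdrawal log, not real data:
# (terminal_id, minute_of_day, card_id, atm_city, phone_city)
# phone_city stands in for the cardholder's mobile phone location used in proximity correlation.
SAMPLE_TXNS = [
    ("ATM-01", 600, "c100", "NYC", "NYC"),
    ("ATM-01", 640, "c101", "NYC", "NYC"),
    ("ATM-01", 655, "c102", "NYC", "BOS"),   # one traveller whose phone is elsewhere
    ("ATM-02", 601, "c200", "NYC", "MIA"),   # burst: many distinct cards, phones far away
    ("ATM-02", 602, "c201", "NYC", "MIA"),
    ("ATM-02", 603, "c202", "NYC", "LON"),
    ("ATM-02", 604, "c203", "NYC", "NYC"),
    ("ATM-02", 605, "c204", "NYC", "MIA"),
    ("ATM-02", 606, "c205", "NYC", "LON"),
    ("ATM-02", 607, "c206", "NYC", "MIA"),
    ("ATM-02", 608, "c207", "NYC", "MIA"),
]

# Constructed baseline: each terminal's normal number of withdrawals per hour.
BASELINE_PER_HOUR = {"ATM-01": 4.0, "ATM-02": 4.0}


def score_terminal(txns, terminal, start, window=60, baseline=BASELINE_PER_HOUR):
    """Return (score, action) for one terminal over [start, start + window) minutes."""
    rows = [t for t in txns if t[0] == terminal and start <= t[1] < start + window]
    expected = baseline.get(terminal, 1.0) * window / 60       # normal count for this window
    velocity = len(rows) / expected if expected else float(len(rows))
    score = 0
    if velocity > 1.0:                                          # above the terminal's own norm
        score += min(60, int(30 * (velocity - 1)))
    mismatches = sum(1 for t in rows if t[3] != t[4])           # card and phone not co-located
    score += min(40, 10 * mismatches)
    if score >= 70:
        action = "decline"      # automatic decline (assumed threshold)
    elif score >= 40:
        action = "review"       # route to a fraud analyst (assumed threshold)
    else:
        action = "allow"
    return score, action


def score_all(txns, start, window=60):
    """Score every terminal seen in the log for the same window."""
    return {term: score_terminal(txns, term, start, window) for term in sorted({t[0] for t in txns})}
```

Thresholds and weights would in practice be tuned per institution against historical fraud and false-positive rates, as the article notes when it refers to each institution's own fraud strategy.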


