The Bankwatch

Tracking the consumer evolution of financial services

Archive for the ‘Security’ Category

Hacking your Bank | Snosoft


This is a fabulous post. It is fabulous because it shows the folly of every bank's walled-garden approach to security.

The message here is that you (bank) must assume your personnel network is compromised.

Hacking Your Bank | SNOSOFT RESEARCH TEAM

Because this engagement required stealth, we focused on the social attack vectors and Social Reconnaissance. We first targeted FaceBook with our “FaceBook from the hackers perspective“ methodology. That enabled us to map relationships between employees, vendors, friends, family etc. It also enabled us to identify key people in Accounts Receivable / Accounts Payable (“AR/AP”).

After investigating a few social network sites, they applied for a job at the bank, having carefully reviewed the job specs. The result:

Upon completion of our screening call, we had sufficient information to attempt stealth penetration with a high probability of success. The beauty is that we collected all of this information without sending a single packet to our customer’s network. In summary we learned:

  • That the bank uses Windows XP for most Desktops
  • Who some of the bank’s vendors were (IT Services)
  • The names and email addresses of people in AR/AP
  • What Anti-Virus technology the bank uses
  • Information about the bank's traffic control policies

Based on this information they developed a plan to get inside the bank, the first attack being a PDF invoice carrying the compromise. They were able to do this because they knew the types of intrusion detection used at the bank. It was all downhill from there.

That proved to be very useful as we were able to quickly identify VNC connections and capture VNC authentication packets. As it turns out, the VNC connections that we captured were being made to the Active Directory (“AD”) server. We were able to crack the VNC password by using a VNC Cracking Tool. Once that happened we were able to access the AD server and extract the server's SAM file.
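The quoted excerpt turns on remote-control (VNC) sessions to a domain controller being visible on the internal network. As an added defender-side example (not from the Snosoft post or from The Bankwatch), the following Python flags such sessions in constructed firewall flow records; the log format, the asset inventory and every address are assumptions.

```python
import re

# Constructed sample flow records (hypothetical format and addresses, not from the post).
SAMPLE_LOG = """\
2010-04-29T10:01:12 ALLOW TCP 10.1.20.15:51522 -> 10.1.1.10:5900
2010-04-29T10:01:15 ALLOW TCP 10.1.20.15:51530 -> 10.1.1.10:445
2010-04-29T10:02:40 ALLOW TCP 10.1.30.7:40011 -> 10.1.40.22:5901
2010-04-29T10:03:02 ALLOW TCP 10.1.5.5:52000 -> 10.1.1.10:5900
2010-04-29T10:04:11 DENY TCP 10.1.20.15:51600 -> 10.1.1.10:5900
"""

# Assumed asset inventory: the domain controllers, and the only hosts that are
# permitted to open remote-control sessions to them (a hardened admin jump host).
DOMAIN_CONTROLLERS = {"10.1.1.10"}
ADMIN_JUMP_HOSTS = {"10.1.5.5"}
VNC_PORTS = range(5900, 6000)  # RFB display ports 5900-5999

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

def parse_flow(line):
    """Return a dict for one flow record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    """Severity for an allowed VNC flow: 'high' when an unapproved source reaches a
    domain controller, 'medium' for VNC between ordinary hosts, None otherwise."""
    if rec["dport"] not in VNC_PORTS or rec["action"] != "ALLOW":
        return None
    if rec["dst"] in DOMAIN_CONTROLLERS:
        return None if rec["src"] in ADMIN_JUMP_HOSTS else "high"
    return "medium"

def vnc_alerts(log_text):
    """Walk the log and return (severity, timestamp, src, dst, dport) tuples."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            alerts.append((sev, rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return alerts

if __name__ == "__main__":
    for alert in vnc_alerts(SAMPLE_LOG):
        print(*alert)
```

Denied flows are skipped because the firewall already stopped them; the point is the allowed session from a workstation to the domain controller, which is exactly the traffic the excerpt describes being captured.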

Relevance to Bankwatch:

Traditional security methods and approaches are not adequate. Banks must assume that every employee in their organisation is vulnerable and will (not may) reveal some snippet of information which, combined with other snippets, gives a dedicated attacker enough information to succeed.

This revelation will result in a different approach to security. 


Written by Colin Henderson

April 29, 2010 at 22:58

Posted in Security

Indian Banks Adopt a Rule all Banks Need | security alerts


India adopts a new rule for banks [ht Payments News] that should have been voluntarily adopted years ago by all banks everywhere. I have always been a proponent of online alerts, but it makes eminent sense to make "card not present" alerts mandatory.

India’s Mandate re: Stronger Authentication for Card Not Present Use | Payments News

The rules require India’s banks to support two basic capabilities:

  • A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions (e.g., Verified by Visa or MasterCard SecureCode)
  • A system that provides "Online Alerts" to the cardholder for all ‘card not present’ transactions of the value of Rs. 5,000 (about US$104) and above

Written by Colin Henderson

August 2, 2009 at 08:37

Posted in Security


“My mom was right to be skeptical” | scam avoidance advice from Google


The headline "How to Steer Clear of Money Scams" on a Google blog caught my attention. It turns out it is incredibly useful information for people to think about while on the web.

How to identify scams and other schemes

Written by Colin Henderson

July 20, 2009 at 16:45

Posted in Security


A security hole every banker must read


Every banker and security expert must read this. The flow here is already common knowledge to security experts, but it really drives home to users how careful they must be about their password strategies.

The key here is to note how the interconnection takes place between, in this case, Gmail and the secondary address at Hotmail. The former can be secure, yet through innovative ‘social engineering’ the second can open all sorts of doors.

It is worthwhile to take the time to read through and think about your own approach.

The Anatomy Of The Twitter Attack | Techcrunch

Unfortunately for Twitter, Hacker Croll found such a weak point. An employee who has online habits that are probably no different than those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access – but in the case of this particular account he discovered a kink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.

At Hotmail, Hacker Croll again attempted the password recovery procedure – making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.
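The chain above breaks because the recovery address is trusted unconditionally and partly disclosed. As an added illustration (not from the Techcrunch article or from The Bankwatch), this Python contrasts that weak flow with a hardened one that gives no hint and refuses a secondary address that has not been re-verified recently; the account, dates and the 180-day policy are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example account: a webmail login whose recovery (secondary)
# address was verified once, years ago, and never checked again.
@dataclass
class Account:
    username: str
    secondary_email: str
    secondary_verified_at: datetime

NOW = datetime(2009, 7, 1)                       # assumed "current" time
SAMPLE = Account("employee.primary", "bobsmith@hotmail.com", datetime(2006, 3, 10))

def hint_for(address):
    """Build a partial hint of the form quoted above (******@h******.com).
    Included only to make the disclosure concrete; the hardened flow never emits it."""
    user, domain = address.split("@")
    label, tld = domain.rsplit(".", 1)
    return "*" * len(user) + "@" + label[0] + "*" * (len(label) - 1) + "." + tld

def weak_recovery(acct):
    """The flow described in the article: trust the stored secondary address
    unconditionally and tell the requester roughly where the reset link went."""
    return {"reset_sent_to": acct.secondary_email, "hint": hint_for(acct.secondary_email)}

REVERIFY_AFTER = timedelta(days=180)             # assumed policy value

def hardened_recovery(acct, now):
    """Hardened flow (hypothetical policy): no hint about the secondary address, and a
    secondary not re-verified within REVERIFY_AFTER is not used for a reset, because a
    dormant address may have been recycled and registered by someone else."""
    if now - acct.secondary_verified_at > REVERIFY_AFTER:
        return {"reset_sent_to": None, "hint": None,
                "action": "re-verify secondary address from an authenticated session"}
    return {"reset_sent_to": acct.secondary_email, "hint": None, "action": "reset link sent"}

if __name__ == "__main__":
    print(weak_recovery(SAMPLE))
    print(hardened_recovery(SAMPLE, NOW))
```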

Written by Colin Henderson

July 19, 2009 at 23:29

Posted in Security


6 years is too long for elimination of mag stripe debit cards


We were just hit today with a case of fraud that affected my family personally, and it just validates my view that the security of our payments networks is a problem being swept under the carpet. Every day, all banks contact thousands of customers to cancel their debit cards because they were, or may have been, compromised. This is a well-kept secret, and has not made the mainstream press yet.

In our situation it was actually our card that was compromised, and I know enough about the card's usage to narrow down the location of the compromise, which is why this one worries me. The compromise took place at a merchant, either a restaurant or a sporting goods store. No ATM was involved, so the compromise had to be a parasite POS terminal.

In our case the criminals used an ATM to withdraw cash shortly afterwards. Incidentally, thanks to our bank for picking up on this event within a few hours and dealing with it.


Chip migration offers hope, but only after the mag stripe is eliminated, and that is another 6 years off, even though chip cards are now being issued in 2009. The entire POS terminal fleet in Canada could be replaced quickly if there were a will to do so.

Chip Migration plans | EMV Canada

Interac Association has established migration dates for cards and terminals. Complete card and ABM conversion is required by the end of 2012; complete point of sale (POS) conversion is required by the end of 2015. After 2015, Interac debit magnetic stripe transactions will no longer be accepted at devices in Canada.

and this from Interac

The chip transition timeline

Every Acquirer (or payment service provider) has its own timetable in place for providing chip terminals. In order to ensure a smooth transition, Interac Association has implemented final conversion deadlines that work within merchants’ normal business cycles, so that merchants will be able to transition to chip within the set timeline and with minimum impact.

  • Interac chip cards and terminals are already being rolled out across Canada.
  • Complete migration to chip technology will take several years and the timetable for the introduction of chip will vary from one financial institution, and one service provider to another.
  • All Automated Banking Machines (ABM), point-of-sale (POS) terminals and banking cards across Canada will be upgraded.
  • Magnetic stripe debit card transactions will no longer be accepted at ABMs after December 31, 2012.
  • Magnetic stripe transactions will no longer be accepted at POS after December 31, 2015.
  • Chip cards will continue to carry the magnetic stripe, not only to facilitate the chip transition period, but also to allow cardholders to use their debit cards in other countries that do not use chip technology.

Relevance to Bankwatch:

Chip cards are coming, but the timeline is unacceptably long, out of a desire to keep merchants', acquirers' and issuers' costs down.

In Japan, debit has never taken off. On the other hand Suica and Pasmo are very popular, and are expanding beyond their original use for train service into convenience stores and other small-purchase locations. That includes beer, other alcohol, magazines and movie rentals.

The idea of leaving thousands of dollars in full view with a 4 digit number as the only key is insanity.


Suica is successful because it is handy, being a contactless (wireless) swipe, and low risk, with only small amounts stored.

Chip will introduce the security of a non-copyable card (we hope), but the 6 year wait in Canada is going to be an unfortunate inconvenience for the thousands who are compromised and have to replace their cards.

Research by Nobuyo Henderson

Written by Colin Henderson

June 20, 2009 at 20:35

Tower Group are right – US financial services firms have lost the battle to protect the personal information of customers


This is a sufficiently provocative headline that I can hardly ignore.

Financial institutions have lost battle to protect customer data – TowerGroup | Finextra

US financial services firms have lost the battle to protect the personal information of customers and must now assume that all their clients’ data has been, or will be, compromised, according to TowerGroup.

First of all I agree with the headline. The battle is largely lost; I would go further, and hesitantly admit what few bankers will, that control over customers' information never really existed. Why do I say that?

Consider how banks have evolved, which is one account type at a time, one service at a time. Each of those was managed by a disparate computer system, and as new products were added, new systems were added. This problem has only been magnified by bank consolidations, which added even more disparate systems.

The result is that Joe Customer has ‘files’ located within different systems, each with his own address and personal information. In fact he is often Joe C. Customer, or J.T. Customer, in those other systems. Government regulation that forestalled the use of Social Insurance/National Insurance numbers as identifiers forestalled any common macro identifier for Joe. The result is that the bank is not sure whether Joe is the same person in each system or not. Similar addresses are a clue but hardly definitive. I will have more to write on this later.

Let's return to the Tower piece in Finextra:

Meanwhile, companies should assume that traditional account information such as name, address, date of birth and account balance are useless as authentication factors. Instead they should consider using knowledge-based authentication and one-time passwords delivered via SMS.

Relevance to Bankwatch:

In other words, the very information that banks do not fully control nor understand in the context of customer identification is the same information that cannot be relied on any more. The conundrum is that this is the only information that banks have in place to rely upon. This is hardly a recipe for success nor customer loyalty, and small wonder that customers accept and promote the use of disaggregated financial services, spreading themselves between institutions as their own personal risk mitigation strategy.

Banks are very focussed on transaction security, using chip cards, two-factor authentication and the like, but this does nothing for information security. The bank that can ever crack this nut by offering complete information security, such that Joe in our example can feel confident about his financial information not being compromised, might just give itself a leadership edge.

Written by Colin Henderson

June 17, 2009 at 08:40

Posted in Security


Should the Fed be the 14th payment network, and how would that solve the problems?


President Kohn of the Kansas City Fed speaks at the ECB/De Nederlandsche Bank conference in Frankfurt. He argues for greater control by the Fed over the payments system. While his outline of the problems makes sense, they also describe the failure of the current system and the lack of foresight from the existing controls, and it's unclear that the proposed solution will have any impact other than exacerbating those problems. The problems he describes are real and, more importantly, consumer facing. They are also imho problems that large banks could address given their scale and the opportunity for customer loyalty. I am thinking of BofA and Wells specifically, but that is for another post.

The Future of Retail Banking and Payments – President Thomas H. Hoenig

In light of the trend toward greater industry concentration and the existence of important payments system externalities, the Federal Reserve should play a larger and more active role in electronic retail payments if it wants to promote the efficiency and integrity of the payments system.

There are two broad categories of problems that he identifies with the payments networks:

  1. lack of competitiveness: In 2007, 81% of the payments volume went over three networks, compared to 46% just a few years earlier. In addition the number of networks is down from 43 to 14.
  2. integrity of the system(s): He sees single points of failure and the prominence of non-banks as issues of concern. The variety of systems introduces externalities that undermine the entire system. His example is the continued use of the mag stripe and the security implications of not shifting to chip cards as the rest of the world has done.

On that last point I would add that holding on to the mag stripe is influencing the rest of the world with counter-productive results. For example, in Canada banks are issuing cards with both stripe and chip, which makes no sense. So long as the stripe exists, the flaws associated with the stripe exist. But the sheer size of the American market pressures the issuers to continue with the stripe for the foreseeable future.

Then he makes this statement:

Historically, the Federal Reserve’s role in both checks and ACH reflects a preference to operate within the market rather than as a pure regulator. We are well aware that industries can – and do – quickly develop methods to exploit any regulatory loopholes and avoid the intended outcome. By competing with the private sector on a level playing field, the Federal Reserve can encourage efficiency and integrity from an “on the ground” position.

That statement reads to me as rationalisation of inaction and continuation of the status quo.  His conclusion is that the best form of regulation and solution to the aforementioned problems is to compete with the other networks.

Thus, in my view, the Federal Reserve’s future role in retail payments should be built around its current position in ACH. For example, in its operator role, the Federal Reserve could augment its ACH products and services, with the aim of enhancing competition and safety within the ACH industry.

… … …

Finally, the Federal Reserve could enhance competition in payment card markets by positioning ACH services as an alternative to debit card payment networks.

It certainly is a strategy, and we can debate whether government ought to be engaged in payments systems directly, as regulators, or not at all. All I know is that consumers (and banks) will suffer from the real problems he identified at the outset, and it's not at all clear that the Fed's 14th network will address those problems at all. This reads as a recipe for disaster in American payments. For example, the very issue he outlined of underinvestment in security and integrity will only be accentuated as the other 13 networks work to compete with the Fed and protect profits. Expect continued data leakages, network outages, and identity theft.

Written by Colin Henderson

May 26, 2009 at 10:59
