Lessons from This Year’s Major Cyber News
Numerous cyber attacks, detected and undetected, occur every day, and our cybersecurity awareness should be on heightened alert every day as well. Unfortunately, it is human nature to let down our guard, but the monetary and reputational cost of even a momentary lapse in cyber vigilance can be extremely consequential.
Observe the fifteenth annual National Cybersecurity Awareness Month (NCSAM) at your financial institution by taking a look at some of the most significant cyber events of 2018.
Trouble at the ATM
In early August, cyber criminals stole as much as $11.5 million from a bank in India through an ATM cash-out scheme, with an additional $2 million stolen through fraudulent bank transfers. The hack came on the heels of an FBI warning to financial institutions that this type of attack was imminent. According to KrebsOnSecurity, the FBI alert was issued on Friday, Aug. 10. The following Tuesday, the Indian bank disclosed that it had been hit over the weekend.
ATMmarketplace reports that, “the scheme began with the breach of a firewall” protecting the bank’s servers. Once inside, the cyber criminals “set up their own proxy server to authorize the fraudulent transactions,” and then used cloned bank cards at ATMs across India and in 28 other countries to withdraw the cash before the scam was shut down.
These ATM cash-outs pay big rewards, because cyber criminals remove ATM withdrawal and transaction limits right before they hit their target. And this isn’t just happening outside the United States. A community bank in Virginia lost $2.4 million to an ATM cash-out scheme that began in 2016 and continued into 2017.
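The two cash-out cases above share a pattern: the attackers sat in the authorization path (their own proxy approving transactions with limits removed) and then drained cash through many ATMs in many countries over a weekend. A control that does not trust that authorization path is to re-apply the institution's own limits to the approved withdrawals after the fact. The script below is an added illustration, not code from the article or from any of the banks mentioned; the log format, the card identifiers, the per-card daily limit and the "countries per hour" threshold are all assumptions, and the log lines are constructed.

```python
"""Added example: flag an ATM cash-out pattern in constructed withdrawal records.

Because the attackers controlled authorization (their proxy said "approve"),
the check here is independent of that path: it re-applies the bank's own
daily limit to already-approved withdrawals and looks for cards used in an
implausible number of countries within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT_USD = 500       # assumed per-card daily withdrawal limit
MAX_COUNTRIES_PER_HOUR = 2  # assumed: more than this in one hour is physically implausible

# Constructed sample records: ISO timestamp, card id, ISO country code, amount in USD.
# card-1001 models a cloned card used in a cash-out; card-2002 is ordinary use.
SAMPLE_LOG = """\
2018-08-11T02:00:00 card-1001 IN 200
2018-08-11T02:05:00 card-1001 IN 300
2018-08-11T02:15:00 card-1001 AE 500
2018-08-11T02:20:00 card-1001 US 500
2018-08-11T02:25:00 card-1001 GB 500
2018-08-11T09:00:00 card-2002 IN 100
2018-08-11T15:00:00 card-2002 IN 150
"""


def parse_log(text):
    """Parse whitespace-separated withdrawal lines into (timestamp, card, country, amount)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, country, amount = line.split()
        records.append((datetime.fromisoformat(ts), card, country, int(amount)))
    return records


def find_cashout_cards(records, daily_limit=DAILY_LIMIT_USD,
                       max_countries=MAX_COUNTRIES_PER_HOUR):
    """Return {card: [reasons]} for cards whose approved withdrawals look like a cash-out."""
    by_card = defaultdict(list)
    for rec in records:
        by_card[rec[1]].append(rec)

    flagged = {}
    for card, recs in by_card.items():
        recs.sort()  # chronological; tuples sort by timestamp first
        reasons = []

        # Check 1: re-apply the daily limit the attackers are assumed to have removed.
        per_day = defaultdict(int)
        for ts, _, _, amount in recs:
            per_day[ts.date()] += amount
        for day, total in sorted(per_day.items()):
            if total > daily_limit:
                reasons.append(f"total {total} on {day} exceeds daily limit {daily_limit}")

        # Check 2: one-hour sliding window over distinct countries of use.
        for i, (start, _, _, _) in enumerate(recs):
            window = [r for r in recs[i:] if r[0] - start <= timedelta(hours=1)]
            countries = {r[2] for r in window}
            if len(countries) > max_countries:
                reasons.append(f"{len(countries)} countries within one hour of {start.isoformat()}")
                break

        if reasons:
            flagged[card] = reasons
    return flagged


if __name__ == "__main__":
    for card, reasons in find_cashout_cards(parse_log(SAMPLE_LOG)).items():
        print(card)
        for reason in reasons:
            print("  -", reason)
```

Running it over the constructed log flags only card-1001, once for breaching the daily limit and once for appearing in four countries inside an hour. The design point is that both checks run on the transaction record rather than inside the authorization decision, so they still fire when the authorization server (or a proxy standing in for it) has been subverted.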
An additional problem with ATM security at U.S. financial institutions has come to light this year. In January, the U.S. Secret Service warned institutions about ATM jackpotting, in which the machines are infected with malware that causes them to “spit out huge volumes of cash on demand.”
Both ATM cash-out scams and jackpotting are particularly dangerous for smaller institutions that typically spend less money and time on information technology and cybersecurity. The FBI alert on ATM cash-outs noted the vulnerability of “smaller financial institutions that may not have sufficient resources dedicated to staying up to date with the latest security measures.” The Secret Service alert on ATM jackpotting specifically warned banks that have not invested in moving their ATMs off Windows XP.
Infiltration of Payment Messaging Systems
Another notable bank cyber heist occurred this spring in Mexico, when cyber criminals hacked into at least five financial institutions and used the SPEI payment messaging system to steal $15.3 million. PYMNTS.com describes SPEI as a system similar to the international money and securities transfer system SWIFT, which “allows users to electronically transfer money between deposit accounts through a private, encrypted network operated by Mexico’s central bank.”
According to InfoSecurity, Mexican Central Bank officials claim that, “SPEI itself is not thought to have been compromised but rather the software used by banks to connect to it.” This is consistent with SWIFT’s reaction after suffering similar hacks. For instance, after the Russian Central Bank announced that hackers used SWIFT to steal $6 million from a Russian bank, Reuters reported that, “SWIFT says its own systems have never been compromised by hackers.”
However, SWIFT, which was also the vehicle for a 2017 attempted hack on another Russian bank as well as a successful $81 million attack on Bangladesh Bank in 2016, acknowledged that, “digital heists were becoming increasingly prominent as hackers use more sophisticated tools and techniques to launch new attacks.”
More Third-Party Concern
The SPEI and SWIFT hacks underscore the need for financial institutions to build and maintain robust vendor risk management programs. Further proof of this came to light in August, when a third-party service provider admitted to a data exposure, which Wired says occurs “when data is stored and defended improperly such that it is exposed on the open Internet and could be easily accessed by anyone who comes across it.”
The exposure occurred at TCM Bank, a credit card issuer. According to Krebs, a “Web site misconfiguration exposed the names, addresses, dates of birth and social security numbers of thousands of people who applied for cards between early March 2017 and mid-July 2018.”
Fortunately, TCM acted quickly to close the exposure upon discovery, but Wired warns that, “The most sinister thing about data exposures is that there’s no way to know for sure what exactly went down while no one was watching.”
And as Krebs advises, “Organizations of all shapes and sizes need to be vigilant about making sure their partners are doing their part on security, lest third-party risk devolves into a first-party breach of customer trust.”
Blackmail in Atlanta
There was another eye-opening cyber event that should raise concern for financial institutions, even though it did not occur in our industry. On March 22, the City of Atlanta was hit with a ransomware attack. CNet described it as “the worst cyberattack to ever hit a U.S. City,” a sentiment echoed by The New York Times.
Atlanta refused to pay the $52,000 bitcoin ransom, even as the attack left many of the city’s mission-critical systems inoperable. Despite the recovery being “far more costly than the initial demand” (upward of $2.6 million), Wired notes that, “refusing to pay and investing in remediation will likely improve Atlanta’s cyber defenses for the long term.”
According to The New York Times, the SamSam group, which is being blamed for the attack, “is believed to have extorted more than $1 million from some 30 target organizations in 2018 alone.”
This has all occurred against the backdrop of Verizon’s 2018 Data Breach Investigations Report (DBIR), which indicates that ransomware represented “the most prevalent variety of malware” detected in the 53,308 security incidents and 2,216 data breaches analyzed for the study. The DBIR also warns that attacks involving ransomware are transitioning their starting point from individual desktops and devices, which when properly protected can limit the attack’s reach, to databases, servers and even entire networks.
Russians in the Energy Grid
Perhaps the most disturbing 2018 incident was the U.S. Intelligence community’s warning that Russian-linked hackers have targeted and successfully infiltrated our energy sector. The United States Computer Emergency Readiness Team (US-CERT) reports that the “DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”
There are at least three reasons why this attack should concern financial institutions:
1. It was perpetrated on critical infrastructure, of which the financial system is another vital part.
2. Unfortunately, it is not the only recent attack involving Russians. Others include the 2017 Russian-linked NotPetya ransomware attacks and the 2018 widespread hack of routers around the world.
3. It is not the only apparent state-sponsored attack. China and North Korea have been accused of cyber-criminal activity, and Wired reported last spring that nine Iranian hackers were indicted for allegedly infiltrating the systems of 300 universities and stealing “31 terabytes of data, estimated to be worth $3 billion in intellectual property.”
These are just a few of the cyber events that occurred so far this year. Indeed, the full scope of 2018 cyberattacks is too vast to cover here. Suffice it to say that numerous household brand names (including Under Armour, Saks and Panera Bread) have seen their reputations hit by either data breach or exposure. The latest appears to be the September announcement that 50 million Facebook accounts were breached.
As the DBIR notes, it only takes cyber criminals a few minutes to hack into organizations, but 68 percent of breaches took months or longer to be discovered. And, “in many cases, it’s not even the organization itself that spots the breach—it’s often a third party, like law enforcement or a partner.” Or “worst of all, many breaches are spotted by customers.”