Banks have good reason to pay attention to the cyberattack that hit the New York Times, Twitter and Huffington Post websites yesterday and apparently resumed on the Times site today — they are vulnerable to the same type of assault.
The Syrian Electronic Army, which backs Syria's President Bashar al-Assad, has taken credit for the attack, in which it broke into the computers of the websites' domain registrar, Melbourne IT. (A domain name registrar redirects visitors from a site's user-friendly public URL, such as www.nytimes.com, to the hidden, numerical IP address of the actual website server.) Once there, the Syrian Electronic Army gained access to registry records and changed contact details and domain name servers for the sites, redirecting visitors to the group's own sites. The attack began as U.S. officials were debating a military strike on Syria in reaction to its government's use of chemical weapons against its own people.
"If your registrar uses single-factor authentication, you are just as vulnerable" as the New York Times is, says Robert E. Lee, security business partner at Intuit. "If that [registrar] gets pilfered, every single domain name that is associated with that username and password is vulnerable to that same attack."
Melbourne IT has several bank clients, including Union Bank in San Francisco. Union Bank did not immediately respond to a request for comment.
"It could happen to bank websites since the same underlying issue (relying on a third party as its domain name registrar) exists for them as well," says Joram Borenstein, vice president of NICE Actimize, a provider of risk and compliance software to banks. "If your third party vendor isn't sufficiently secure, you might as well assume a problem will eventually arise on your doorstep."
Melbourne IT did not respond to a request for comment, but did explain the attack in an email to customers: "The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT's systems. The DNS records of several domain names on that reseller account were changed — including nytimes.com. Once Melbourne IT was notified, we changed the affected DNS records back to their previous values, locked the affected records from any further changes at the .com domain name registry, and changed the reseller credentials so no further changes can be made. … We will also review additional layers of security that we can add to our reseller accounts."
Other domain registrars, including MarkMonitor and Network Solutions, also let users log in with a simple user name and password, making them susceptible to hacking. Several bank customers of these services did not immediately respond to a request for comment.
This type of attack is not brand new, but it's a cut above the Syrian Electronic Army's breach of Twitter earlier this year.
"In terms of the sophistication of the attack, this is a big deal," said Marc Frons, CIO for the New York Times Co. in a statement yesterday. "It's sort of like breaking into the local savings and loan versus breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of Web sites."
As in other areas of their business, financial services companies are at the whim of their vendors' security standards.
"Every player in the chain is important — poor security in any one cripples the whole system," says Ben Knieff, financial crime consultant and founder of Outside Look. "This means players that might have seemed low risk in the past are actually very high value and must have strong security."