Data Breaches Back in Spotlight After $45M ATM Heist


After months of being distracted by distributed denial of service attacks, the $45 million fraud perpetrated last week against Rakbank in the United Arab Emirates and the Bank of Muscat in Oman is refocusing attention in the financial industry on data breaches and the security procedures and technology that can prevent them.

In phase one of the complex, international theft, hackers used malware to breach the card processors the two banks were using, EnStage, which is incorporated in Cupertino, Calif., and ElectraCard Services, which is based in Pune, India. The criminals overrode security protocols, found prepaid debit card systems and deleted limits on the accounts, paving the way for new access codes to be created and for account information to be loaded onto magnetic stripe cards used to withdraw cash from ATMs.

The case is still under investigation and it's not yet known what specific type of malware or hacking techniques were used to compromise the processors' systems in phase one. But according to Verizon's latest Data Breach Investigations Report, 76% of network intrusions exploit weak or stolen credentials, 40% incorporate malware and 29% leverage social tactics such as spearphishing.

Weak or stolen credentials — That this is such a common problem is not news; experts have been saying for years that the password is broken. One issue is that people tend to re-use passwords, notes Alphonse Pascual, senior analyst - security, risk and fraud at Javelin Strategy & Research. In a recent webinar he did for security professionals, 60% admitted they reuse their passwords. When a database has been breached and consumers' login credentials are exposed, "all those names and passwords are somewhere out on the web for you to find. If you know that certain people work at a card processor, you find their login credentials in the database, those may be similar to what they use to access their employer's login site," Pascual says.

Stronger user authentication is key. "We're allowing passwords alone to be the sole authentication method by which we're allowing access to databases of information," Pascual says. One-time passwords, out-of-band authentication, biometrics, and geolocation could help provide better authentication.

Malware — Malicious software is installed directly by an attacker who has gained access to the system about 75% of the time, according to the Verizon report. Almost half the time (47%) it's installed through an email attachment. And 75% of the time, the malware takes the form of spyware (technology, such as tracking software, that aids in gathering information about a person or organization without their knowledge) or a keylogger (a software program or hardware device that records all keystrokes on a computer keyboard). Anti-malware software, which most companies use, can help mitigate the effect of malicious software. There are also specialized software programs, such as Strikeforce Technology's software, that encrypt keystrokes so that they can't be picked up by a keylogger tool or screen scraped. User names and passwords can also be stolen by malware if they are stored or transmitted in unencrypted clear text. They can also be grabbed from within a computer's memory, where they aren't encrypted.

Malware can be kept at bay with good patch and configuration management, notes Rick Holland, senior analyst, security and risk management at Forrester Research. "Next, run host-based security solutions that can prevent the actual exploitation, think application whitelisting type solutions." Mobile platforms make anti-malware efforts much more challenging, he notes. "Apple has a bit more control of patching, but Android is particularly painful. As of today, only 26.1% of Android devices are running the latest version of code available (Jelly Bean). So the unpatched vulnerabilities in the previous code releases are ripe for exploitation. If I were using an Android device I'd want to run a Google version so that I get access to the latest code versions without having to wait on my carrier to roll it out."

Social tactics — "Spear phishing tends to be one of the ways breaches like this are committed; fraudsters are getting better at identifying targets of value," Pascual says of the method of sending fake emails that appear to be from a legitimate business (such as a bank) and tricking recipients into divulging online credentials, often through a spoofed website. "If spear phishers identified those processors as a weak place from which they wanted to get data, then sending spear phishing emails with malware, possibly with keylogging software, would be a way to achieve that." However, the ATM heist-related hacking could also have been done by an insider, he cautions.

Automated account and transaction monitoring could have helped processors EnStage and ElectraCard — they might have noticed when the hackers lifted limits on prepaid card accounts and they might have observed thousands of ATM transactions happening over a very short time. "If they're using something, it wasn't sufficient," Pascual notes. "These transaction monitoring tools all have a built-in risk engine, but often they leave it to internal staff to adjust controls, so there may be an opportunity there for training on best practices and what they should be looking for when they're writing their rules."
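Added here to illustrate the kind of rules Pascual is describing; this is example code, not from the article, the processors or any monitoring vendor, and the log format, field names, card identifiers and thresholds are all invented for the demonstration. It reads a constructed processor event stream and raises three alerts: a card limit raised by an order of magnitude or more, a single card cashing out at more than a handful of ATMs within a ten-minute window, and a fleet-wide spike in withdrawals across all cards in the same window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample processor log (not real data). Card A has its limit
# effectively removed and is then drained at several ATMs within minutes;
# card B shows ordinary activity and should not trigger anything.
SAMPLE_LOG = """\
2013-02-19T03:00:00Z LIMIT_CHANGE card=A old=500 new=1000000 actor=svc_batch
2013-02-19T03:05:00Z LIMIT_CHANGE card=B old=500 new=750 actor=ops_jane
2013-02-19T03:10:00Z ATM_WITHDRAW card=A amount=500 atm=NYC-0012
2013-02-19T03:11:00Z ATM_WITHDRAW card=A amount=500 atm=NYC-0013
2013-02-19T03:12:00Z ATM_WITHDRAW card=A amount=500 atm=NYC-0014
2013-02-19T03:13:00Z ATM_WITHDRAW card=A amount=500 atm=NYC-0015
2013-02-19T03:14:00Z ATM_WITHDRAW card=A amount=500 atm=NYC-0016
2013-02-19T03:15:00Z ATM_WITHDRAW card=B amount=100 atm=LAX-0001
2013-02-19T04:30:00Z ATM_WITHDRAW card=B amount=100 atm=LAX-0001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse_event(line):
    """Parse one 'timestamp EVENT k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = m.group("event")
    return fields


def detect(lines, limit_factor=10.0, max_card_withdrawals=4,
           max_global_withdrawals=5, window=timedelta(minutes=10)):
    """Run the three rules over an event stream; each (rule, card) fires at most once."""
    alerts = []
    fired = set()
    per_card = defaultdict(deque)   # sliding window of withdrawal times per card
    global_q = deque()              # sliding window of withdrawal times across all cards

    def fire(rule, card, ts):
        if (rule, card) not in fired:
            fired.add((rule, card))
            alerts.append((rule, card, ts))

    def trim(q, now):
        while q and now - q[0] > window:
            q.popleft()

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event"] == "LIMIT_CHANGE":
            old, new = float(ev["old"]), float(ev["new"])
            # A limit raised by limit_factor or more (or set from 0) is treated as lifted.
            if new > 0 and new >= old * limit_factor:
                fire("LIMIT_LIFTED", ev["card"], ev["ts"])
        elif ev["event"] == "ATM_WITHDRAW":
            q = per_card[ev["card"]]
            q.append(ev["ts"])
            trim(q, ev["ts"])
            if len(q) > max_card_withdrawals:
                fire("VELOCITY", ev["card"], ev["ts"])
            global_q.append(ev["ts"])
            trim(global_q, ev["ts"])
            if len(global_q) > max_global_withdrawals:
                fire("GLOBAL_SPIKE", "*", ev["ts"])
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, card, ts in run_demo():
        print(f"{ts.isoformat()} {rule} card={card}")
```

The thresholds are deliberately tiny so the constructed log trips them; in production they would be set from each processor's own baseline, which is exactly the rule-tuning work Pascual says is too often left to untrained internal staff. The limit rule is the one that would have fired earliest in the scenario the article describes, before any cash left an ATM.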

PCI certification, which calls for encryption and safe passage of data, might have helped, but it's not foolproof. Famous data breach victim Global Payments was PCI certified. One problem is that the qualified security assessors that certify companies are also attempting to sell products to the same people they're certifying.

Any time a bank is working with a third party such as a card transaction processor, it needs to perform an objective assessment of that company. "Some organizations will be a target regardless of what they do, but most become a target because of what they do," the Verizon breach report states.
