Cyber robbers want cold, hard cash—and they’re finding it at small banks, credit unions

Under constant, though unpublicized, attack, financial institutions find some relief by turning to managed security services

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Bankers abhor any pub­lic air­ing of details of net­work breach­es, or worse, suc­cess­ful cyber robberies.

Hard met­rics are not avail­able, due to the closed nature of the finan­cial ser­vices sec­tor. But make no mis­take, the finan­cial ser­vices sec­tor remains under relent­less cyber attack.

In the 13 years I’ve been writ­ing about cyber­se­cu­ri­ty, there has nev­er been any short­age of mat­ter-of-fact dis­cus­sions in the cyber­se­cu­ri­ty and law enforce­ment com­mu­ni­ties about the intense, ongo­ing prob­ing of bank­ing sys­tems globally.

I took this up with Bri­an Solda­to, NSS Labs’ senior prod­uct man­age­ment direc­tor, when we sat down for a chat at RSA 2017. And he con­firmed that sur­veil­lance gath­er­ing and net­work breach attempts against finan­cial ser­vices firms occurs 24÷7÷365.

Bri­an Solda­to, NSS Labs senior prod­uct man­age­ment director

Banks of all sizes targeted

The biggest multi­na­tion­al banks, as well as the tens of thou­sands of com­mu­ni­ty banks and cred­it union type of insti­tu­tions in the Unit­ed States and across the globe are being tar­get­ed, Solda­to says.

NSS Labs is in a posi­tion to know. One of the main ser­vices the Austin, Texas-based secu­ri­ty con­sul­tan­cy pro­vides is its Cyber Advanced Warn­ing Sys­tem, or CAWS, a sophis­ti­cat­ed radar for cyber threats used by large enter­pris­es to mon­i­tor the ebb and flow of mali­cious attacks mov­ing across the internet.

Once in a while, detailed infor­ma­tion sur­faces about what a cut­ting-edge finan­cial sec­tor attack looks like. That hap­pened this week at Kasper­sky Lab’s annu­al Secu­ri­ty Ana­lyst Sum­mit, an exclu­sive, invi­ta­tion-only event, held this year at a glitzy resort on the Caribbean island nation St. Maarten.

Relat­ed info­graph­ic: Attack­ers hit big and small finan­cial firms

Kasper­sky researchers dis­closed how for five hours one day last Octo­ber, a hack­ing ring grabbed com­plete con­trol over all major oper­a­tions of a multi­na­tion­al bank. The bank was not named, except to say that it has $25 bil­lion in assets, 5 mil­lion cus­tomers, and 500 branch­es in Brazil, Argenti­na, the Unit­ed States, and the Cay­man Islands.

The cyber thieves—believed to be part of a Brazil­ian crime ring—toiled for five months in prepa­ra­tion to set up this five-hour coup d’état. They suc­ceed­ed in inter­cept­ing the bank’s entire online bank­ing, mobile, point-of-sale, ATM and invest­ment transactions.

Thieves, good guys play cat and mouse

This dis­clo­sure resound­ing­ly affirmed what Solda­to and I dis­cussed. “The gaps are still out there,” he told me. “It’s much more dif­fi­cult to stay ahead of these threats today, as com­pared to a few years ago, because they’re con­stant­ly evolving.”

While big multi­na­tion­als rep­re­sent the biggest pay­days, and thus attract the most sophis­ti­cat­ed attacks, com­mu­ni­ty banks and cred­it unions are attrac­tive to crim­i­nals for anoth­er rea­son: they tend to be less well-defended.

Thus local banks and cred­it unions have become the prov­ing grounds for less expe­ri­enced cyber rob­bers who show ini­tia­tive by mak­ing good use of old­er generation—but still very effective—hacking tools and tech­niques, Solda­to says.

Here are a few oth­er take­aways about the expo­sure faced by finan­cial sec­tor SMBs, name­ly com­mu­ni­ty banks and cred­it unions:

• Seek­ing help from MSSPs. It’s typ­i­cal for a small bank to rely on basic net­work defense sys­tems, when what’s need­ed is round-the-clock analy­sis of every bit of traf­fic hit­ting the institution’s net­work. Mali­cious probes and com­mu­ni­ca­tions with crim­i­nal com­mand-and-con­trol servers are non­stop. Under­stand­ing and being able to detect mali­cious traf­fic is key. To address this, small insti­tu­tions are increas­ing­ly turn­ing to a man­aged secu­ri­ty ser­vice provider to sup­ply this expertise.

• ATMs exposed. Kasper­sky researchers this week also dis­closed details about how attack­ers were able to com­pro­mise a bank’s net­work in such a fash­ion so as to be able to remote­ly com­mand ATMs to dis­gorge cash. It may be just a mat­ter of time before this tac­tic catch­es on with small­er U.S. banks and cred­it unions, many of whom oper­ate ATMs using the ancient Win­dows XP oper­at­ing sys­tem, which Microsoft no longer sup­ports. “It’s very easy for an attack­er to buy a gener­ic vul­ner­a­bil­i­ty off the Inter­net and tar­get that cred­it union or those com­mu­ni­ty banks with it,” Solda­to says.

• Ran­somware risk. Ran­somware attacks direct­ed at the finan­cial ser­vices sec­tor more than tripled in 2016 vs. 2015, most­ly against small­er insti­tu­tions. Besides fail­ing to ade­quate­ly defend against this vir­u­lent form of cyber extor­tion, many small­er banks and cred­it unions don’t have nim­ble back­up and dis­as­ter recov­ery rou­tines in place. “It’s very com­mon for them to end up hav­ing to pay the ran­som because it’s actu­al­ly faster for them to get back online by pay­ing than it is for them to try to recov­er their sys­tems,” Solda­to says.

There are 6,000-plus com­mu­ni­ty banks and near­ly 7,000 cred­it unions in the Unit­ed States. Those under the most pres­sure to beef up defens­es against cyber rob­bers are the ones with $50 mil­lion or less in annu­al rev­enue, Solda­to says.

Solda­to told me he expects small­er insti­tu­tions to increas­ing­ly turn to man­aged ser­vices providers for help. To hear more, lis­ten to the accom­pa­ny­ing podcast.

More sto­ries relat­ed to hack­ers’ hits on finan­cial systems:
At new eATMs, cus­tomers can get cash with­out a card—and so can hackers
Small banks, cred­it unions on front lines of cyber­se­cu­ri­ty war
Small banks and cred­it unions increas­ing­ly under cyber attack