In today’s digital-first world, banks and financial service companies need to allow their customers to easily manage money online in order to compete. Unfortunately, most banking platforms were not designed securely and hackers have been taking advantage of these built-in weaknesses ever since banks first went online.
Although banking attacks have become more complex in the past few years, the vast majority still rely on tricking users. For example, one common phishing attack used against banks involves directing targets to a malicious clone of the banking platform’s actual website. Once users try to log in to this genuine-looking fake website, the fake site confuses them by displaying a “Service Not Available” message while storing the credentials the user just entered.
It’s all about manipulating users into making mistakes. But phishing attacks are just one tactic to be aware of in the age of e-banking. Here are five more ways hackers attack banks through their users:
SIM swapping attacks
SIM swapping (sometimes called SMS swapping) has become quite common in the banking industry. First, the attacker learns a victim’s private phone number, along with the phone’s Security ID. Then the attacker calls the carrier’s SIM card call center claiming they lost their phone, have bought a new SIM card and now need to get their old number back. Using the Security ID and other private information, possibly gathered from snooping on social media accounts, they convince the telecommunication support person to perform the phone number swap.
This scam can even evade security protections. Most banking institutions that offer multi-factor authentication (MFA) to protect online banking sessions and applications rely on SMS-based MFA instead of using mobile tokens. Once hackers steal people’s phone numbers, they have access to these SMS messages. That means they can access the victim’s account even if it has SMS-based MFA in place.
Man-in-the-middle attacks
Another old but effective tactic is the Man-in-the-Middle (MITM) attack, in which attackers target banking platforms that do not adequately protect their infrastructure. This not only allows hackers to steal money, but also negatively affects the bank’s reputation by making its infrastructure seem fragile and vulnerable. The attack allows fraudsters to interfere with the communication between users and the bank’s backend to change transaction values and destination accounts. It can be prevented by using certificate pinning, which allows the bank’s application to trust only a specific certificate for a given server.
However, vulnerabilities have been found in such implementations even when TLS connections are used. A common technique called DNS spoofing can easily redirect a victim’s traffic when the attacker is connected to the same Wi-Fi network, if the client fails to validate the server’s hostname. The best way banks can prevent this attack from harming a customer’s account is by implementing a token-based multi-factor transaction signature.
Man-in-the-browser attacks
The Man-in-the-Browser (MITB) attack uses a trojan horse proxy that infects the user’s web browser. It plays the role of a MITM, sniffing and modifying transactions performed from the infected browser while still displaying the user’s legitimate input back to them. Most users assume their transactions are protected via SSL/TLS if they’re using a website with HTTPS enabled, but SSL/TLS only protects data in transit, between the browser and the server; it cannot protect data that is altered inside the browser before it is encrypted.
Better certificate management can prevent infection, but this is very hard to guarantee when a user is banking from their personal computer. Luckily, this attack can also be prevented by implementing multi-factor authentication tokens to protect the bank transaction itself.
Spear phishing attacks
Spear phishing is an email spoofing technique used by fraudsters to target a specific organization or individual with a customized, highly-realistic phishing email. Simply put, it’s a more targeted, complex and research-intensive version of phishing.
This attack is usually used against organizations that the attacker is familiar with. Attackers will use insider knowledge to specifically target the employee responsible for making payments in a way that seems realistic. For example, they might send an email to an accountant that appears to be from the CFO asking them to make a payment that appears normal at first glance. If the employee falls for the attack, it could lead them to a fake website or download link that triggers a MITM or MITB attack.
Mobile malware attacks
Mobile banking trojans are one of the most flexible and dangerous types of malware, designed to steal funds from users’ accounts by stealing their credentials. They look like genuine mobile applications in the Apple or Google store, but when the user downloads and runs the application, it starts monitoring the phone’s banking apps. Not every banking app is designed to protect its own assets appropriately, so passwords and account details are often easy to extract due to bad implementations and exposure through open source libraries.
How banks can defend themselves
One of the best ways for banks to protect their payment systems is to require MFA security layers for each money transaction. Even if customers are tricked into logging onto a fake website or clicking a phishing link, attackers would never be able to transfer money or make payments.
These actions depend on the end user’s token, which the attacker would not have if MFA controls are in place! This can be accomplished by generating token-based signatures over fixed and random transaction attributes such as payee names, values, accounts, timestamps, and so on, so that any change to the transaction in transit invalidates the signature. Plus, MFA won’t negatively impact the user experience of a banking app or service if it’s implemented correctly.
One thing’s for certain – hackers will continue to view banks and financial institutions as fertile grounds for lucrative fraud campaigns. Banks owe it to their customers to constantly reassess their security measures in order to protect against the above online threats, but users play a role in e-banking security as well. Customers need to educate themselves on the top banking attacks, understand when their money might be at risk, and advocate for better security controls when necessary.