Likes of Apple Pay may make smaller banks more vulnerable

Many banks with less than $50 billion in assets face a problem that payment systems like Apple Pay will make even more attractive to exploit

Many banks with less than $50 billion in assets have a problem that payment systems like Apple Pay will make even more attractive to exploit, a team of security researchers says.

By altering electronic-transfer files before they are uploaded to the national transaction clearinghouse, criminals can redirect funds to accounts they control and make off with millions of dollars at a clip, according to researchers at TrustCC, a consultancy specializing in financial institution IT security.

They presented their findings at (ISC)² Security Congress 2014.


The problem is that many banks and credit unions place these sensitive files on their corporate LANs before uploading them to the Automated Clearing House (ACH), a commercial network that processes a variety of financial transactions. That leaves them vulnerable to hackers who have successfully infiltrated the LAN.

While the attack isn't common yet, it could become more so as consumers shift from traditional magnetic-strip credit cards to more secure chip-and-PIN credit cards and alternative payment systems such as Apple Pay. These more secure methods will mean more work for professional hackers, say TrustCC researchers Andy Robbins and Brandon Henry.

When that happens, criminals may seek to steal directly from banks because they will present easier targets with larger potential payoffs per compromise, they say. "Then banks are a pretty juicy target," he says.

TrustCC researcher Brandon Henry

Victims of the attack the researchers describe would be among the roughly 4,000 banks and credit unions in the U.S. that have less than $50 billion in assets and are considered small banks. Larger banks, which actually control the vast majority of funds involved in ACH transfers, use an architecture that doesn't expose the same vulnerability, Henry says.

But in smaller banks, batch files in ACH format are generally created in secure core networks. At the end of the day these files are moved to shares on the corporate LAN to be reviewed by people on the institutions' accounting teams. Once approved, these files are sent to ACH.

The flaw in the system is that ACH files are often left on shares for some period of time. If hackers can access them before the person in accounting does, they can alter them, Henry says.

The accountants verify what is known as the 10-digit file control record, the sum of the routing numbers in the folder. So the hacker's code would alter the relevant numbers to divert the transfer to thieves' accounts and recalculate the folder's control record so it corresponds to the contents of the altered folder. If automated, the process takes about a tenth of a second using 35 lines of Python code. "It's so painfully simple any competent programmer could put this together in a day," he says.

These fraudulent transfers can easily go unnoticed for 24 hours, he says, but even if it's a shorter period it's certainly long enough for the criminals to shift the funds again and make them impossible to recover.

Before the exposed batch folders can be altered, though, hackers first have to break into bank LANs and gain enough privileges to access the shares that contain them. Robbins says in his penetration-testing experience hackers can escalate to domain administrator in financial institutions about half the time using phishing in combination with other common hacking methods. Once they've done that they can almost always find ACH folders, he says.

The researchers have come up with a proof-of-concept of this hack, which they say they have presented to various financial institution associations and to NACHA, which manages development and administration of ACH. After two months of responsible disclosure, they've decided to publicly reveal it. Recently they have been in touch with NACHA and they feel some progress is being made toward fixing the problem.

One way to address the problem is to encrypt all transaction files before they come out of the secure core network, Henry says. If that can't be done, the ACH system and the means to electronically send funds should be replaced.

All access to these files should be logged and write access to these files should be prohibited by machines outside the core network, he says.
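One way to implement the file-level mitigation Henry describes, as an added example that is not TrustCC's proof-of-concept: the accountants' control-record check passes on a file that was altered and then made internally consistent again, but a keyed MAC computed on the core network and verified immediately before upload does not. The simplified record layout, the key, and all routing numbers, accounts and amounts are constructed assumptions.

```python
import hashlib
import hmac

# Constructed, simplified NACHA-style records (added example, not TrustCC's code).
# Entry detail records ('6') carry the receiving bank's 8-digit routing number at
# positions 4-11; the file control record ('9') carries the 10-digit entry hash
# (sum of those routing numbers, rightmost 10 digits) at positions 22-31.
def _entry(routing8, check_digit, account, cents, name):
    return ("6" + "22" + routing8 + check_digit + account.ljust(17)
            + f"{cents:010d}" + " " * 15 + name.ljust(22)).ljust(94)

def _control(entry_count, entry_hash_value, credit_cents):
    return ("9" + "000001" + "000001" + f"{entry_count:08d}"
            + f"{entry_hash_value:010d}" + "0" * 12 + f"{credit_cents:012d}").ljust(94)

# File as produced on the core network (fictitious routing numbers and accounts).
ORIGINAL = "\n".join([
    _entry("08765432", "1", "1234567", 150000, "PAYROLL ALICE"),
    _entry("12345678", "0", "7654321", 250000, "PAYROLL BOB"),
    _control(2, 21111110, 400000),
])
# Same file after tampering on the LAN share: Bob's routing number has been
# swapped and the entry hash recomputed, so the control record still adds up.
ALTERED = "\n".join([
    _entry("08765432", "1", "1234567", 150000, "PAYROLL ALICE"),
    _entry("11111111", "7", "7654321", 250000, "PAYROLL BOB"),
    _control(2, 19876543, 400000),
])
KEY = b"constructed-demo-key-held-only-on-core-network"  # never placed on the share

def entry_hash(ach_text):
    """Recompute the entry hash from the entry records."""
    lines = ach_text.splitlines()
    return sum(int(l[3:11]) for l in lines if l[0] == "6") % 10**10

def control_record_consistent(ach_text):
    """The check the accounting team performs: control record vs. the entries."""
    control = next(l for l in ach_text.splitlines() if l[0] == "9")
    return int(control[21:31]) == entry_hash(ach_text)

def seal(ach_text, key):
    """Keyed MAC computed on the core network before the file is exported."""
    return hmac.new(key, ach_text.encode(), hashlib.sha256).hexdigest()

def seal_valid(ach_text, key, tag):
    """Check run immediately before upload to ACH; any byte change fails it."""
    return hmac.compare_digest(seal(ach_text, key), tag)

if __name__ == "__main__":
    tag = seal(ORIGINAL, KEY)
    print(control_record_consistent(ORIGINAL), seal_valid(ORIGINAL, KEY, tag))  # True True
    print(control_record_consistent(ALTERED), seal_valid(ALTERED, KEY, tag))    # True False
```

The MAC only helps if the key never leaves the core network, which is also why the logging and read-only share permissions above matter: a tag computed on the LAN with a key stored beside the file proves nothing.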

Robbins admitted that the largest banks, those that account overwhelmingly for the monetary value of total transactions, upload transfers electronically directly from their core banking networks.

Some smaller banks outsource their core networks to third-party providers but still expose ACH files to their business networks, he says. Sometimes the outsourcers place their core networks on the bank's corporate LAN.
