The financial services sector remained a sweet spot for cybercriminals in the second half of 2016. As we predicted in June, the industry continued to grapple with threats from individual fraudsters, organized cybergangs and even nation-states. As always, cybercriminals go where the money is.
Many high-profile thefts hit the headlines all over the world in the past six months. These attacks exploited authentication protocols and mobile application vulnerabilities, and even indicated the presence of organized crime.
In November, Tesco Bank noted suspicious activity on 40,000 of its 136,000 accounts. The U.K. supermarket bank later confirmed that 2.5 million pounds had been stolen from 9,000 accounts. The thieves used brute-force methodologies to test login and password combinations. After breaking into an account, they set up contactless payment accounts with a variety of global retailers.
The bank claimed it wasn’t breached directly, however. Rather, a flaw in the online banking login process Tesco employed left accounts belonging to users who chose weak or reused credentials exposed to the guessing attack. Even so, Tesco should have noticed that the source IP addresses had changed and required additional forms of authentication before granting access.
The takeaway: It’s important to never reuse login credentials, especially for banking or email services. Additionally, always use multifactor authentication when offered.
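The two controls the Tesco incident points to, detecting a burst of failed logins against an account and challenging a successful login from an address the account has never used, can both be driven from the online banking authentication log. The following is an added example written for this post, not code from Tesco or from the original article; the log format, the baseline of known addresses and every account name, IP address and timestamp in it are constructed for illustration.

```python
"""Detection logic for password-guessing bursts and for successful logins
from an IP address the account has never used (the second case is where a
bank should require step-up / multifactor authentication rather than
accept the session outright). Added example; all data is constructed."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log: "ISO-timestamp account source-IP result".
SAMPLE_LOG = """\
2016-11-05T02:00:01 acct1001 203.0.113.10 FAIL
2016-11-05T02:00:02 acct1001 203.0.113.10 FAIL
2016-11-05T02:00:03 acct1001 203.0.113.10 FAIL
2016-11-05T02:00:04 acct1001 203.0.113.10 FAIL
2016-11-05T02:00:05 acct1001 203.0.113.10 FAIL
2016-11-05T02:00:06 acct1001 203.0.113.10 OK
2016-11-05T02:10:00 acct2002 198.51.100.7 OK
2016-11-05T08:30:00 acct2002 198.51.100.7 OK
2016-11-05T09:00:00 acct3003 192.0.2.44 OK
2016-11-05T09:05:00 acct3003 203.0.113.99 OK
"""

# Constructed baseline: addresses each account has previously logged in from.
KNOWN_IPS = {
    "acct1001": {"192.0.2.1"},
    "acct2002": {"198.51.100.7"},
    "acct3003": {"192.0.2.44"},
}


def parse_log(text):
    """Parse log lines into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return sorted(events)


def detect_brute_force(events, max_failures=5, window=timedelta(minutes=10)):
    """Return the accounts that saw at least `max_failures` failed logins
    inside a sliding `window`. A slow trickle of failures spread over
    hours does not trigger; a burst does."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, account, _ip, result in events:
        if result != "FAIL":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(account)
    return flagged


def step_up_required(events, known_ips):
    """Return (account, ip) pairs where a successful login came from an
    address not in the account's baseline. Each new address is reported
    once, then added to the baseline copy so repeats are not re-flagged."""
    baseline = {acct: set(ips) for acct, ips in known_ips.items()}
    flagged = []
    for _ts, account, ip, result in events:
        if result != "OK":
            continue
        seen = baseline.setdefault(account, set())
        if ip not in seen:
            flagged.append((account, ip))
            seen.add(ip)
    return flagged


def high_risk_accounts(events, known_ips):
    """Accounts that match both signals: a guessing burst followed by a
    successful login from a never-before-seen address. This is the
    pattern the Tesco write-up describes."""
    bursts = detect_brute_force(events)
    new_ip = {account for account, _ip in step_up_required(events, known_ips)}
    return bursts & new_ip


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("step-up needed:", step_up_required(evs, KNOWN_IPS))
    print("high risk:", high_risk_accounts(evs, KNOWN_IPS))
```

On the constructed log, acct1001 trips the brute-force threshold and then succeeds from an unknown address, so it is the only account that appears in both lists; acct3003 only needs a step-up challenge for its second session. The thresholds are parameters because the right values depend on the bank's normal traffic, and the step-up check should be enforced at login time rather than run afterwards over the log.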
What a Rip-Off
A Russian gang known as Buhtrap allegedly committed a series of ATM attacks around the world. The FBI issued an alert explaining that these machines would be a prime target of cybergangs, detailing a July 2016 attack in Taiwan in which attackers stole cash from ATMs controlled by the First Commercial Bank. Similar attacks targeting the Government Savings Bank in Thailand followed in July and August. Buhtrap had been testing ATM attacks against Russian banks earlier in the year.
Cybersecurity firm FireEye conducted a comprehensive review of the Ripper malware and noted that the ATMs themselves were wiped clean and new software installed. The new software waits for a card carrying an expected Europay, MasterCard and Visa (EMV) chip, then spews currency, 40 bills at a time.
Once the ATMs are disconnected from the bank’s network, it is difficult to monitor the activity taking place on a given device. Had the firmware required appropriate authentication prior to allowing updates, the results may have been different.
Retailers and vendors alike struggled to protect their point-of-sale (POS) systems from financial fraudsters during the second half of 2016. In November, The Madison Square Garden Company revealed that its POS system had been compromised. According to an official statement, concession stands within the venue had been exposed to cybercriminals from Nov. 9, 2015, through Oct. 24, 2016. Anyone who paid with a credit card at the concession stands throughout the arena during that time is at risk.
The company noted that the cybersecurity firm it had hired to investigate the incident discovered “external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization.”
MSG wasn’t the only one facing cyberattacks. For its part, Oracle Corporation confirmed that its Micros POS system had been breached, allegedly by a Russian organized crime group, in August. The Micros POS system is used in over 180 countries. Oracle simply advised users to change their passwords.
Fast food restaurant chain Wendy’s also suffered a POS breach that enabled cybercriminals to abscond with complete card data. The intrusion began with stolen credentials belonging to a third-party vendor.
These incidents are reminiscent of the POS attacks directed at Target and Home Depot in 2013 and 2014, respectively. Yet here we are several years later, sharing the same stories with different names.
Challenges for Financial Services in 2017
As we head into 2017, financial services organizations should be on the lookout for distributed denial-of-service (DDoS) and ransomware attacks, either of which could produce disastrous results. This looming threat amplifies the need for financial companies to challenge their vendors to demonstrate the security of their systems and implement the necessary telemetry to detect anomalous activity.