
Can your bank stop an e-stickup?
- From: alerts@xxxxxxxxxxx
- To: cybercrime-alerts@xxxxxxxxxxxxx
- Date: Thu, 02 May 2002 15:19:25 -0400

* this message via http://techPolice.com *

Can your bank stop an e-stickup?
By Sandeep Junnarkar
Special to ZDNet News
May 1, 2002, 4:45 AM PT
URL: http://zdnet.com.com/2100-1106-896101.html

Even if you have never banked online, your money may never be completely safe
from an electronic heist.

Nearly every bank in the United States runs its operations on an internal
network that connects to the Internet at some point. Although the banking
industry claims that its security is virtually foolproof, others say that any
technology can be penetrated under the right circumstances.

Electronic break-ins are often carried out with the help of factors that have
nothing to do with technological wizardry, such as an inside source, simple
carelessness, or an intruder's persistence in trying different passwords and
account numbers.

"I don't know how high-tech the hacking is," said Hale Guyer, a special
investigator and member of the Illinois attorney general's Task Force on the
Investigation of Internet Crime and Child Exploitation. "Someone who knows a
system could hack it by sneaking in a back door."

Given the conflicting opinions and dearth of public information on specific
incidents, it is impossible to assess with any certainty how safe one's bank
accounts are online. But one way for people to judge their accounts' security
is to examine how a typical break-in might be carried out.

In interviews with federal regulators, security experts and hackers, some
common patterns emerge. Following are the basic steps a computer criminal is
likely to take to get his hands on your money.

Casing the target

The easiest way to siphon cash from a bank is not to target the bank itself but
to crack into one of the many companies hired by financial institutions to
process bill payments and transactions. In many cases, a bank will allow these
companies to run its entire network.

"In the period of 1998 to 2000, we estimated that 50 percent of non-bank
online banking services had existing vulnerabilities," said James Molini, chief
executive of security firm Brink's Internet Security and a former executive for
data security at First USA Bank. "The numbers have not diminished significantly
since that time."

If the intruder settles on outsourcing companies, the next step would be to
study how the companies process payments and move money. "You would troll
around for a while looking for sites with poor security," Molini said. "When
you find out who has got exposures on how they process payments, you go after
them."

Others said they would focus on small regional banks, many of which have rushed
online to keep up with larger competitors. In their haste, these banks may have
opened gaping holes when altering off-the-shelf security and transaction
software to meet their specific needs.

Bank mergers also create opportunities for computer criminals. Although the
pace of mega-mergers in the banking industry has slowed since the J.P. Morgan
and Chase Manhattan union in 2000, smaller banks continue to join forces,
hoping to remain relevant at a regional level.

"Mergers present unique problems to financial institutions, especially in
technologies," said Mark Rasch, the former head of the U.S. Justice
Department's computer crimes unit. "You have to attempt to fuse diverse
technologies from databases of customers to transaction systems. When you are
going through rapid change, you don't have time to go through every line of
code to determine whether it presents a vulnerability."

In a problem seen often in mergers, an internal search feature in one company's
database may publicly index a critical, private link belonging to its partner,
basically leaving an unguarded back door to a restricted area.

"It is just as likely to involve obscure network structure issues that don't
get noticed until a hacker realizes he has trusted access to an internal
system," said Adrian Lamo, a self-described "ethical hacker." While working
within a company's intranet, he said, "employees don't tend to notice if a
change to firewall rules suddenly allows access to a resource from the outside
world."

The upheaval during mergers can also create irresistible temptations for
disgruntled employees who might have considered breaking into accounts or
other malicious activity, especially if they are uncertain about retaining
their positions after the corporate combination is complete.

"It is a dangerous time because you don't even know who is watching the store,"
Rasch said.

Befriending the insider

Teaming up with an insider or planting someone within the organization is often
a necessary step. A recent U.S. Treasury Department analysis noted that more
than 60 percent of reported computer intrusions involved an insider.

"Transaction systems are so isolated that it is even hard for people whose job
it is to legitimately move money to move it--and that makes it nearly
impossible for outsiders to do it," said Kawika Daguio, an officer with the
Financial Information Protection Association, a security think tank. "Insiders
are the only ones who can make money go where it's not supposed to go."

One kind of insider is a person who may have stumbled upon a glitch unknown to
system administrators. Another type gets a job at the financial company
specifically with criminal intent.

Those who work in the customer service department may try to steal entire
consumer information databases, while others join technology staff to find
weaknesses in the network and software.

From this vantage, doors will open more smoothly and with less notice. Guyer
notes that when law enforcement officials investigate computer crimes, they
invariably find passwords somewhere on paper within five feet of an
administrator's terminal. One former executive at a small bank said that
passwords to the network are even left on Post-it notes stuck on people's
monitors.

This happens because systems that require high security randomly generate
passwords that are difficult to memorize. And most administrators are inundated
with numerous passwords--one for each of the many databases and networks, as
well as for clearance into increasing levels of restricted areas.

The break-in

One strategy is to attack the hardware itself, exploiting notoriously
glitch-prone Web systems to gain access to the servers running the bank's
online operations.

"Most banks run Unix Web servers or Microsoft IIS (Internet Information
Server), and both are prone to remote attacks that can allow a hacker to take
control of the server itself," said David Ahmad, the moderator of the Bugtraq
mailing list, one of the leading e-mail lists dedicated to reports of software
vulnerabilities.

Companies including financial institutions subscribe to the list. In April,
Microsoft issued a security patch to plug 10 new holes that could allow hackers
to take full control of computers running the company's IIS program.

In seizing control of a server, security experts say, a hacker can also modify
any trusted applications to perform malicious operations. An attack that
manipulates such internal applications is more likely to escape notice by the
network's electronic guards.

"Intrusion-detection systems only spot known attacks or behaviors that indicate
a certain class of attack," Ahmad said. "Attacks against a server might be
detected, but a complex application-based attack might look like normal
behavior."

Financial institutions do make it difficult for employees to move money, but
their systems must be flexible enough to work with customers who are not
subject to the same level of scrutiny. This could allow an insider to create a
fake customer transaction and authorization to shepherd the money right out of
a system.

"Those kinds of things work--and work fairly quickly," Molini said. "If they
are able to do this effectively, they can do it to many institutions both
inside and outside the U.S."

The getaway

Security experts say that a theft of $5,000 to $10,000 can be carried out over
a few weeks. Higher amounts of up to $1 million are likely to take four to six
months.

How often such thefts are successful remains unclear. The financial industry
generally claims that insiders are hunted down and prosecuted, but records of
such incidents are often kept out of the public eye to avoid tarnishing the
image of banks that have been robbed.

As special investigator Guyer put it, "The odds are that smaller banks aren't
going to want the notoriety that something went wrong."