Uncover how the $1 billion Carbanak heist could be avoided

By Stanley Harmsen van der Vliet, 13 March 2015

Alleged hackers have struck again, infiltrating numerous banking systems and stealing up to hundreds of millions of dollars in 30 different countries. Security firm and anti-virus maker Kaspersky revealed a new modus operandi that clearly shows how cyber criminals were able to penetrate core systems, affecting more than 100 banks. They successfully targeted banking systems with advanced malware and without any insider information.

These attacks started with a simple spear phishing attempt. Cyber criminals began by gaining entry into an employee’s computer and then systematically tracked down the administrators’ computers, using sophisticated malware to secretly monitor the banks’ core systems over long periods of time. The malicious software used various techniques, such as keystroke loggers and widely available surveillance tools, to feed the attackers the right information.

This was not the first time that hackers figured out a way to gain access to the inner workings of a bank’s system. In previous cases, such as RAKBANK in 2013 and Citibank earlier in 2011, serious security vulnerabilities were identified, otherwise known as Advanced Persistent Threats (APTs).

APTs are very difficult to catch. Using malicious software, the hackers can infiltrate the banking system and try to impersonate the normal behavior of the back office’s internal process. Most common fraud prevention solutions only look for irregularities in customer accounts and card transactions and are NOT looking at the internals of a banking system. Hackers who have learned the internal process from the “inside out” can silently monitor the behavior and subtly defraud the back office systems without being caught.

What can banks do to detect advanced persistent threats?

The best way to detect infiltrated systems is through value chain integrity management. Value chain integrity provides the ability to compare changes with other relevant information, such as who made the change and what process was used. This allows the bank to quickly determine whether a change was based on a genuine source or request. In other words, every change made within the system has to be related to a previous step in the process. Any change that cannot be related to a genuine source, and any steps in between, should be stopped for further investigation.

“The best approach to detect Advanced Persistent Threat attacks is by implementing a so-called Value Chain Integrity Monitoring solution.”

“To monitor the integrity of a value chain, we always recommend the implementation of a two-step approach,” says Dr. Andreas Meyer, Director Risk & Fraud at INFORM. “First by validating the legitimacy of every process step and secondly, by validating the processed data. Therefore, we advise financial institutions to take a holistic approach and monitor the entire value chain. It is important to start from the beginning when a financial institution receives an order from a customer and then continue to follow through right up to the final step of execution.”

Payment Integrity 

 

Let’s take online banking as an example. For every step in the process you need to have a genuine request, starting from the initiation of a payment order by the customer and continuing right through the process of settlement. This way, any unusual change in the cycle, such as manipulating the beneficiary account number, will be detected by the value chain integrity monitoring system. Criminals who have infected the internal system with malware would be prevented from changing the data unless they were in control of the entire value chain. “This would be very unlikely to happen,” says Wiebe Fokma, Senior Consultant at INFORM. “In a real case scenario, a hacker might be able to infiltrate an access point that is specific to an accounting system or process but he would never be able to control the entire banking system; the risk of that is close to zero,” adds Wiebe.


Process Integrity 

 

Process integrity monitoring is another approach to protect the value chain of a bank. This detection technique allows the tracking and tracing of every step of the process. For example, when a customer requests to raise his credit limit, the process integrity monitoring will check whether every process step and event has been executed correctly. When an intruder is able to get direct access to the credit limit administration or customer database, he could never make a change without being detected. Once again, the process integrity tool would trace back every single step as part of the service agreement and alert the bank whenever a change request was made without a 100% process validation score. “By looking at the log files of every system involved, we can determine in real-time whether a request started legitimately. Although criminals can hack the banking system, they are unable to control every individual step between front office and back office,” continues Wiebe Fokma.
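
The two checks described under Payment Integrity and Process Integrity, as an added sketch that is not INFORM's or RiskShield's code: each event must follow the expected previous step, and the beneficiary and amount must still match the customer's original order. The step names, event fields and sample events are constructed assumptions.

```python
# Added illustration: step names, fields and events are constructed
# assumptions, not RiskShield's data model or any bank's log format.
from collections import defaultdict

# Hypothetical value chain, from customer order to final execution.
CHAIN = ["customer_order", "authorisation", "booking", "settlement"]

# Constructed events (payment id, step, beneficiary, amount), in time order,
# as they might be merged from front-office and back-office logs.
EVENTS = [
    ("P1", "customer_order", "ACC-1001", 250),
    ("P1", "authorisation", "ACC-1001", 250),
    ("P1", "booking", "ACC-1001", 250),
    ("P1", "settlement", "ACC-1001", 250),
    ("P2", "customer_order", "ACC-2002", 900),
    ("P2", "authorisation", "ACC-2002", 900),
    ("P2", "booking", "ACC-6666", 900),      # beneficiary altered internally
    ("P2", "settlement", "ACC-6666", 900),
    ("P3", "booking", "ACC-6666", 5000),     # no customer order behind it
    ("P3", "settlement", "ACC-6666", 5000),
]

def check_value_chain(events):
    """Return {payment_id: [findings]} for payments that break the chain."""
    progress = {}                 # payment id -> index of next expected step
    origin = {}                   # payment id -> data as the customer ordered it
    findings = defaultdict(list)
    for pay, step, beneficiary, amount in events:
        nxt = progress.get(pay, 0)
        # Check 1: legitimacy of the process step.
        if nxt >= len(CHAIN) or step != CHAIN[nxt]:
            findings[pay].append(f"{step}: no genuine preceding step")
            continue
        progress[pay] = nxt + 1
        # Check 2: integrity of the processed data.
        ordered = origin.setdefault(pay, (beneficiary, amount))
        if beneficiary != ordered[0]:
            findings[pay].append(f"{step}: beneficiary differs from customer order")
        if amount != ordered[1]:
            findings[pay].append(f"{step}: amount differs from customer order")
    return dict(findings)

if __name__ == "__main__":
    for pay, problems in check_value_chain(EVENTS).items():
        print(pay, "HOLD for investigation:", problems)
```

Payments with any finding would be held for investigation rather than settled; a payment whose every step links back to a genuine customer order with unchanged data produces no findings.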

 

Banking operations are very complex environments, posing many challenges in operational efficiencies, customer conveniences, regulatory requirements and risk management controls. “Value chain integrity monitoring, we believe, is the next step in ensuring better protection of a bank’s core values and the security of their customers,” says Wiebe. “Not only can hackers be detected but also rogue employees, which is critical as well.”

Value chain integrity monitoring is nothing new in the market. In supply chain management, this concept has been successfully used for years to increase the quality and efficiency of production planning and logistics. INFORM has been a market leader in this area for many years. RiskShield delivers financial institutions a reliable solution that can find any abnormality in the banking and payments operations as well as stop both external and internal related fraud in real-time. In addition to RiskShield's real-time capabilities in customer behavior monitoring and web anomaly detection, value chain integrity management is the next level to further optimize the bank’s security in payment operations, online services and customer protection.

“The Carbanak attack, which resulted in a multi-million dollar loss, could have been avoided by monitoring for anomalies in the internal payment process,” says Wiebe Fokma. “By using INFORM’s technology, the infected part of the payment system would have been discovered. RiskShield's value chain integrity monitoring would track and trace every step in the process cycle and block transactions that do not comply with the criteria of integrity.”