Bank payment system robbery highlights need for multifactor authentication


Bank robbery online usually isn’t too different from the in-person version: Robbers get in, grab what they can, and get out.

But late last year, hackers targeting an unnamed Brazilian bank took a different approach. Instead of breaking into customers’ private account information from within the bank’s hardened infrastructure, they rerouted all of the bank’s online activity to fake replica servers—where customers, and their money, unknowingly conducted payments, potential ATM transactions and other business as usual.

It all started on a Saturday afternoon, when the hackers took over the bank’s Domain Name System (DNS) registrations for all 36 of its online properties. They controlled all of the bank’s online operations for five to six hours. It’s possible they redirected ATM and point-of-sale systems to their own servers as well.

Although the Brazilian bank involved in this attack hasn’t been named, the incident demonstrates how widespread the loss from a DNS security breach can be. It also showed that a domain heist can render the usual security measures useless: an encrypted website and a secure network aren’t much help when your customers have been unknowingly routed to a criminal’s lookalike site. And unfortunately, it’s not just large financial institutions that need to watch their backs.

According to analysts at Beazley Breach Response (BBR) Services, banks and credit unions with less than $35 million in annual revenue accounted for 81 percent of security breaches in 2016. The report notes that these smaller firms tend to have less robust data security and fewer experienced personnel than larger banks. Given the sophistication of today’s hackers, if we’ve learned anything from this and other recent security attacks, it’s that customers need more than just a password to protect their accounts.

Many financial institutions have accepted hacking as an inevitability, resigning themselves to a reactive approach when attacks occur, rather than investing in preventative solutions. A great number of banks—half of the top 20 ranked by total assets, in fact—simply hand the problem over to someone else to handle. Instead of managing their own DNS, these banks leave it to a potentially vulnerable third party to protect. One reason for this lackadaisical attitude may be that banks don’t realize just how simple it is to deploy an ounce of prevention.

In the case of the Brazilian bank hack, for example, a simple one-time password or push authentication would have alerted DNS administrators to the problem before the hackers were able to take control of all of the systems. And even if the hackers had made it into the DNS account, action-based two-factor authentication would have stonewalled them from performing sensitive actions such as changing nameservers or issuing certificates.
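To make the action-based idea concrete, here is an added example (not code from the article or from any registrar) of a hypothetical DNS control panel that requires a fresh TOTP code for every sensitive change, consumes each code so a captured one cannot be replayed, and logs denied attempts for alerting. The zone data and the `DnsAdminPortal` class are constructed for illustration; the TOTP routine follows RFC 6238.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP (HMAC-SHA1, 30 s steps), the scheme authenticator apps implement.
def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32)
    msg = struct.pack(">Q", timestamp // step)          # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

# Actions that can redirect customers or let an attacker obtain TLS certificates:
# each call needs a second factor, not just the login that happened hours ago.
SENSITIVE_ACTIONS = {"change_nameservers", "change_a_record", "issue_certificate"}

class DnsAdminPortal:
    """Hypothetical registrar control panel with action-based step-up 2FA."""

    def __init__(self, admin_totp_secret_b32: str, step: int = 30):
        self.secret = admin_totp_secret_b32
        self.step = step
        self.used_counters = set()   # each 30 s counter is accepted at most once
        self.zone = {"bank.example": {"NS": ["ns1.bank.example"]}}  # constructed zone
        self.audit = []              # feed DENIED entries to the on-call alerting

    def _verify_otp(self, otp: str, now: int) -> bool:
        # Allow one step of clock skew either way, but burn the counter on success
        # so a code phished or shoulder-surfed from the admin cannot be reused.
        for drift in (-1, 0, 1):
            counter = now // self.step + drift
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected.encode(), otp.encode()) \
                    and counter not in self.used_counters:
                self.used_counters.add(counter)
                return True
        return False

    def apply(self, action, domain, record_type, value, otp=None, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if action in SENSITIVE_ACTIONS and (otp is None or not self._verify_otp(otp, now)):
            self.audit.append(("DENIED", action, domain, value))
            return False
        self.zone.setdefault(domain, {})[record_type] = value
        self.audit.append(("APPLIED", action, domain, value))
        return True
```

A real deployment would also rate-limit `apply`, bind the code to the specific change being approved (push authentication does this naturally), and alert on every DENIED entry rather than only logging it.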

Regardless of who controls a bank's DNS, security precautions like two-factor authentication (2FA) make it far more difficult for hackers to gain access. In fact, despite the sophistication of the Brazilian bank attack, the entire theft could have been averted if users were required to provide a second form of authentication beyond a single password. Advanced 2FA services are very easy to implement without detracting from the customer experience. And when it comes to sensitive login and transactional information, studies show that customers appreciate a more secure process.

The stakes for financial institutions are incredibly high. As long as there are funds to steal, there will be hackers trying to break in. A single security breach can kill a brand, and take customer trust along with it. In the age of modern bank robbery, it’s critical to learn from past disasters, and protect customers from malicious attacks with more than just a password.
