Beating the 'Swift hacks' starts with better authentication
The Swift money transfer network, which connects 11,000 global banks in over 200 countries, was used to steal $81 million from the central bank of Bangladesh, and similar hacks followed.
Although the infiltration strategies continue to evolve and become more clever, many banks and issuers are still trying to protect themselves using traditional defensive measures. These strategies weren’t working when they were initially deployed and they aren’t working now.
As long as banks and financial institutions continue to provide online services, they will be vulnerable and continue to be hacked. Better authentication and confirmation mechanisms are a great place to start.
Finance organizations serious about protecting their customers require two-factor authentication, which involves the mobile phone when logging in to transfer money. As an added measure of protection, when making a payment to a new vendor that isn’t already in the customer’s profile, a text message is sent to the customer’s phone with a code that must be entered into the online profile. For a hacker to compromise this process, they would have to hack both the customer’s computer and their mobile device.
In the case of the Swift heist, analysis of the code repository uploaded from Bangladesh showed that the malware allowed the hackers to delete records and intercept incoming messages. As a result, the hackers were able to intercept confirming messages sent for printing as a security measure. Sending instead “manipulated copies,” thus evading detection and potentially running away with huge sums of money.
Sending an email for confirmation on a money transfer is not ideal. A better strategy is the combination of entering data received via text on a separate device into a secure web site. This is currently one of the best forms of security because once a machine has been compromised as in the Swift incident; the infection could have access to everything on the PC, including email.
An even better authentication process might be adding in human intervention. Unresolved attacks cost organizations an average of $21,155 per day. This is a hefty multiplier when you consider that it takes more than four months to resolve targeted attacks plus the even longer amount of time leading up to the actual detection. The $21,155 savings per day would go a long way toward a call center with few dozen more people on the payroll to confirm money transfers and help avoid electronic thefts like the one against Swift.
Late last year, Swift announced a global payment initiative focusing on developing a blockchain road map used by bitcoin. Innovative changes like this demonstrate promise for securing the banking industry.
Beyond building better authentication processes, the finance industry should be off loading the logs that hold evidence of every transaction. In other words, all details on every business critical device should be sent in real time to some type of SIEM. Even the traffic generated by the critical devices (such as NetFlow) should be archived off for routine threat detection and future investigations.
Logs are often the first thing requested when embarking on incident response. Immediately after asking a few questions about the compromise, the security team will want to query the flow collection server or SIEM. These combined systems contain all of the events that occurred on each mission-critical system.
To add additional security, a UDP Forwarding appliance should be inserted between the devices sending logs and the flow collector or SIEM. A UDP forwarder can make duplicates of UDP packets forward them onto multiple collection systems without modifying the source IP address. As a result, in order for an infection to remove the evidence maintained in the logs, it would have to hack the UDP Forwarder to find out where the messages are going and then hack each collection server. Most infections won’t do this and move on to easier targets.
The faster the answers can be sought out, the lower the cost of the security event. To improve speed, security teams need context-aware security analytics, a process of poring through logs and other pieces of information and correlating it with other sources to make it comprehensible and actionable.
Context can come in the form of NetFlow, syslogs, proxy records, Amazon AWS logs, DNS lookups, URLs visited, username directories, PTAM information — pretty much anything that can correlate with a device is context. The differentiator between competitive systems is how easily you can pivot from one piece of context to another. Simplicity and speed result in a shorter mean time to know.
There will never will be a 100% reliable cyber-protection solution for our financial deposits. There is only “reasonably good” or “better than other banks” protection. If your institution has the best protection, hackers will usually go after an easier target.
Better authentication, off-loading logs and improved context will all contribute to strong security.