Cybercrime may cost Polish banks up to PLN1bn

The financial sector is trying to reach the customer in all possible ways but more channels mean higher risk of cyberattack, warns Przemysław Skowron from White Cat Security

(Christiaan Colen, CC BY-SA)

CE Financial Observer: The cybercriminals stealing our money are apparently successful because we are reckless.

Przemysław Skowron: When we use electronic banking, the speed of the connection is what matters. So we are less focused. We want to authorize a transaction in the fewest number of steps.

In addition, the banks are trying to present offers to customers using new routes and as quickly as possible. E-mail, SMS or electronic banking, even before we log in, after we log in, or when we are making a transaction.

For example?

We are making a transfer to another bank in order to set up a favorable deposit there, because we have found an offer for a deposit carrying a 2.5 per cent interest rate. Then a window pops up with the information: “Open a deposit account with us, we’ll give you 2.7 per cent”. It is natural that the bank doesn’t want the funds to go to another bank, but this situation is exploited by criminals acting in exactly the same way. The message of a person pretending to be the bank is sent in the same way, in order to trick the customer into performing some non-standard activity. For example, to provide identity data, an authentication code, etc.

Banks want to reach customers at all times and everywhere and rely on access through different channels. Is that bad?

The problem is that the financial sector is creating an increasing potential. And as that potential increases, the space for attacks also increases. The more channels, the greater it is.

Are all channels equally dangerous?

The web channel, that is, the traditional electronic banking, is the most effective channel for criminals. Because there are higher limits for operations than, for example, through a telephone, the criminals have the potential access to a larger sum of the client’s money.

We are frequently hearing about the dangers associated with attacks on smartphones.

Across the world attacks on mobile devices are much more popular than in Poland. They are a good channel of attack, since for the purpose of authentication most banks use SMS messages which are sent to the same device, or mobile tokens, which are located on the same device as the application. Criminals try to attack mobile devices by persuading the customer either to provide an authentication code or to authorize an operation substituted in the place of the one he actually wants to authorize.

Over time the limits for mobile transactions will grow, as that is what the customers want, and the banks will go along with that.

That is probably correct. In addition, more transactions will be executed here and now by companies, mainly small and medium-sized enterprises (SMEs).

The banks want us to pay quickly and impulsively. Is there a conflict of interest between the increasing number of transactions and security?

To some extent there is. Fast transfers from a mobile device or even credit cards, which now also have the form of mobile devices, are payments for relatively small amounts. If we were to prepare a risk analysis, it is relatively unprofitable for criminals to attack low-amount payments. Of course, if the scale were huge, that would provide a return on the investment, but an attack on a large scale is an immediate big investment.

Besides, quick transfers are no less protected by the banks than the traditional transfers. You can give the client the speed of the transaction, as an attack on it is less likely. On the other hand, I suppose that the banks will be more willing to cover the customers’ losses in the case of such payments.

Some analysts believe that criminals will target small and medium-sized enterprises.

At the moment, there are still no spectacular attacks on clients from the SME sector with the use of the mobile channel. However, using the efficiency key, that is, based on where it is easiest to steal the most, it may turn out that the sector of small and medium-sized enterprises is the best. Although I am not sure if this applies to the mobile channels. It is potentially easier to attack an accountant who is using a classic PC at work.

Who should be more afraid: individual or corporate clients?

The corporate clients. Criminals segment their victims in the same way as banks segment their clients. So there will be attacks on specific companies, which, for example, announce in public reports what sums of money they are turning over and what contracts they are signing. But there will also be attacks targeting individual clients, as long as they have something interesting on their account. And criminals have already noticed that customers in Poland have quite a lot of money.

So the affluent people should be more afraid?

An average Pole has about PLN10,000 on the bank account. This amount satisfies the attacker, especially since attacks on individual customers are simple and cheap. Some criminals are already segmenting individual clients, singling out the wealthiest group.

Are companies also segmented?

Yes. In the corporations the transfer acceptance processes are becoming more complex, which means that attacks are more difficult and require more and more resources. Therefore, attacks on SMEs may prove more cost-effective. In that group, out of several attempted attacks, two or three may prove successful. In the case of corporations, with the same expenditures, the attack may fail.

Procedures provide protection to corporations but at the same time slow down the transactions. If we make the procedures less cumbersome in order to accelerate them, do we expose ourselves more?

Where larger sums of money are involved, the banks themselves are slowing the operations down. They require the completion of acceptance schemes. They give the clients a better chance to defend themselves. But there are also gaps in the application of the procedures. Let’s say that transfers must be authorized by two people. In practice, it sometimes happens that the first person enters all the transfers according to the invoices which the company has to pay, and the other accepts them somewhat blindly. If the worker who enters the transfers was attacked, the other worker does not impede the theft. We could even say that he will assist the money in leaving the account.

CERT Poland has calculated that there are approximately 150,000 bots in Poland, or computers taken over by criminals, and at least ten networks connecting them, known as botnets. Is that a lot?

I have a problem with the interpretation of these calculations, because a single IP address (the IP addresses are the basis for the calculation presented by CERT) does not necessarily mean a single device. The question arises of whether all devices under a single IP address are infected or just one. This is very difficult to answer.

Another problem is also what portion of the botnet CERT sees. Whether it is 90 per cent, or 100, or just 30 per cent. If we knew that, we would know how many bots there are in the botnets. We don’t know whether the bots are targeted at a specific, single attack, or whether the bot steals everything it can. We do not know whether it attacks the client of bank X or bank Y. If it only attacks the client of bank X, then the client of bank Y is “safe”, until the role of that bot changes. And when it changes, then he has a problem. I am convinced that the botnets are at least as big as CERT Poland is indicating.

Is it possible to assess the scale of that risk?

I tried to estimate it, to allow every bank, which after all knows very well how much money its clients have on their accounts and in the financial products, to be able to independently calculate that. Each bank can now say how wrong I was.

What was your result?

The potential losses of the financial sector in Poland amount to PLN1bn. This is the amount held in all banking products by the clients who come into contact with devices taken over by attackers, such as an infected computer, wireless router or a mobile device.

Are banks treating the situation seriously enough?

They are trying to protect clients, especially the corporate clients. For example, PKO BP is organizing meetings for them and trying to instill a hygiene of proceedings. The idea is that the bank should not be the last line of defense.

Are there any results?

It is difficult to talk about the results, because we would have to see the statistics, and also the context of the particular events. We do not have access to this information and we can only presume. Even if someone presents some figures, he is well aware that he cannot reveal the whole context, as that is covered by confidentiality agreements. We can compare the number of attacks year to year, we can try to link them according to certain keys, but we have no clear answers.

Where else is an accumulation of risk?

Systems of electronic banking are becoming increasingly similar to each other. Not in the application layer, which the client sees. They differ in that respect. The systems have many common features at the level at which the attackers are preparing their attack. As a result, the preparation of an attack on one bank can really mean that it is almost ready in the case of several other banks.

If the criminals changed the command “attack client of bank X and clients logging in to four other banks” in the configuration of their bot, the attack could work immediately. Then they do not have to incur the cost of preparing an attack on five banks, but only on one, with a small addition. This could mean that the attacks will be targeting an ever greater number of banks.

The representatives of the Polish Financial Supervision Authority urged banks to take this risk into account. Do you assess this risk as serious?

We have almost 40 commercial banks and over 500 co-operative banks, and there are three or four providers for the entire country. This means that by preparing an attack on one bank, we are practically ready to attack over 100 other banks. While there is indeed less money in the cooperative banks, the scale is bigger and we can reach very high amounts.

What can the banks do?

The structure of the attacks is such that most of them can be monitored or effectively prevented with the use of the technology embedded in the web applications. Electronic banking uses network applications, and they in turn use HTTP. There are many tools built into HTTP which enable us to counteract the attachment of additional code to the bank’s website by the attacker.

CSP (Content Security Policy), HSTS (HTTP Strict Transport Security) and HPKP (HTTP Public Key Pinning) are mechanisms which can monitor the status of electronic banking and send signals to the bank, if something has been modified on the client’s side. They can also prohibit the device from running the code, with which it was infected. The form attached to our electronic banking by the criminals will not be displayed, and the client may even receive a signal that something inappropriate happened on his computer.

Why aren’t banks doing that?

The banks are utilizing these possibilities, but there is less enthusiasm among the suppliers of electronic banking. There are claims that these security features can certainly be circumvented. Everything can be circumvented in some way. But we are setting the bar at a different height. The cost for the entity introducing the product is small, whereas the cost for the entity preparing the attack increases. That is the point.

This additional layer of protection does not guarantee that the attacks will be less effective forever. But it guarantees that attacks designed in the way utilized today will be less effective.

Maybe it’s about the protection of privacy? Banks are reluctant to install anything on the client’s computer.

When a bank activates a CSP, it only sends an instruction to the client’s browser that, when someone is trying to attach a form from a domain other than the domain of the electronic banking, the browser has to reject this action or to inform that “something” (this form) has been attached to the client’s computer. There’s no interference with privacy; the bank does not receive any information about what the client is doing on his computer. There is no access to the client’s private data.

Are the training courses which teach how to respond to attacks on organizations having any effect?

Exercises in the field of cyber security are just as important as physical exercise is in order to maintain fitness. Interestingly, those that go wrong are more useful than those that end in success. Success may mean that we have not selected the target of the attack in the best way, or that we have people on board who cope well in unfamiliar conditions.

It is best to choose exercises with a situation that we haven’t yet dealt with. Organizations tend to cope with already known incidents; they already have a prepared procedure. It is therefore important to select such scenarios for which there are currently no procedures. Exercises allow us to verify, through the process, procedures and in practice, whether we are able to respond to incidents which we fear most but do not come across every day.

Would it be worth creating special units in Poland designed to fight cybercrime?

Such units are the most effective. We should keep in mind that the development of such a unit could take two, three, or four years of work. It is also important to ensure that the teams which are involved in the monitoring and handling of security incidents specialize not only in the areas in which they want to be good, but also in the areas in which they should be good.

I have encountered the opinion that biometrics will ensure our safety.

We will see in the testing stage. Until biometric solutions pass functional testing and security testing, we will not be certain as to their effectiveness. The results in the tests vary. For example, someone touches the sensor with the finger ten times, out of which seven times the system identifies him, and three times he is rejected.

There is no issue if you have to touch your smartphone once or twice more. But at the business level that is a problem, because it could mean, for example, that an ATM will not accept my authorization, because it decides that I am not me. And then the anti-fraud systems receive a signal that a criminal, and soon after the proper owner, tried to withdraw money from the same ATM several times. They can start learning bad patterns. If these systems are well prepared, it may be that biometrics which do not provide certainty will demoralize them.

White Cat Security is a company that deals with the strengthening of electronic security systems.

Open license