The arrest of eight people in New York who took part in a global $45 million ATM cash-out attack revealed, once again, some hard truths about the cyber security posture of financial systems and of the enterprises that operate essential payment infrastructure.
First, the organization and sophistication of the attackers continue to improve. These are global organizations staffed by professionals with the resources, talent, and patience to identify and compromise high-value targets in the financial ecosystem. In this case, the targets were a pair of prepaid card processors, one in India and the other in the U.S.
Prepaid processors are particularly valuable targets. If you can spearphish your way into a prepaid processor by identifying key individuals and sending them malware-laden email, you can remove usage controls such as withdrawal limits and reset prepaid purse balances to enormous amounts. Who needs a debit card tied to a real bank account when you can top up a prepaid card account on a grand scale?
Two weeks before those arrests, at MasterCard's Global Risk Management Conference in San Diego, two sessions addressed the ATM cash-out scam. The message was consistent: the attacker is resourceful, sophisticated and patient, skilled both in exploiting human fallibility via phishing and in making the most of technical weaknesses.
While the forensic findings from the great ATM cash-out of 2013 have not (so far) been made public, I surmise, based on remarks at the MasterCard event, that some combination of the following was in play:
- Spearphishing opened the door: social media data was used to identify the specific individuals most likely to hold access credentials to the processing platform, and malware-carrying email was the vector.
- Once the malware was installed, the attackers carefully mapped the processor network. One of their favorite files to search for is the victim's own network map diagram.
- Tools are uploaded to examine how applications and data are organized. Anti-virus software is disabled. Files and databases containing user names and passwords are sought. Card track data and the holy grail, PIN data, are compromised if they are stored at all (PCI DSS forbids storing either after authorization, which is exactly why it matters when a processor does). PIN values are then reset to values the attackers know.
- Once the attack is underway, the hack operators, still in control of the processing platform, monitor the cash-out operation's progress in real time, refilling prepaid purse values as needed.
- In some cases, the attacker carefully resets purse balances to their pre-attack values and cleans up as many footprints as possible. Other attackers, confident of their invisibility, don't steal everything at once, only small amounts over a long period of time.
The pity of all of this, according to the forensics experts, is that attacks like these succeed because target companies fail to follow basic security practices. The list of classic weaknesses has hardly changed in a decade: unpatched database software and applications vulnerable to SQL injection, misconfigured web servers, out-of-date software (Windows 2000 Service Pack 4 was cited), weak access controls on sensitive data, decryption software and keys stored alongside the encrypted database, and the famously insecure, plaintext Unix telnet remote login utility still enabled.
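The first weakness on that list, shown as an added example that is not code from the post or from any processor it mentions: a prepaid-purse top-up that builds its SQL by string formatting, beside the parameterized form. The SQLite schema, the `purses` table and its columns, the card numbers and the amounts are all constructed for the demo.

```python
"""SQL injection in a prepaid-purse top-up: vulnerable vs. parameterized.

Added example; the schema, table name and sample rows are constructed
(assumptions for the demo), not a real processor's data model.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample purse table with three small balances."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purses (card TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany(
        "INSERT INTO purses VALUES (?, ?)",
        [("4111000011110001", 50), ("4111000011110002", 20), ("4111000011110003", 0)],
    )
    conn.commit()
    return conn


def topup_vulnerable(conn: sqlite3.Connection, card: str, amount: int) -> int:
    # The card value is spliced into the statement text. Casting 'amount' to
    # int protects that field, but 'card' can still rewrite the WHERE clause.
    cur = conn.execute(
        f"UPDATE purses SET balance = balance + {int(amount)} WHERE card = '{card}'"
    )
    conn.commit()
    return cur.rowcount


def topup_safe(conn: sqlite3.Connection, card: str, amount: int) -> int:
    # Parameterized: the driver binds both values; user input can never
    # become part of the SQL grammar, so only an exact card match is updated.
    cur = conn.execute(
        "UPDATE purses SET balance = balance + ? WHERE card = ?", (int(amount), card)
    )
    conn.commit()
    return cur.rowcount


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT card, balance FROM purses ORDER BY card"))


def demo():
    """Run the same injected 'card' value through both versions."""
    # A classic payload: closes the quoted literal and adds an always-true OR.
    payload = "x' OR '1'='1"
    vuln = make_db()
    rows_vuln = topup_vulnerable(vuln, payload, 1_000_000)   # every purse updated
    safe = make_db()
    rows_safe = topup_safe(safe, payload, 1_000_000)         # no purse matches
    return balances(vuln), rows_vuln, balances(safe), rows_safe


if __name__ == "__main__":
    vb, rv, sb, rs = demo()
    print("vulnerable:", rv, "rows changed", vb)
    print("parameterized:", rs, "rows changed", sb)
```

The injected value turns `WHERE card = 'x'` into `WHERE card = 'x' OR '1'='1'`, so one request adds a million to every purse in the table; the parameterized version treats the whole string as a card number, matches nothing and changes nothing. The fix is the query shape, not input filtering.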
One of the recommendations from the MasterCard security event was real-time monitoring for events such as unusual prepaid balance and PIN resets, not to mention network egress activity. But that only works if someone is there to react to the alarms. Both attacks took place at night, one over the Saturday night of a holiday weekend. Even security people have to sleep! Post-breach forensics are made harder because event logging is either disabled or the log files are overwritten too frequently.
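What that monitoring recommendation looks like as detection logic, as an added example rather than anything shown at the event: three rules run over a constructed processor audit log, flagging balance jumps, sensitive operations outside business hours, and bursts of PIN resets by one operator. The log format, the thresholds and the operator names are all assumptions for the demo.

```python
"""Detection rules for prepaid balance and PIN-reset events (added example).

Log format is an assumption: "<ISO ts> <operator> <event> card=<pan> [old=<n> new=<n>]".
Thresholds below are demo values, not figures from the conference.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample audit lines: a normal business-day pair, then an
# overnight run of balance resets and PIN resets by one service account.
SAMPLE_LOG = """\
2013-02-19T14:02:11 alice BALANCE_SET card=4111000011110001 old=50 new=100
2013-02-19T14:05:40 bob PIN_RESET card=4111000011110002
2013-02-20T02:13:05 svc_batch BALANCE_SET card=4111000011110003 old=0 new=1000000
2013-02-20T02:13:06 svc_batch PIN_RESET card=4111000011110003
2013-02-20T02:13:07 svc_batch PIN_RESET card=4111000011110004
2013-02-20T02:13:08 svc_batch PIN_RESET card=4111000011110005
2013-02-20T02:13:09 svc_batch PIN_RESET card=4111000011110006
2013-02-20T02:13:10 svc_batch PIN_RESET card=4111000011110007
2013-02-20T02:13:11 svc_batch BALANCE_SET card=4111000011110004 old=0 new=1000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>\S+) (?P<event>\S+) card=(?P<card>\d+)"
    r"(?: old=(?P<old>\d+) new=(?P<new>\d+))?$"
)

BALANCE_JUMP = 10_000                       # single-step increase worth an alert
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=60)
NIGHT_START, NIGHT_END = time(22, 0), time(6, 0)
SENSITIVE = {"PIN_RESET", "BALANCE_SET"}


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise (malformed lines are skipped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["old"] = int(ev["old"]) if ev["old"] is not None else None
    ev["new"] = int(ev["new"]) if ev["new"] is not None else None
    return ev


def off_hours(ts: datetime) -> bool:
    """Weekend, or between 22:00 and 06:00 on a weekday."""
    t = ts.time()
    return ts.weekday() >= 5 or t >= NIGHT_START or t < NIGHT_END


def detect(log_text: str):
    """Yield (rule, operator, card) alerts for the three rules."""
    alerts = []
    recent = defaultdict(deque)   # operator -> timestamps of PIN_RESETs in the window
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "BALANCE_SET" and ev["new"] - ev["old"] > BALANCE_JUMP:
            alerts.append(("balance_jump", ev["op"], ev["card"]))
        if ev["event"] in SENSITIVE and off_hours(ev["ts"]):
            alerts.append(("off_hours", ev["op"], ev["card"]))
        if ev["event"] == "PIN_RESET":
            q = recent[ev["op"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > BURST_WINDOW:   # drop resets outside the window
                q.popleft()
            if len(q) == BURST_COUNT:                     # fire once as the threshold is reached
                alerts.append(("pin_reset_burst", ev["op"], None))
    return alerts


def summarize(log_text: str) -> dict:
    """Alert counts per rule, for a quick check of what the sample triggers."""
    counts = {}
    for rule, _, _ in detect(log_text):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(summarize(SAMPLE_LOG))
```

On the sample the daytime lines are silent and the 02:13 run produces ten alerts: two balance jumps, seven off-hours sensitive operations and one PIN-reset burst. The rules are deliberately simple; the harder part, as the paragraph above says, is that the alerts must reach someone awake, and that the audit log must survive long enough to be read. Stream these events to a log store the processing platform cannot delete or overwrite.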
Wider EMV deployment will make this kind of attack harder, but the magstripe will be with us for at least another decade or two. And EMV protects the card at the terminal, not the host: if hackers can remove security controls at the network level and inside the processor that approves the withdrawal, even EMV controls are weakened. Perfection at the payment perimeter is a long way off.
With so many points of failure, perimeter defenses are not enough. One of the speakers at the recent MasterCard event, Shawn Henry, president of CrowdStrike Services and a former Executive Assistant Director at the FBI, emphatically made the point that chief information security officers (CISOs) have to assume hackers have already penetrated their defenses and focus on controlling the damage by monitoring network egress points and tightening internal controls on enterprise resources.
Internal controls that require stronger authentication, as well as broader encryption of data assets, have to be on the agenda for CISOs as well as for global internet-scale operators like Google and PayPal. Both companies are attempting to replace user IDs and passwords with far stronger authentication methods. At this week's Internet Identity Workshop, Google unveiled a new five-year plan anchored by greater reliance on the smartphone as both an identity attribute provider and an active participant in authentication.
If "identity is the new money", then stronger authentication will be one way that money is made, even as it protects the old money we already have. We are going to see competitive, vendor-specific authentication schemes that both compete and cooperate with more open approaches from the likes of the FIDO Alliance. The appeal of federated authentication includes sharing deployment and operational costs across more users and more use cases. That economically rational approach will run into the real security requirements of particular applications, and into the desire of each party to gather data, if not to exert outright control.
Now that everyone recognizes the failure of the password-based model, authentication technology is entering a new phase of innovation that will have a major impact on payments. Even though the U.S. is just getting around to deploying nineties-era EMV technology, it is time to build the next generation if we hope to further expand e-commerce and mobile payments.
Authentication, and the cost of authentication services, is a key focus area at Glenbrook so check back for more on this subject or contact me directly.