Ripe for Disruption: Bank Authentication

One thing that still drives me crazy, and doesn’t seem to have changed with banks, is the way they handle fraud detection with the customer. Their sophisticated algorithms detect fraudulent activity, flag it, suspend the card and give you a call, leaving a message identifying themselves as your bank and asking you to call back a number which is not the one printed on the back of your credit card.

So, if you’re like me, you call back the number given in the voice message and have this conversation:

Hello this is Bank A’s fraud detection team, how can I help you today?
Hi, quoting reference 12345.
Thank you, I need some verification details first. Do you have your credit card details to hand?
I do, but this number I was asked to call was not on the back of my card, so I need some evidence from you that you are who you say you are first.
Unfortunately, I don’t have anything that would help there.

So then you have to call the number on the card, and then get passed from pillar to post until you reach the right person.

How is this still the case in 2016, and why have no thoughtful disruptive folk thought up an alternative? Could this be done on the blockchain (only half sarcastic here)? I’d love to see banks, or anyone, doing this better.

A simple alternative would be for them to hold a safe word for each client, I should think, which the caller quotes to confirm to me that they are who they say they are. It seems silly that they can’t give some piece of information (it doesn’t even have to be private information) that would show who they are, but that only a customer would know.
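The weak spot in a fixed safe word is that it has to be spoken aloud, so it is only as secret as the last call in which it was used, and a phisher who hears it once can open with it next time. The sketch below is an added example, not the author’s proposal or anything a bank is known to run: the customer’s app generates a fresh challenge for each call, the bank’s agent reads back a short code computed from a per-customer secret and that challenge, and only once that checks out does the customer answer with a code of their own. The shared secret, the hypothetical app, and the six-digit format are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical per-customer secret provisioned into the bank's app when the
# account is opened. Constructed for this example only; never a real key.
SHARED_SECRET = b"example-only-customer-secret"

# Domain-separation tags: a code the bank speaks to prove itself can never be
# replayed by a fraudster as "the customer proving themselves to the bank".
BANK_TAG = b"bank->customer"
CUSTOMER_TAG = b"customer->bank"


def new_challenge() -> str:
    """The customer's app picks a fresh six-digit challenge for this call."""
    return f"{secrets.randbelow(10**6):06d}"


def response_code(secret: bytes, tag: bytes, challenge: str, reference: str) -> str:
    """Six-digit code bound to the direction, the challenge and the case reference."""
    message = b"|".join([tag, challenge.encode(), reference.encode()])
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def bank_answers(challenge: str, reference: str) -> str:
    """What the bank's agent reads out after the customer states the challenge."""
    return response_code(SHARED_SECRET, BANK_TAG, challenge, reference)


def customer_checks(challenge: str, reference: str, spoken_code: str) -> bool:
    """The app recomputes the expected code; constant-time compare, no digit leaks."""
    expected = response_code(SHARED_SECRET, BANK_TAG, challenge, reference)
    return hmac.compare_digest(expected, spoken_code)


def customer_answers(challenge: str, reference: str) -> str:
    """Only after the bank has passed does the customer prove themselves back."""
    return response_code(SHARED_SECRET, CUSTOMER_TAG, challenge, reference)


def simulate_call(reference: str, caller_is_real_bank: bool) -> Tuple[bool, Optional[str]]:
    """One phone call. Returns (bank verified?, code the customer gave back or None)."""
    challenge = new_challenge()
    if caller_is_real_bank:
        spoken = bank_answers(challenge, reference)
    else:
        # A phisher holds no secret: the best they can do is guess, or replay a
        # code overheard on an earlier call, which was bound to a different challenge.
        spoken = "000000"
    if not customer_checks(challenge, reference, spoken):
        return False, None
    return True, customer_answers(challenge, reference)


if __name__ == "__main__":
    print("real bank:", simulate_call("12345", caller_is_real_bank=True))
    print("phisher:  ", simulate_call("12345", caller_is_real_bank=False))
```

The order matters: the bank proves itself first, so a caller who cannot produce the code never gets card details, and the customer’s own code is derived under a different tag, so nothing the customer says on the phone can be turned around and used to impersonate the bank to someone else.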

The Bangladesh Bank Hack, Part XIV

Lots of attention at the moment on the implications of the Bangladesh Bank hack, now four months old. This is a piece I contributed last week. Quite a bit of water has gone under the bridge since then. We not only don’t know who was behind the hack – North Koreans have been put somewhere in the frame, but that’s by no means a certainty – but we still don’t really understand how all the pieces fit together. Meanwhile, the blame game continues.

Cyber firms say Bangladesh hackers have attacked other Asian banks

WASHINGTON/SINGAPORE | BY DUSTIN VOLZ AND JEREMY WAGSTAFF

Hackers who stole $81 million from Bangladesh’s central bank have been linked to an attack on a bank in the Philippines, in addition to the 2014 hack on Sony Pictures, cybersecurity company Symantec Corp (SYMC.O) said in a blog post.

The U.S. Federal Bureau of Investigation has blamed North Korea for the attack on Sony’s Hollywood studio.

A senior executive at Mandiant, the cybersecurity company investigating the Bank Bangladesh heist, also told Reuters the hackers had recently penetrated banks in Southeast Asia.

In the blog post published on Thursday, Symantec did not name the Philippines bank or say whether any money was stolen, but said the attacks could be traced back to October last year. It did not identify the hackers.

The Philippines central bank’s deputy governor, Nestor Espenilla, told Reuters that no bank in the country had lost money to hackers, although he did not rule out the possibility of cyber attacks.

“We are checking if there are similar attacks on Philippine banks,” Espenilla said. “However, no reported losses so far.”

He added: “It is one thing to be attacked. It is another to lose money.”

Marshall Heilman, vice president for Mandiant, a part of U.S.-based FireEye (FEYE.O), said it was not known whether any money was lost in the other attacks he described or whether the hackers had been successfully blocked.

“There is a group operating in Southeast Asia that definitely understands the bank industry and is at more than one location,” he said.

Heilman declined to identify the country or countries, or the institutions attacked. He said it was the same group as the one involved in the Bank Bangladesh theft and that the attacks were recent, but declined to be more specific.

Central banks elsewhere in Southeast Asia – Singapore, Indonesia, Brunei, Myanmar, Laos, Cambodia, Vietnam, Thailand and East Timor – have declined comment or denied knowledge of any other breaches.

There have been at least four known cyber attacks against a bank involving fraudulent messages on the SWIFT payments network, one dating back to 2013. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, urged banks this week to bolster their security, saying it was aware of multiple attacks.

Banks around the world use secure SWIFT messages for issuing payment instructions to each other.

“HARD CONNECTION”

SWIFT said earlier this week that February’s Bangladesh Bank hack was a “watershed event for the banking industry” and that it was “not an isolated incident.”

Spokeswoman Natasha de Teran said on Thursday that SWIFT was “actively looking into other possible instances of such fraud,” but would not comment on individual entities.

Symantec said it had identified three pieces of malware that were used in limited targeted attacks against financial institutions in Southeast Asia. (symc.ly/1sRNHc7)

One of the malicious programs has been previously associated with a hacking group known as Lazarus, which has been linked to the devastating attack on Sony’s Hollywood studio in 2014.

“There is a pretty hard connection now to the Sony attacks and the actor behind them” and the Bangladesh heist, Eric Chien, technical director at Symantec, said in an interview.

Another cybersecurity firm, BAE Systems, said this month that the distinctive computer code used to erase the tracks of hackers in the Bangladesh Bank heist was similar to code used to attack Sony.

Chien said that if North Korea was responsible for the hacks on banks via the SWIFT messaging network it would represent the first known episode of a nation-state stealing money in a cyber attack.

Policymakers, regulators and financial institutions around the world are stepping up scrutiny of the cyber security of the SWIFT payments system after hackers used it to make fraudulent transfers totaling $81 million out of Bank Bangladesh’s account at the Federal Reserve Bank of New York.

Symantec and other researchers have also linked the hack to a failed attempt to use fraudulent SWIFT messages to steal from a commercial bank in Vietnam.

In addition, Reuters reported last week that Ecuador’s Banco del Austro had more than $12 million stolen from a Wells Fargo account due to fraudulent transfers over the SWIFT network.

Bangladesh police are also reviewing a nearly-forgotten 2013 cyber heist at the nation’s largest commercial bank, Sonali Bank, for connections to the central bank heist, a senior law enforcement official told Reuters. The unsolved theft of $250,000 at Sonali Bank also involved fraudulent transfer requests sent over the SWIFT network.

(Additional reporting by Narottam Medhora in Bengaluru and Karen Lema in Manila; Editing by Siddharth Cavale, Leslie Adler and Raju Gopalakrishnan)

Elitism’s Big Security Hole

You would expect that if you choose an elite, premium product or service that it was more secure than its lesser, bog standard one. But after an incident today I’m not so sure.

I happen to have a fancy premium account at my bank. I didn’t really want it, and object to such things on champagne socialist grounds, but it happened that way. So I arrive in town, and am looking for an ATM. I espy the logo of my bank on the airport concourse and head that way. Three members of staff stand around the branch entrance, doing that half-welcoming, half-bouncer thing that staff do. I asked if there was an ATM inside, and they said yes, but instead of letting me in, pointed me back across the vast concourse to the railway terminus. “None in here?” I asked, surprised. By then I was fishing inside my wallet for my ATM card and they caught a glimpse of its fancy charcoal greyness. Their attitude changed in a flash to one of abject obeisance. “This way, kind sire,” they said (or something like that) and ushered me inside the darkened interior, round a couple of corners to my very own ATM machine, before withdrawing to a discreet but accessible distance. Butlers passed bearing flutes of champagne; customers carrying men’s purses perused glossy brochures with names like “Managing Your Family’s Wealth So You Can Have Trouble-free Weekends in Your Phuket Condo With An Office Secretary” or something.

Offputting, but I was happy to get my hands on some cash. Until I realised I had forgotten my PIN. No problem, one of the staff said, and led me around more corners to a bank of eager customer advisor executives, or something, all with perfect teeth and wide smiles. They happily gave me cash and balances, none of it requiring any proof of identity on my part. I got to suck a sweet while they did. The three bouncers led me outside as if I was the King of Siam collecting tribute.

I was happy with all the deference and genuflecting, but it made me realise that premium service isn’t really about premium service; it means paying through the nose not to be troubled by impertinent little serfs asking me for proof of identity when I want to move millions of dollars around/see my jewelry collection in a bank vault/pass through immigration. It’s actually about dismantling security, not about enhancing it.

It’s a simple equation: Companies charge more fees to these kinds of people, providing what looks like a Rolls Royce service. People love getting star treatment, assuming that fake veneer and snow-white smiles equate to quality. Of course all it really means is that the basic service — in this case the ATM machine — has been moved off to a remote corner for the unwashed who refuse to pay for the premium service. But more importantly, the actual quality that should be a feature of the improved service is severely compromised, if not entirely absent, since the implicit agreement is that customers won’t be asked for proof of identity. That may seem like an advantage to the customer, but if someone had stolen my wallet they would have been able to empty my account without breaking a sweat. They might even have been offered a shoulder massage while the staff counted the money.

There must be a name for this skewed security thinking. And it must apply to all sorts of services.

Me? I’m downgrading my account and rejoining the plebs. It’s safer there: They won’t let me in the branch without flashing my ID card.

Cash With a Human Face

Here’s a useful innovation for foiling scammers stealing money from ATMs with their heads covered to avoid identification: a system which “can distinguish between someone whose face is covered or uncovered, and only grant access to those who bare their faces.”

No face, no dosh

According to Taiwan’s Central News Agency (no story URL available; first paragraph here), the system was developed by a research team headed by Lin Chin-teng, dean of the College of Computer Science, National Chiao Tung University in Hsinchu, “and can deny ATM access to users who have their faces covered”:

The system’s developers said they hoped the device would assist law enforcers in stopping a common crime involving ATMs: thieves disguise their face with motorcycle helmets or masks, even while their images are being captured by ATM surveillance cameras.

Worm Hits Diebold’s Windows ATMs

It’s not happy days for Diebold, the company behind ATMs and electronic voting. Its e-voting machines have been the source of much controversy — earlier this month it withdrew its suit against people who had posted leaked documents about alleged security breaches in the software. Now its automatic teller machines have been hit — by viruses.

Wired reports that ATMs at two banks running Microsoft Windows software were infected by a computer virus in August, the maker of the machines said. The ATM infections, first reported by SecurityFocus.com, are believed to be the first of a computer virus wiggling directly onto cash machines. (The Register said in January that the Slammer worm brought down 13,000 Bank of America ATMs, but they weren’t directly infected: the worm infected database servers on the same network, spewing so much traffic the cash machines couldn’t process transactions.)

But how can an ATM get infected? SecurityFocus says that while “ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.” In other words: the folk who write worms are smarter than we are.
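The SecurityFocus point is checkable from the network side: an ATM estate that is genuinely isolated only ever talks to a handful of known hosts, so anything else in the segment’s firewall log is either an undocumented path out or a machine trying to find its neighbours. The script below is an added example, not code from Wired, SecurityFocus or Diebold. The ATM subnet, the two permitted destinations, the fan-out threshold and the log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the ATMs sit on 10.20.0.0/24, the bank's whole
# private space is 10.0.0.0/8, and the only legitimate destinations are the
# transaction switch (10.20.1.10:443) and an NTP server (10.20.1.20:123).
ATM_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
BANK_SPACE = ipaddress.ip_network("10.0.0.0/8")
ALLOWED = {("10.20.1.10", 443), ("10.20.1.20", 123)}
FANOUT_THRESHOLD = 5  # distinct in-segment peers before we call it scanning

# Constructed firewall log, one event per line: "timestamp src dst port action".
SAMPLE_LOG = """\
2003-08-11T09:00:01 10.20.0.5 10.20.1.10 443 ALLOW
2003-08-11T09:00:02 10.20.0.5 10.20.1.20 123 ALLOW
2003-08-11T09:00:09 10.20.0.7 10.20.1.10 443 ALLOW
2003-08-11T09:01:14 10.20.0.7 198.51.100.23 80 ALLOW
2003-08-11T09:01:15 10.20.0.7 10.20.0.8 135 ALLOW
2003-08-11T09:01:15 10.20.0.7 10.20.0.9 135 ALLOW
2003-08-11T09:01:16 10.20.0.7 10.20.0.10 135 ALLOW
2003-08-11T09:01:16 10.20.0.7 10.20.0.11 135 ALLOW
2003-08-11T09:01:17 10.20.0.7 10.20.0.12 135 ALLOW
2003-08-11T09:02:40 10.20.0.9 10.20.0.10 135 ALLOW
2003-08-11T09:03:05 10.20.1.50 10.20.0.5 445 ALLOW
"""


def parse(log_text):
    """Turn the log into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action))
    return events


def unexpected_egress(events):
    """ATM hosts contacting any (dst, port) outside the allow-list, neighbours included."""
    hits = defaultdict(set)
    for _, src, dst, port, _ in events:
        if src in ATM_SEGMENT and (str(dst), port) not in ALLOWED:
            hits[str(src)].add((str(dst), port))
    return dict(hits)


def external_egress(events):
    """The 'undocumented connection': ATM traffic leaving the bank's private space entirely."""
    return sorted({(str(src), str(dst), port)
                   for _, src, dst, port, _ in events
                   if src in ATM_SEGMENT and dst not in BANK_SPACE})


def scanners(events, threshold=FANOUT_THRESHOLD):
    """ATMs fanning out to many peers in their own segment, the signature of a worm hunting hosts."""
    peers = defaultdict(set)
    for _, src, dst, _, _ in events:
        if src in ATM_SEGMENT and dst in ATM_SEGMENT:
            peers[str(src)].add(str(dst))
    return sorted(src for src, seen in peers.items() if len(seen) >= threshold)


def report(log_text):
    events = parse(log_text)
    return {
        "unexpected": unexpected_egress(events),
        "external": external_egress(events),
        "scanners": scanners(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log, 10.20.0.5 never appears in the output because it only ever talked to the switch and the NTP server; 10.20.0.7 shows up three times over, once for its trip to a public address and again for the five-host sweep of its own segment, which is exactly the pattern a worm carried in on a laptop would leave behind.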

News: When An ATM Isn’t An ATM

From the These Thieves Are So Smart, Why Can’t They Get A Real Job Dept comes a story about ATMs. The Canadian Press reports of a scam in Ontario where the bad guys have rigged a number of existing bank machines, allowing them to make working copies of customers’ debit cards by fitting a mask over the machine.

The thieves install a false front on an ATM machine for a few hours, painted identically to the actual front of the real machine. When a customer slides a debit card into the card slot on the false front, a small electronic device attached to the front reads all the information contained on the card. A tiny camera installed just above the machine’s number pad videotapes customers as they type in their personal identification numbers. The thieves then produce their own magnetic cards containing identical information to customers’ cards.