Hackers Exploit Payments Infrastructure
Targeting Transactions to Access Intellectual Capital
Cyberthieves are targeting and exploiting weaknesses in the U.S. payments infrastructure as an easy-to-travel avenue for access to intellectual capital, says Bill Wansley, a financial fraud and risk consultant for Booz Allen Hamilton.
"The payment process, by itself, may just give you a transaction," Wansley says in an interview (transcript below). "But access to payment processes can get you additional information."
One group may hack a transaction to steal money, while another group might intercept the same financial transaction for personal data that will help it target a phishing attack, he says. "What you believe at first to be just a minor cybercrime can actually be a much deeper operation to get inside an organization."
Nation states often use the Internet for cyberespionage, stealing intellectual capital by targeting financial transactions, he adds. "Access to payments processes can get you access to other things, beyond financial."
The good news is that U.S. banking institutions are well-equipped to monitor and thwart those threats, he says. Banks and credit unions are taking the risks seriously, and are better equipped than other industries to mitigate exposure and financial losses.
"They spend a great deal of time and money to try to protect our financial resources and their own intellectual property," Wansley says.
During this interview, Wansley discusses:
- The root of most attacks, and why industries have to increase their efforts to get to the source;
- The role information-sharing between the government and the financial-services industry is playing in enhancing national security; and
- Steps organizations can take to improve their risk-mitigation strategies to ensure they are adequately protecting data and warding off socially engineered attacks.
Wansley leads multidisciplinary consulting teams at Booz Allen Hamilton, where he provides operational-level management and technology consulting services, including advanced analytics of financial data, operational and technology risk management, compliance and regulatory risk assessments, and payment process redesign. He has 30 years of professional experience as an operational U.S. Army officer, a national security policy planner and a management consultant for the U.S. intelligence community. Wansley's operational military experience includes serving as a field commander, division level war planner, and national security strategist. For the past 13 years, he has supported U.S. Intelligence Community clients in solving national security risk-related challenges through strategic planning and advanced analytics.
Making A Dent
TRACY KITTEN: Bill, we spoke in late June about the FBI's takedown of cyberthieves linked to underground forums where stolen and intercepted credit and debit card details were being sold. At the time, you said the bust would not have a significant impact on card fraud, because shuttering these underground forums is next to impossible. Do you still believe that the late June takedown made no difference? And if so, can you explain how you've come to that conclusion?
BILL WANSLEY: Sure, I'd be happy to address that. The reality is that there is quite a bit of credit card fraud that goes on globally. It is really a global business, and organized crimes are being conducted by groups all across the world - in Russia, Ukraine, China, United States. So it really is a very pervasive form of organized crime and financial crime. While it is very important that the FBI is able to take down a group, they still have a long ways to go to start catching up with the rest of them. What we really have to do is think more systemically about the threats to our financial infrastructure and think about ways to stop it - from credit card transactions to major bank transactions and all sorts of threats to the financial system.
KITTEN: So why are we facing an insurmountable task where attacking some of these cybercriminals is concerned?
Cybercrime Is Attractive
WANSLEY: Well, in a number of parts of the United States, criminal activity is on the decline. A lot of criminal groups and individuals are just moving to the Web, because, as you know, the Web is becoming increasingly easy for the younger generation to get around, and finding ways to conduct crime online is easier than ever. You can actually go out on the Internet and buy tools that will allow you to attack and to penetrate different organizations. So we have a whole new generation of criminals that are coming up cybersmart and they are able to take advantage of that, and, frankly, the openness of the Internet, to move their crimes from the streets now to organized crime on the Internet.
Attacks for Political Gain
KITTEN: You've noted that the U.S. payments infrastructure is a prime target for attacks, and that these attacks are waged more for political reasons than monetary gain. But clearly some of these attacks are waged by fraud rings who are after financial assets. Would you not agree?
WANSLEY: Sure, there are a broad range of threats on the Internet, and we all need to think about what they are trying to go after. So there are certainly criminals looking for financial gain. You're still going to have individuals and financial organized crime groups that prosecute that kind of crime, but more and more we're seeing attacks for other reasons. A lot of countries now are taking advantage of the Internet for cyberespionage. That is, to steal intellectual capital or bank transactions that would indicate, perhaps, a major trade that is going to happen or a major deal that is going to happen. So there is a lot more to be gained from stealing information off the Internet than just a credit card number that could be used for a small transaction before it hits some sort of trigger.
Nation State Attacks
KITTEN: If some of these attacks are nation state attacks, and if, in fact, these nation state attacks do pose the greatest risk, can you pinpoint who these potential nation state adversaries actually are?
WANSLEY: Well, really, there are a number of countries that have a deliberate policy of taking advantage of the Internet to increase their access to emerging technology and intellectual capital for building business. Most notably, in the past year, the National Counter-Intelligence Executive report to Congress identified China first and Russia, to a lesser degree, as countries that are involved in this. But they are not the only ones. Frankly, there are a number of countries and small organized crime groups that also want intellectual capital that will allow them to make smart investment decisions globally and get their financial rewards in that way.
KITTEN: Do these online gangs sometimes work with nation states?
WANSLEY: Sure. Attribution on the Internet is very difficult because people can hide behind servers and different switches. So it is really difficult to find out who is working for whom on the Internet. But certainly there are some cybercriminals who work on their own sometimes, or they can be hired by a nation state or other organized crime groups. So you'll see talent actually move around to support different purposes. There will be people that work for the nation state for a significant period of time, and then the next day they will be working on their own.
Intellectual Property: The End Goal
KITTEN: And so when we take a step back and we look at causes for some of these attacks, why is the quest for intellectual property at the root of these attacks? Why is that of so much interest?
WANSLEY: It is really fascinating. ... Think about how much money the United States and the companies in the United States spend on research and development to create cutting-edge new technologies or products that are going to be desired by consumers. One way to get around those major expenses is to spend $5,000 on a cybertool that is going to allow you to steal it from somebody. So frankly, it can be a very cost-effective way to accelerate your advancements in technology and consumer products.
KITTEN: And then what about the vulnerabilities that are inherent in financial transactions and payments? Why are these types of transactions of interest to nation states?
WANSLEY: Well, the payment process, by itself, may just give you a transaction. But access to payment processes can get you additional information. You have probably heard stories of these nation states being able to do social engineering to understand details about individuals who may have access to more sensitive information. So even though one group may be stealing money through a financial transaction, other groups will take the same transaction and garner personal information that will link back to social engineering to route on a specific individual or a certain company to get them to get access to what they really are after. What you believe at first to be just a minor cybercrime can actually be a much deeper operation to get inside an organization.
Fighting The Battle to Win
KITTEN: And so, are we fighting the battle in the right way, or have we been blind to what is really going on in the cyberworld?
WANSLEY: I think we are blind in a number of ways. But the U.S. financial institutions, in a way, take this threat very seriously, and they spend a great deal of time and money to try to protect our financial resources and their own intellectual property. Specifically, the financial services industry funds a group that shares information between major institutions, and this allows them to try to identify breaking criminal trends to identify who is coming after whom and what techniques they are using and how to block them. So, frankly, I'm really pleased to say that most U.S.-based financial institutions take on this challenge and are spending an awful lot of time and money trying to get in front of it.
The United States government does take a pretty active role in trying to understand what the threats are to our country in general. The Department of Homeland Security has responsibility for defending the U.S. infrastructure, so they have established working groups to share information with financial institutions to ensure that different companies are aware of the risks and the threats to the infrastructure. That said, there's legislation that the Obama administration is trying to pass right now, and has some support from both sides of the aisle, that would allow for even more enforcement and information sharing for the nation's infrastructure. And this is a step in the right direction because the nation does have to take a more comprehensive approach to protecting our payment processes and our financial infrastructure.
Organizational Knowledge Lags
KITTEN: How well informed are organizations about some of these threats? We've talked about financial institutions, but what about other entities?
WANSLEY: Well, financial institutions, I think, are ahead of the rest, in terms of the general industries. A number of the other critical infrastructures of our country, utilities, for example, and communications and healthcare, have groups that are attempting to enhance information sharing, but they are not quite as advanced as the financial services. Again, this legislation I mentioned will help solidify support for these information sharing bodies and allow for more sensitive information to be passed from the government to these different critical sectors.
KITTEN: And so how can organizations and others educate themselves about some of these threats, and what about educating consumers? What obligation do these organizations have to educate the end-user?
WANSLEY: First of all, I'm pleased to contribute in a small way, as you are, to the public awareness of these challenges. I think it is really important for the media to understand the issues surrounding our vulnerabilities and to get word out there. Second of all, we tell all of our clients that they should start with awareness training for their staff. It is very difficult to know when you're being attacked by a cyberattack unless you are aware of the tell-tale signs of that. These people that do the social engineering are very sophisticated and they are very good at collecting information from people who are unwitting that they're targets. Finally, I think it is important for the United States, as a government, and all business here to share information as we see things change. Some of the attacks that we see now weren't present three years ago, and some of the patterns we used to be very comfortable with are now gone. So it is an emerging and evolving threat. And it's up to all of us to try to ensure that we are aware of it as it goes along for the next couple of years.
Improving Online Security?
KITTEN: Moving forward, what would you say needs to change in our payments infrastructure, as well as any other type of interaction that may touch the online space?
WANSLEY: Well, I tell you, it's not really prudent for me or anybody, frankly, to identify specific vulnerabilities we have in our payment system, because someone may want to take advantage of that. But the reality is that we need to have thorough assessments of the vulnerabilities and linkages to other systems - minor systems that may not be as secure as the primary systems. All of that contributes to the potential risk to our infrastructure. It would not be that difficult for somebody from the outside to cause great havoc within our markets by putting some code into the system that would upset the trading systems we have, the algorithms we have. So it really is important for us to just be very much aware, have the assessments and ongoing monitoring to ensure we know what has changed in our environment and what is likely to happen for the next wave of cybercrime.