Interbank Payments: Attackers' New TargetFraudsters Exploiting Weaknesses in Bank Processes, Practices
The breach of an offshore account owned by Union Bank of India is raising new questions about the security of interbank payments, which often rely on antiquated back-end verification processes that fraudsters seem to be compromising with relative ease.
In July, Union Bank of India told Reuters that a breach of one of its nostro accounts had been quickly detected and that attackers' attempts to fraudulently transfer funds from that account had been foiled.
Nostro accounts, which are held at banks in other countries in foreign currencies, are widely used to facilitate foreign exchange and trade transactions.
Now, some financial sector security experts are speculating that the breach of Union Bank's nostro account, which is believed to be held by Citibank in New York, may have involved the same attackers who compromised an $81 million SWIFT transaction initiated in February by the central bank of Bangladesh to the Federal Reserve Bank of New York (see SWIFT Deduction: Assume You've Been Hacked).
SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, is a bank-owned cooperative that maintains a messaging system for interbank payments (see SWIFT Heists: The New Account Takeovers? ).
"It's entirely possible" that the same attackers were involved in the two attacks, says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "There is definitely a criminal group that well understands the intricacies and detailed processes of SWIFT and foreign exchange transactions, and it's entirely plausible that this knowledge enabled the criminals to breach Union Bank's India nostro account," she says.
If the Union Bank and Banladesh Bank incidents are, indeed, connected somehow, new questions will be raised about the standard security practices banks use to authenticate back-end bank payments, Litan says.
Al Pascual, head of fraud and security at Javelin Strategy & Research, says interbank payments are clearly a new target for bad actors. "While I can't confirm the particulars, it appears that we are in that window where criminals have identified a high-value, poorly protected asset and are taking advantage of that," he says. "These attacks will migrate to those institutions where regulators have allowed lax cybersecurity to be the norm, and some of them will learn hard lessons in short order. ... We're not done hearing about these multimillion dollar heists."
Until banks worldwide shore up their back-end transaction verification methods, as well as customer and account authentication, these attacks will increase, Litan predicts.
"One thing is very clear: The criminals have started going after major foreign exchange systems where billions of dollars move between banks around the world every day," she says. "It would appear that at least one gang has studied these systems very carefully, either through their own crafty reconnaissance or with the help of recruited insiders. These types of high-stakes attacks are only likely to increase in frequency going forward. There will surely be copycats who want to cash in big time as well. And they are most likely to go after foreign banks, where controls are the weakest."
Detecting Suspicious Activity
Union Bank did not respond to Information Security Media Group's request for comment. But security experts in India tell ISMG that Citi, not Union Bank, flagged the fraudulent request for a transfer from the nostro account as suspicious and immediately notified Union Bank.
"There was providential intervention in the case of Union Bank," a CISO from a multinational bank who's spoken with sources at Union Bank tells ISMG. The CISO asked not to be named.
"The message was halted as the American bank receiving the funds raised a query before clearing the transfer," the CISO says. "The [U.S.] bank could spot a discrepancy."
Union Bank has not released information about the amount of money the attackers attempted to transfer.
"A cybersecurity forensics audit has commenced to identify the vulnerabilities, plug any gaps and strengthen the system," Union Bank said in a statement to Indian stock exchanges, Reuters reports.
An Inside Job?
Some security experts also believe that in both the Union Bank breach and the Bangladesh incident, attackers may have leveraged insiders to carry out their attacks (see Insider Threat Detection: How to Develop a Successful Program).
In the Bangladesh heist, experts speculate that a bank employee with SWIFT administrative privileges may have had their login credentials stolen through a malware attack. In the Union Bank breach, experts suggest something similar may have happened. That's because interbank transactions involving nostro accounts require multifactor authentication, which means credentials for at least one person with administrative or transaction-approval power had to be compromised.
"It's possible the attackers obtained credentials through insiders or by hacking the PC having such credentials ... then submitted fraudulent messages by impersonating them," says Sivakumar Krishnan, head of IT at Mumbai-based financial services firm M Power Micro Finance Pvt Ltd.
C.N. Shashidhar, founder of Bangalore-based security firm SecuriT, notes: "The hackers may have targeted the concerned employee of UBI and sent a spoofed email with a malicious attachment or drive-by malware on the most frequented site or phishing email, which might have been used to compromise the target's machine."
Indian Banking Challenges
Krishnan says a big issue for Indian banks is that they focus more on ensuring compliance with regulatory mandates than they do on ensuring cybersecurity and resilience against cyber-aggression.
"The challenge facing Indian banks is their inability to detect anomalies in their network," says one cybersecurity expert at a large consulting firm, who asked not to be named. "They use traditional tools and technologies. Banks are unable to prevent vulnerabilities, which provide access to attackers in the dark web."
CISOs need to focus more attention on educating IT teams about how to properly protect identities and proactively respond to threats, he says. "Most organizations fail to train them in handling phishing communications, use of passwords and password policy, as well as implementation of single sign-on with multifactor authentication," Krishnan says.
To address security shortcomings, all Indian institutions should implement board-approved cybersecurity resilience frameworks, he adds. "The policy should include the APIs [application program interface], various delivery channels, online/mobile products and services, besides documenting the inherent risk of various systems and processes as low, medium or high risk," Krishnan argues.
The Reserve Bank of India recently issued cybersecurity guidance for banks to help them mitigate risks.