In this series of posts, we are going to discuss the challenges facing financial institutions in these days of ever growing cybercrime and how a number of financial institutions are failing to rise to the challenge.
“Unlimited Operation” Attack
United States District Attorney’s Office Press Release dated May 09, 2013 details an indictment charging eight defendants with participating in two worldwide cyberattacks that inflicted $45 million in losses on the global financial system in a matter of hours, in a type of attack known as “Unlimited Operation” among cybercriminals. An Omani Bank was among those hit and suffered a loss of $39 Million. Many will be familiar with details of the case, as it was extensively reported in newspapers.
The indictment defines how an Unlimited Operation Attack is carried out:
1. Over a period of months, hackers plan and execute sophisticated cyberattacks to gain unauthorized access to the computer networks of card processors that are responsible for processing prepaid debit card transaction.
2. They then proceed to compromise the prepaid card databases which hold card limits and balances. This provides them the ability to manipulate how much is available for withdrawal.
3. They distribute the target prepaid cards details (remarkably, a very small number of cards), such as magnetic stripe data (this holds essentially all details required to process the card, apart from PIN), to cashing teams across the world who then make duplicates of the cards. These teams will be the ones to withdraw cash from the ATMs.
4. At the agreed time, the PINs are sent to all the teams across the world, who spring into action and start withdrawing cash simultaneously as quickly as possible. The hackers manage and monitor the hacked card processors systems to allow the cashing operations to proceed without hindrance. This phase typically lasts a few hours, but the speed and number of transactions is very high, resulting in very large losses. In one operation, teams across 24 countries worldwide performed approximately 36,000 withdrawal in a span of 10 hours, netting almost $40 million.
5. At the end of the operation, the cards are disposed of and the cash is subsequently converted into commodities such as jewels and expensive goods by the cashing teams.
After the first Unlimited Operation attack carried out against prepaid cards of an UAE based bank (thw cash withdrawal phase was carried out on 22 December 2012), VISA issued an alert (January 2013). The alert, addressed to all concerned (Issuer/Processors/ATM Acquirers), described very accurately the method of the attack, the products most at risk (prepaid products) and the means to mitigate risk. It recommends reviewing transaction monitoring rules and paying attention to the speed of transactions hitting card accounts. It also describes contributing network vulnerabilities and associated mitigating controls.
Despite the alert, on 19 February the cash-out phase of the second Unlimited Operation attack was executed successfully by the cybercriminals in exactly the same manner as the first, this time against prepaid cards of an Omani based bank.
Both banks targeted in the Unlimited Operation attacks had outsourced their prepaid cards processing, as it turns out to card processing companies based in India. Since both attacks targeted institutions that were outsourcing their prepaid card processing, it stands to reason that the cybercriminals must have identified this as a weak link in the card payment system.
The VISA alert issued in January 2013 also very clearly describes the mechanisms of attack and contributing factors. However, even after the alert was issued, I could not uncover any evidence of extra precautions that, either the bank affected in the second attack, nor its card processor, took to mitigate the risk.
To me the biggest lack was a lack due diligence by both parties.
The card processor was unable to respond to transactions velocity in the order of 36,000 transaction hitting 12 cards in the span of 10 hours. This amounts to an average of 5 ATM transactions a minute per card. In addition, these transaction are coming in from 24 separate countries across the globe. Even if hackers had compromised the card processors’ systems, the flow of transactions was still proceeding as per payment systems rules. These two parameters alone were sufficient to trigger an alert, unless:
· There was minimal transaction monitoring
· Transaction monitoring was carried out within a system which was also compromised.
Most transaction monitoring is performed through rule-based systems. This proves inadequate in case the systems are hacked. Proactive inspection by a dedicated security team monitoring the Payment systems and network in an Information Security Operations Center is essential to respond to complex attacks such as Unlimited Operation.
Financial Institutions outsourcing critical information technology services must perform due diligence. In most cases, these institutions outsource these services due to lack of capabilities internally and therefore depend on the service provider to manage for them all complex aspects of the services. However, the institutions are still responsible for customers’ funds and for shareholders’ value. They must protect these by ensuring due diligence. In the Financial and Payment systems industries, in light of the ever growing threat of cyber fraud, institutions must develop the capability to assess these threats, formulate strategies to mitigate them and monitor the evolving landscape. Therefore, even if operations are outsourced to a third party, the ability to assess technology related risks, formulate strategies to mitigate risks and ensure that service providers implement these strategies rests solely with the financial institutions.