Between the hours of 5am and 8am Japan time on 15 May last month, cyber attackers used compromised card details of customers from a Tier 1 bank in Africa to make transactions on a number of customer accounts.
Well over 100 cyber crooks made physical cash withdrawals to the tune of at least $13-million (R195-million) at specific ATM cash points.
This heist was conducted over a number of ATM cash machines, for a total of 1 400 transactions.
Tunde Ogunkoya, consulting partner at DeltaGRiC Consulting, says a specialist in enterprise applications cyber-security, including the SAP, PeopleSoft and Open Source Software industries – particularly the FSI.
“This incident is not that different from the numerous cyber breaches making the rounds on the corridors of cyber reportage, for example the Bangladesh Bank.
“The problem is that we don’t have transparency; few cyber heists are reported. Only the biggest data breaches capture enough attention to make headlines. The rest get to suffer quietly away from the public eye. We just don’t get to the facts, or the admissions, from banks.”
According to the CEO of SABRIC, Pillay Kalyani, 2015 saw a total of R788-million in losses due to crime across all card types in South Africa.
He says it interesting to note that the media often speaks heavily about the sad outcomes: how much data was stolen/compromised and often not about the intelligence behind the breach or how the crime skipped the security measures that institutions put in place.
It is needless to point out the numerous regulatory guidelines on data security are now regularly being breached.
“The bottom line is that there is little information for cyber journalists to work with to adequately report on these occurrences,” says Ogunkoya. “This is due, to a large extent, that ‘confidential’ banks do not want to let the public know about any security breaches. It can have a profound impact on their reputations.”
Ogunkoya looks at a few assumptions surrounding the actual breach at the Tier 1 African bank last month and tries to reconstruct what may have led to the breach:
* The bank runs a third-party Tier 1 enterprise application to handle its business processes, as well as customer card details.
* The bank also uses custom-developed applications (which contain open source codes) to augment some process shortcomings in its Tier 1 application.
* The bank has new-generation firewalls, endpoint security, IDS/IPS, antivirus/anti malware solutions.
* The bank performs regular training for its employees to prevent phishing attacks.
* A single ATM source point (7 -Eleven ATM) was used in completing the attack.
“To attempt to answer the big question of how the heist was a success from an external observer perspective – without making the uncertain certain – would be to shoot into the dark,” Ogunkoya says. “Still, going by the assumptions above, and without any privileged details, I will start by eliminating some possible calls that don’t add up to explain the ‘how’.
“Just as it is with most broad cyber breach forensics, the key to understanding what may have happened is to narrow down the numerous attack vectors, eliminate the unlikely possible method by which the attackers would have perpetrated their actions, and then drill down further on the possible attack methodology.”
In order to try to guestimate the method of attack in this Tier 1 African bank, one needs to examine all attack vectors.
“Having read some press releases from online media agencies I need to rule out some assertions in mainstream media,” says Ogunkoya.
He says some things can be ruled out:
* The ATM software was hacked: This assumption could have been true when you consider the fact that: only the 7-eleven store ATMs were purportedly used in this attack. After all, there are numerous ATM hacks and methods in the public domain, even on YouTube. For this assertion to be valid, it would mean that for all the 100 location points – ATM attacks – the actual owner of the compromised card details would have also used the ATM within the last 24 hours: An unlikely probable occurrence – hence ruling this assertion out – is that this hack would have been possible only for a local bank and not a bank outside Japan.
* Compromised merchants: Normally, PCI standards do not allow merchants to store CVV details in their process of receiving payments. Had this breach been a few handfuls of card details (five to10), it could have been said that the compromised card details were those of certain merchants.
“But, if that was the case, the hack would have gone beyond only one bank, being the main casualty in this case – hence this assertion is again overruled,” says Ogunkoya.
Having ruled out ATM hacks and compromised merchants, this leaves one question: where is it probable to find all the card details hosted in numerous quantities from a single source? And, together with that, having a complete information view of all the parameters that could allow anyone to easily re-create the cards (card numbers, expiry dates, CVV, CVV2, CVC2 & CID). Potentially, this could be the banking application that the bank uses.
Interestingly, the bank has NGFW, IDS/IPS and endpoint security – essentially all the perimeter fencing capabilities.
Ponemon Institute research found that organisations continue to invest little or nothing on application layer security when compared with other areas of enterprise security. Also, just recently, a SAP statement on Forbes magazine claimed that 84% of cyber-attacks now occur on the application layer.
Even with PCI DSS regulations in place, it’s been possible to decrypt credit card data in some applications as far back as 2011.
“To be frank, with the method of this heist – over 100 people and 14 000 transactions – I can bet that my suspicions of potentially more card details being exposed is a valid suspicion,” says Ogunkoya.
He paints a scenario of what he believes probably happened at the Tier 1 Bank:
* Bulk card details were compromised at the application layer using known/disclosed or zero-day vulnerabilities;
* The bulk compromised card data was then decrypted and filtered;
* The filtering was most likely done using parameters like regular travellers or high net worth spenders in order to avoid raising suspicions in the fraud anomaly detection system;
* These filtered cards were then skimmed/recreated;
* After skimming the cards, physical “pawns” were recruited for the cash withdrawal/collection exercise;
* Cash collection was ordered between the targeted hours of 5am and 8am in Japan – or 10pm and 12-midnight in South Africa, the least responsive time in both countries.
“To simply hope – as we do in Africa – that no such heist will happen again is simply not wise,” says Ogunkoya. “Rather, as it is likely there will be more attacks of this nature, we advocate checking all areas of Application Security in mission critical applications benchmarking them against third-party frameworks.”
Regardless of how the heist happened, Ogunkoya says attacks like this could have a long-term impact regarding the confidence of investors, customers and partners of this particular Tier 1 bank in Africa.
While firewalls, intrusion detection/prevention systems and anti-virus software are main go-to mechanisms for blocking attack vectors, no protection method is totally attack-proof, he adds.
“We must note that while this bank, like any forward thinking bank, will continue to do many things right from a cyber-security perspective, we must come to terms with our new world reality: with 84% of cyber breaches occurring at application layer, a defence method that is effective today may not necessarily be so by tomorrow.
“This is an obvious conclusion because hackers are constantly updating attack vectors – and seeking new ones – in their quest to gain unauthorised/unauthenticated access to applications, which are mostly ignored in terms of actionable budgets. These breaches can certainly affect the economic balance of corporations, as well as nations,” says Ogunkoya.