[BreachExchange] Bank Attacks Put Password Insecurity Back in the Spotlight

Destry Winant destry at riskbasedsecurity.com
Mon Nov 12 02:02:56 EST 2018


https://securityledger.com/2018/11/bank-attacks-put-password-insecurity-back-in-the-spotlight/

Two separate attacks on banks in the United States and Pakistan
revealed this week highlight once again the inherent weakness of a
security practice that relies on passwords or knowledge-based
credentials to protect critical information.

International bank HSBC said it was a victim of a credential-stuffing
attack and became aware of unauthorized access to online accounts between
Oct. 4 and Oct. 14, according to a notice filed with the state of
California. Credential stuffing attacks use “botnets” of compromised
systems to flood websites with lists of usernames and passwords
gathered from data breaches to assume an identity, gather information,
or steal money and goods.
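A defender-side illustration of the pattern described above, added here and not part of the article or of any tooling belonging to HSBC, PakCERT or The Security Ledger: a small Python script that reads constructed web login log lines and flags the two shapes a replayed credential list takes, one host cycling through many accounts, and a botnet spreading the same list across many hosts so that no single source trips a per-IP threshold. The log format, sample IPs and usernames, thresholds and function names are all assumptions made for this example.

```python
"""Detect credential-stuffing patterns in web login logs.

Added example for this article; it is not code from HSBC, PakCERT or
The Security Ledger. The log format, the sample lines, the thresholds
and every function name here are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed): "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")

# Constructed sample: one source trying many accounts (stuffing from a single
# host), one genuine user retrying their own password, and a botnet where each
# source tries a single leaked username/password pair. One malformed line is
# included to show the parser skipping junk.
SAMPLE_LOG = """\
2018-10-04T09:00:01 203.0.113.10 alice FAIL
2018-10-04T09:00:02 203.0.113.10 bob FAIL
2018-10-04T09:00:03 203.0.113.10 carol FAIL
2018-10-04T09:00:04 203.0.113.10 dave SUCCESS
2018-10-04T09:00:05 203.0.113.10 erin FAIL
2018-10-04T09:00:06 203.0.113.10 frank FAIL
2018-10-04T09:01:10 198.51.100.7 alice FAIL
2018-10-04T09:01:30 198.51.100.7 alice FAIL
2018-10-04T09:01:55 198.51.100.7 alice SUCCESS
this line is not a login record
2018-10-04T09:02:00 192.0.2.44 grace FAIL
2018-10-04T09:02:01 192.0.2.45 heidi FAIL
2018-10-04T09:02:02 192.0.2.46 ivan FAIL
2018-10-04T09:02:03 192.0.2.47 judy FAIL
2018-10-04T09:02:04 192.0.2.48 mallory FAIL
2018-10-04T09:02:05 192.0.2.49 oscar SUCCESS
"""


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, succeeded) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def _bucket(ts, minutes):
    """Floor a timestamp to a fixed window so per-window counts are deterministic."""
    floored = ts.minute - ts.minute % minutes
    return ts.replace(minute=floored, second=0, microsecond=0).isoformat(timespec="minutes")


def detect_stuffing_sources(events, window_minutes=1, min_users=5, max_success_rate=0.2):
    """Flag (window, ip) pairs where one source tries many distinct usernames and
    almost all attempts fail: a leaked list being replayed, not one customer
    mistyping a password."""
    groups = defaultdict(list)
    for ts, ip, user, ok in events:
        groups[(_bucket(ts, window_minutes), ip)].append((user, ok))
    flagged = []
    for (window, ip), attempts in groups.items():
        users = {u for u, _ in attempts}
        success_rate = sum(ok for _, ok in attempts) / len(attempts)
        if len(users) >= min_users and success_rate <= max_success_rate:
            flagged.append((window, ip))
    return sorted(flagged)


def detect_distributed_stuffing(events, window_minutes=1, min_sources=5,
                                min_users=5, min_fail_rate=0.5):
    """Flag windows where many sources each try a few accounts and the aggregate
    failure rate spikes: a botnet spreading the list across IPs so that the
    per-source check above never fires."""
    per_window = defaultdict(list)
    for ts, ip, user, ok in events:
        per_window[_bucket(ts, window_minutes)].append((ip, user, ok))
    flagged = []
    for window, attempts in per_window.items():
        ips = {ip for ip, _, _ in attempts}
        users = {u for _, u, _ in attempts}
        fail_rate = sum(not ok for _, _, ok in attempts) / len(attempts)
        if len(ips) >= min_sources and len(users) >= min_users and fail_rate >= min_fail_rate:
            flagged.append(window)
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("single-source stuffing:", detect_stuffing_sources(evts))
    print("distributed stuffing windows:", detect_distributed_stuffing(evts))
```

On the constructed sample the per-source check flags only 203.0.113.10 in the 09:00 window, the retrying legitimate user at 198.51.100.7 is left alone, and the botnet burst at 09:02 is caught only by the window-wide check, which is why both signals are needed: a per-IP rate limit on its own is exactly what a botnet is built to stay under.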

Attackers were able to access a plethora of customer information,
including full name, mailing address, phone number, email address,
date of birth, account numbers, account types, account balances,
transaction history, payee account information, and statement history
where available, the company said.

“HSBC regrets this incident, and we take our responsibility for
protecting our customers very seriously,” the bank said in a
statement. “We have notified those customers whose accounts may have
experienced unauthorized access, and are offering them one year of
credit monitoring and identity theft protection service.”

Meanwhile in Pakistan, banks were hit with what officials said is the
biggest cyberattack in the country’s history, one that also was traced
back to activity that began in October, according to Pakistan’s
Computer Emergency Response Team, PakCERT.

Analysis by PakCERT found that data from 19,864 cards belonging to
customers of 22 Pakistani banks was up for sale on the dark web in
late October. Hackers had used the cards to make transactions
unauthorized by the actual account owners, suspicious activity that
drew the attention of one Pakistani bank, Bank Islami, which
temporarily blocked its international payment scheme. Other banks that
had customer cards used and/or dumped on the dark web include the
largest bank in the country HBL, as well as UBL, Standard Chartered
Bank, MCB and Meezan Bank.

Common attack thread

While these were separate attacks, what both have in common is that
attackers exploited the all-too-common practice of using passwords or
other knowledge-based credentials to protect critical customer
information, a practice security experts strongly disapprove of because
such credentials are so easy to exploit.

“With over 5 billion credentials already compromised, it’s clear that
expecting security based on passwords or knowledge-based credentials
that consumers create and manage is doomed to fail,” said Bimal
Gandhi, CEO of security firm Uniken.

Indeed, recent research has found that credential-stuffing attacks are
on the rise, particularly in the vulnerable financial industry, where
nearly half of financial organizations lack the resources or
protocols to prevent these types of attack. This is resulting in a loss
of credibility, profit and other negative effects, researchers said.

Though it hasn’t been revealed, Gandhi said he expects that this
method also was used in the Pakistan bank attacks, as it’s a common
way bad actors get access to customer card information so they can use
it or put it up for sale.

The reason that even multi-factor credentials–not just passwords but
also “secret” questions that only authorized users would know–fall
short when verifying customer identity is that passwords can “often be
either easily guessed, phished or socially engineered from the user, or
purchased on the dark web where they’re available for sale as a result
of various data breaches,” Gandhi said.

Other kinds of credentials are also highly susceptible to attack,
either because of the user or because of the infrastructure that the
verification method depends on, he said.

Time’s up for passwords?

It’s not a big news flash that passwords and other credentials are a
highly insecure way of protecting sensitive customer data if they are
all that stand between hackers and that data, with evidence mounting
with every new high-profile attack that surfaces.

Last year a brute-force cyber-attack on U.K.’s Parliament went on for
12 hours, forcing temporary shutdown of the government’s e-mail
service as attackers repeatedly tried to guess passwords to gain
access.

Companies and agencies with access to sensitive information don’t
deliberately try to be targets for attackers, but the nature and
sophistication of cyber attacks in today’s political and economic
climate demand that they step up even the most careful measures,
Gandhi said.

“Most banks and institutions are incredibly security minded and
careful,” he said. “The masses of consumer data unleashed in recent
(unrelated) breaches have provided organized cyber-crime syndicates
with opportunities to go after these institutions, and they’re of
course constantly probing to see who’s vulnerable.”

To avoid scenarios in which hackers exploit customer information for
financial gain or other purposes, Gandhi and other researchers
recommend that companies abandon their reliance on passwords and
credentials and incorporate a defense-in-depth posture, validating
customers and transactions with cryptographic certainty that’s tightly
integrated with other authentication factors.

“To secure transactions, institutions need to move to something that a
user isn’t required to know, manufacture or receive, and then have to
manually enter,” Gandhi said. “Such a move eliminates the ability for
the data to be guessed, leaked, phished, socially engineered,
mimicked, or captured on the device or over the network.”
