Anatomy of a hacking
By Sandeep Junnarkar
Staff Writer, CNET News.com
May 1, 2002, 4:00 AM PT
Nearly every bank in the United States runs its operations on an internal network that connects to the Internet at some point. Although the banking industry claims that its security is virtually foolproof, others say that any technology can be penetrated under the right circumstances.
Electronic break-ins are often carried out with the help of factors that have nothing to do with technological wizardry, such as an inside source, simple carelessness, or an intruder's persistence in trying different passwords and account numbers.
Given the conflicting opinions and dearth of public information on specific incidents, it is impossible to assess with any certainty how safe one's bank accounts are online. But one way for people to judge their accounts' security is to examine how a typical break-in might be carried out.
In interviews with federal regulators, security experts and hackers, some common patterns emerge. Following are the basic steps a computer criminal is likely to take to get his hands on your money.
Casing the target
"In the period of 1998 to 2000, we estimated that 50 percent of non-bank online banking services had existing vulnerabilities," said James Molini, chief executive of security firm Brink's Internet Security and a former executive for data security at First USA Bank. "The numbers have not diminished significantly since that time."
If the intruder settles on outsourcing companies, the next step would be to study how the companies process payments and move money. "You would troll around for a while looking for sites with poor security," Molini said. "When you find out who has got exposures on how they process payments, you go after them."
Others said they would focus on small regional banks, many of which have rushed online to keep up with larger competitors. In their haste, these banks may have opened gaping holes when altering off-the-shelf security and transaction software to meet their specific needs.
Bank mergers also create opportunities for computer criminals. Although the pace of mega-mergers in the banking industry has slowed since the J.P. Morgan and Chase Manhattan union in 2000, smaller banks continue to join forces, hoping to remain relevant at a regional level.
"Mergers present unique problems to financial institutions, especially in technologies," said Mark Rasch, the former head of the U.S. Justice Department's computer crimes unit. "You have to attempt to fuse diverse technologies from databases of customers to transaction systems. When you are going through rapid change, you don't have time to go through every line of code to determine whether it presents a vulnerability."
In a problem seen often in mergers, an internal search feature in one company's database may publicly index a critical, private link belonging to its partner, basically leaving an unguarded back door to a restricted area.
"It is just as likely to involve obscure network structure issues that don't get noticed until a hacker realizes he has trusted access to an internal system," said Adrian Lamo, a self-described "ethical hacker." While working within a company's intranet, he said, "employees don't tend to notice if a change to firewall rules suddenly allows access to a resource from the outside world."
The upheaval during mergers can also create irresistible temptations for disgruntled employees who might have considered breaking into accounts or other malicious activity, especially if they are uncertain about retaining their positions after the corporate combination is complete.
"It is a dangerous time because you don't even know who is watching the store," Rasch said.
Befriending the insider
"Transaction systems are so isolated that it is even hard for people whose job it is to legitimately move money to move it--and that makes it nearly impossible for outsiders to do it," said Kawika Daguio, an officer with the Financial Information Protection Association, a security think tank. "Insiders are the only ones who can make money go where it's not supposed to go."
One kind of insider is a person who may have stumbled upon a glitch unknown to system administrators. Another type gets a job at the financial company specifically with criminal intent.
Those who work in the customer service department may try to steal entire consumer information databases, while others join technology staff to find weaknesses in the network and software.
From this vantage point, doors will open more smoothly and with less notice. Guyer notes that when law enforcement officials investigate computer crimes, they invariably find passwords somewhere on paper within five feet of an administrator's terminal. One former executive at a small bank said that passwords to the network are even left on Post-it notes stuck on people's monitors.
This happens because systems that require high security randomly generate passwords that are difficult to memorize. And most administrators are inundated with numerous passwords--one for each of the many databases and networks, as well as for clearance into increasing levels of restricted areas.
"Most banks run Unix Web servers or Microsoft IIS (Internet Information Server), and both are prone to remote attacks that can allow a hacker to take control of the server itself," said David Ahmad, the moderator of the Bugtraq mailing list, one of the leading e-mail lists dedicated to reports of software vulnerabilities.
Companies, including financial institutions, subscribe to the list. In April, Microsoft released a security patch to plug 10 new holes that could allow hackers to take full control of computers running the company's IIS program.
In seizing control of a server, security experts say, a hacker can also modify any trusted applications to perform malicious operations. An attack that manipulates such internal applications is more likely to escape notice by the network's electronic guards.
"Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack," Ahmad said. "Attacks against a server might be detected, but a complex application-based attack might look like normal behavior."
Financial institutions do make it difficult for employees to move money, but their systems must be flexible enough to work with customers who are not subject to the same level of scrutiny. This could allow an insider to create a fake customer transaction and authorization to shepherd the money right out of a system.
"Those kinds of things work--and work fairly quickly," Molini said. "If they are able to do this effectively, they can do it to many institutions both inside and outside the U.S."
How often such thefts are successful remains unclear. The financial industry generally claims that insiders are hunted down and prosecuted, but records of such incidents are often kept out of the public eye to avoid tarnishing the image of banks that have been robbed.
As special investigator Guyer put it, "The odds are that smaller banks aren't going to want the notoriety that something went wrong."