Anatomy of a hacking

How, exactly, does a hacker break into a bank account? There are a number of ways, but veteran investigators point to some familiar methods.

Cracking the nest egg

By Sandeep Junnarkar
Staff Writer, CNET News.com
May 1, 2002, 4:00 AM PT

Even if you have never banked online, your money may never be completely safe from an electronic heist.

Nearly every bank in the United States runs its operations on an internal network that connects to the Internet at some point. Although the banking industry claims that its security is virtually foolproof, others say that any technology can be penetrated under the right circumstances.

Electronic break-ins are often carried out with the help of factors that have nothing to do with technological wizardry, such as an inside source, simple carelessness, or an intruder's persistence in trying different passwords and account numbers.

"I don't know how high-tech the hacking is," said Hale Guyer, a special investigator and member of the Illinois attorney general's Task Force on the Investigation of Internet Crime and Child Exploitation. "Someone who knows a system could hack it by sneaking in a back door."

Given the conflicting opinions and dearth of public information on specific incidents, it is impossible to assess with any certainty how safe one's bank accounts are online. But one way for people to judge their accounts' security is to examine how a typical break-in might be carried out.

In interviews with federal regulators, security experts and hackers, some common patterns emerge. Following are the basic steps a computer criminal is likely to take to get his hands on your money.

Casing the target
The easiest way to siphon cash from a bank is not to target the bank itself but to crack into one of the many companies hired by financial institutions to process bill payments and transactions. In many cases, a bank will allow these companies to run its entire network.

"In the period of 1998 to 2000, we estimated that 50 percent of non-bank online banking services had existing vulnerabilities," said James Molini, chief executive of security firm Brink's Internet Security and a former executive for data security at First USA Bank. "The numbers have not diminished significantly since that time."

If the intruder settles on outsourcing companies, the next step would be to study how the companies process payments and move money. "You would troll around for a while looking for sites with poor security," Molini said. "When you find out who has got exposures on how they process payments, you go after them."

Others said they would focus on small regional banks, many of which have rushed online to keep up with larger competitors. In their haste, these banks may have opened gaping holes when altering off-the-shelf security and transaction software to meet their specific needs.

Bank mergers also create opportunities for computer criminals. Although the pace of mega-mergers in the banking industry has slowed since the J.P. Morgan and Chase Manhattan union in 2000, smaller banks continue to join forces, hoping to remain relevant at a regional level.

"Mergers present unique problems to financial institutions, especially in technologies," said Mark Rasch, the former head of the U.S. Justice Department's computer crimes unit. "You have to attempt to fuse diverse technologies from databases of customers to transaction systems. When you are going through rapid change, you don't have time to go through every line of code to determine whether it presents a vulnerability."

In a problem seen often in mergers, a search feature on one company's site may index, and expose to the public, a link to a restricted internal resource belonging to its partner, effectively leaving an unguarded back door into that area.

"It is just as likely to involve obscure network structure issues that don't get noticed until a hacker realizes he has trusted access to an internal system," said Adrian Lamo, a self-described "ethical hacker." While working within a company's intranet, he said, "employees don't tend to notice if a change to firewall rules suddenly allows access to a resource from the outside world."

The upheaval during mergers can also create irresistible temptations for disgruntled employees who might have considered breaking into accounts or other malicious activity, especially if they are uncertain about retaining their positions after the corporate combination is complete.

"It is a dangerous time because you don't even know who is watching the store," Rasch said.

Befriending the insider
Teaming up with an insider or planting someone within the organization is often a necessary step. A recent U.S. Treasury Department analysis noted that more than 60 percent of reported computer intrusions involved an insider.

"Transaction systems are so isolated that it is even hard for people whose job it is to legitimately move money to move it--and that makes it nearly impossible for outsiders to do it," said Kawika Daguio, an officer with the Financial Information Protection Association, a security think tank. "Insiders are the only ones who can make money go where it's not supposed to go."

One kind of insider is a person who may have stumbled upon a glitch unknown to system administrators. Another type gets a job at the financial company specifically with criminal intent.

Those who work in the customer service department may try to steal entire consumer information databases, while others join technology staff to find weaknesses in the network and software.

From this vantage point, doors open more smoothly and with less notice. Guyer notes that when law enforcement officials investigate computer crimes, they invariably find passwords written on paper somewhere within five feet of an administrator's terminal. One former executive at a small bank said that passwords to the network are even left on Post-it notes stuck to people's monitors.

This happens because high-security systems typically assign randomly generated passwords that are difficult to memorize. And most administrators are inundated with passwords: one for each of the many databases and networks, plus more for clearance into each successive level of restricted access.

The break-in
One strategy is to attack the bank's public-facing servers directly, exploiting bugs in notoriously glitch-prone Web server software to gain control of the machines running the bank's online operations.

"Most banks run Unix Web servers or Microsoft IIS (Internet Information Server), and both are prone to remote attacks that can allow a hacker to take control of the server itself," said David Ahmad, the moderator of the Bugtraq mailing list, one of the leading e-mail lists dedicated to reports of software vulnerabilities.

Companies, including financial institutions, subscribe to the list. In April, Microsoft issued a security patch to plug 10 new holes that could allow hackers to take full control of computers running the company's IIS software.

In seizing control of a server, security experts say, a hacker can also modify any trusted applications to perform malicious operations. An attack that manipulates such internal applications is more likely to escape notice by the network's electronic guards.

"Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack," Ahmad said. "Attacks against a server might be detected, but a complex application-based attack might look like normal behavior."

Financial institutions do make it difficult for employees to move money, but their systems must be flexible enough to work with customers, who are not subject to the same level of scrutiny. This could allow an insider to forge a customer transaction, together with its authorization, and shepherd the money right out of the system.

"Those kinds of things work--and work fairly quickly," Molini said. "If they are able to do this effectively, they can do it to many institutions both inside and outside the U.S."

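As an added example, not from the article and not any institution's actual code, here is a simplified model of the weakness just described beside a hardened form. The account numbers, user IDs, per-customer key and amounts are constructed. The hardened version assumes that the key used to authorize a customer's debits lives only in the customer-facing channel, so back-office staff cannot mint a valid authorization token, and that a staff-entered debit additionally needs a second, different approver.

```python
"""Added example (not from the CNET article): an insider forging a
"customer-authorized" transfer against a weak design, and the same attempt
against a hardened one. All identifiers and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str           # debited account
    dst: str           # credited account
    amount_cents: int
    submitted_by: str  # user id of whoever entered the transfer
    role: str          # "customer" or "staff"


def weak_authorize(t, customer_authorized):
    """Weak design: a staff submission is accepted whenever the staff member
    asserts that the customer approved it. Nothing ties that assertion to the
    customer, so an insider can fabricate the transaction and its approval."""
    if t.role == "customer":
        return True
    return bool(customer_authorized)


def mint_customer_token(t, customer_key):
    """Token the customer's own authenticated channel attaches to a transfer.
    Assumption: customer_key is held only by that channel's service, never by
    the back-office tools staff use. (Binds only src/dst/amount; a production
    version would also bind a nonce or timestamp to block replay.)"""
    msg = f"{t.src}|{t.dst}|{t.amount_cents}".encode()
    return hmac.new(customer_key, msg, hashlib.sha256).hexdigest()


def hardened_authorize(t, token, customer_keys, approver=None):
    """Hardened design: any debit from a customer account needs a token that
    verifies under that customer's key, whoever submitted it; a staff
    submission additionally needs an approver who is not the submitter."""
    key = customer_keys.get(t.src)
    if key is None or token is None:
        return False
    if not hmac.compare_digest(mint_customer_token(t, key), token):
        return False
    if t.role == "staff":
        return approver is not None and approver != t.submitted_by
    return True


def demo():
    """Constructed scenario: an insider (emp4471) tries to move $9,500 out of a
    customer's account through the staff path. Returns what each design does."""
    customer_keys = {"100200300": b"per-customer-secret-held-only-by-online-channel"}
    insider = Transfer("100200300", "555000111", 950_000, submitted_by="emp4471", role="staff")

    # Weak: the insider simply ticks the "customer authorized" box.
    weak_result = weak_authorize(insider, customer_authorized=True)

    # Hardened: with no customer key, the insider can only guess a token...
    forged = hashlib.sha256(b"anything").hexdigest()
    hardened_forged = hardened_authorize(insider, forged, customer_keys, approver="emp9002")

    # ...and even a genuine token fails if the insider approves his own entry.
    real_token = mint_customer_token(insider, customer_keys["100200300"])
    hardened_self = hardened_authorize(insider, real_token, customer_keys, approver="emp4471")

    # The legitimate customer path still works.
    legit = Transfer("100200300", "555000111", 950_000, submitted_by="cust100200300", role="customer")
    legit_ok = hardened_authorize(legit, mint_customer_token(legit, customer_keys["100200300"]), customer_keys)

    return {
        "weak_insider": weak_result,
        "hardened_forged": hardened_forged,
        "hardened_self_approved": hardened_self,
        "customer_path": legit_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The difference that matters is where the authorization comes from: in the weak design it is a flag an employee sets, in the hardened one it is evidence only the customer's channel can produce, checked with a constant-time comparison, with a two-person rule on top for anything staff enter. Neither stops an insider who also compromises the customer-facing service, which is why the article's investigators treat a well-placed insider as the hardest case.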
The getaway
Security experts say that a theft of $5,000 to $10,000 can be carried out over a few weeks. Higher amounts of up to $1 million are likely to take four to six months.

How often such thefts are successful remains unclear. The financial industry generally claims that insiders are hunted down and prosecuted, but records of such incidents are often kept out of the public eye to avoid tarnishing the image of banks that have been robbed.

As special investigator Guyer put it, "The odds are that smaller banks aren't going to want the notoriety that something went wrong."

Secret's out for hacks
The new millennium saw the Bank Secrecy Act of 1970 pushed into the electronic age.

The act requires banks and other financial institutions to file reports of certain types of suspected criminal activity to the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN). The reports are used to help law enforcement with investigations of tax evasion and money laundering by organized crime.

With the increasing incidents of electronic attacks reported by financial companies, the Treasury Department added computer intrusion as a new category of suspicious activity in mid-2000.

Banks must now fill out Suspicious Activity Reports, commonly known as SARs, if they suspect someone has gained access to their computer network to steal funds or customer information, or to disable the institution's computer network.

Although finding a bank Web site defaced by a hacker may shake customer confidence in the institution's security, banks do not have to report such incidents, because no funds or sensitive information is stolen.

Critics say that SARs are the wrong vehicle to keep tabs on computer intrusions, noting that banks are only required to file a report when a suspicious activity amounts to $5,000 or more. Banks may file at lower amounts, but they rarely do.

The Treasury recently released a summary of computer intrusions for the first year these types of incidents were tracked, from June 1, 2000, to May 31, 2001. Financial institutions in 34 states and Puerto Rico filed 83 SARs that met the Treasury's criteria for computer intrusion.

• 50 described an intrusion in which a bank employee was involved in breaching internal controls to embezzle or defraud the bank.

• 2 described an attempted hack using a worm or virus.

• 2 described attempts to get into critical information systems that were foiled by banks' intrusion-detection systems.

• 1 described how someone created a Web site mimicking that of a credit union, deceiving members and obtaining their sign-on and password information. The perpetrator then gained access to their real accounts.

• 1 described a situation in which someone overrode Web protocols and created a near-duplicate bank site, also capturing critical information from customers.

• 4 described a bill-paying service whose customer information was breached by an insider who stole valid ID and PIN numbers, and then initiated transfers from their accounts.

• An unidentified number described unsuccessful attempts to break into the banks' systems, mostly by sending bulk e-mail to overwhelm them.