The number of ways to rob a bank is apparently limited only by the imagination of hackers, which is to say, nearly infinite.
Wired reported last week on the comprehensive takeover of an anonymous Brazilian bank last October that exploited a new vulnerability: the Domain Name System (DNS). The information came via security firm Kaspersky, which described how cyber thieves “changed the DNS registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites.”
The most devious part of hijacking the bank’s DNS is that the switch to the imposter URLs was undetectable by users. As the article describes, “those sites even had valid HTTPS certificates issued in the name of the bank, so that visitors’ browsers would show a green lock and the bank’s name, just as they would with the real sites.”
The hijack lasted for at least five hours, allowing the cyber criminals to steal not just banking logins, but also install a Trojan horse that gathered email and FTP credentials as well as contact lists from Outlook and Exchange. Kaspersky said it was hard to even quantify the extent of the theft. From the article:
“But the firm says it’s possible that the attackers could have harvested hundreds of thousands or millions of customers’ account details not only from their phishing scheme and malware but also from redirecting ATM and point-of-sale transactions to infrastructure they controlled. We really don’t know what was the biggest harm: malware, phishing, point-of-sale, or ATMs,’ Bestuzhev says.”
Perhaps the most disturbing part for banks is that the thieves came in through trusted third-party vendors — those who ran the DNS system. And, according to the article, the unnamed bank is far from alone in this vulnerability, since half of the top 20 banks ranked by total assets don’t manage their own DNS.
The insecurity of third-party vendors is a weak point throughout the financial sector, and one that regulators have been warning about for years. The CFPB issued guidance on the subject as early as 2012, followed by three enforcement actions to drive home its point. In 2013 the Office of the Comptroller of the Currency issued new requirements for banks in managing third-party risk, and new regulations on cybersecurity issued by the New York Department of Financial Services went into effect on March 1 of this year.
It isn't as if financial institutions are ignorant of the risks posed by third-party vendors, but enforcing those standards is still no easy task. Considering the multitude of vendors that each bank might have, especially legacy vendors from years ago, the first hurdle is just identifying all of their vendor companies, as well as who is in charge of cybersecurity at each.
As late as 2015, one out of three banks didn't even require vendors to report that they had experienced a data breach. That's a far cry from the requirements that NYDFS laid out, which are certain to be adopted by other regulatory bodies as well.
But there is hope. The Wired article offers this advice to counter a DNS hack: "And regardless of who controls a bank’s DNS, they can take special precautions to prevent their DNS registrations from being changed without safety checks, like a 'registry lock' some registrars provide and two-factor authentication that makes it far harder for hackers to alter them."