Cybercriminals Target Our Fragmented Payments Infrastructure
In the past week, news of the massive cybercrime ring uncovered by Kaspersky targeting multiple banks in multiple countries has been all over the press. Labelled “Carbanak,” this episode evidently hit approximately 100 banks, mainly located in Russia, Germany, China, Ukraine, and the US. After a few days of letting the news sink in, and as we consider the lessons this incident may provide financial services organizations, a few key items emerge that are worth commenting on.
- Sophistication: This attack is sophisticated not so much in how it infected the banks’ own internal systems (apparently plain-vanilla emails that were highly targeted) but rather in how it successfully mimicked real bank employees with specific responsibilities in payment processing, ATM cash dispensing, electronic payment flow, and money transfer systems. Think about that for a moment. Your own employees are basically being shadowed and their behavior is being observed, all with the goal of trying to mimic their normal pattern of behavior.
- Speed: I don’t think this was an inside job, but I do think it was perpetrated by people with detailed knowledge of how payment processing and money transfer systems work. The reason I believe this is that banks’ internal systems are not simple and easy to use in most cases. Legacy software products, odd customized integrations, and unfamiliar (read: old) user interfaces characterize such environments. Based on their focused attempts to take over machines with certain financial processing software on it, one has to assume that the cyberthieves were fairly proficient with banking systems and processes. And if, as the report indicated, the entire infection and theft processes really only took the approximately two to four months that the researchers claim, this was relatively quick for such a sophisticated attack.
- Fragmentation Helps the Bad Guys – and Will Continue to Do So: A fragmented payments landscape that includes such a wide variety of players (think issuers, merchants, banks, payment processors, money transfer systems, mobile wallet providers, telcos, and others) is by its very nature vulnerable to these sorts of attacks and will remain so for the foreseeable future. The reason for this is simply the broad and varied surface area of the payments ecosystem. Therefore, the most important thing the banks can do is to assess and prioritize their risks and then mitigate them accordingly, knowing full well that it is not possible to eliminate all risks. Moreover, they need to take a broader view of supply chain risk, partner risk, and the like.
- Back-office & Front-office Coordination: The apparently coordinated back-office and front-office tactics appear to be quite unique, especially the real-time manipulation of ATM cash withdrawal amounts and by extension, the use of money mules. It is not uncommon for adversaries to attack internal systems. It is also not uncommon for them to attack end-users. But to attack both and to perpetrate the attack in a combined manner is a rarity. In some ways, the only incident which this one is reminiscent of is the 2012-2013 ATM theft across 20 countries in which thieves stole approximately $45 million.
For a long time now, financial institutions have been encouraged to address fraud in ways that both break down silos and that factor in social engineering, still all the while addressing a holistic view of risk regarding their overall institutional profile. This particular cybergang proved both knowledgeable and patient and demonstrated that they have deep familiarity with the inner workings of the payments industry, its programs and processes, and even its people. While this current rash of raids appears to follow a formula that seems to be common in the breach world, the massive undertaking and the global scale of the attacks make this Carbanak incident the great bank robbery that just might force banks to take a broader view of risk across our payments landscape rather than within their own four walls.