- Details
- Category: Security News

The February Bangladesh Bank hack wasn't the first time that the SWIFT messaging platform used by banks around the world was subverted by attackers in an attempt to steal money, SWIFT now acknowledges (see Bangladesh Bank Attackers Hacked SWIFT Software).
The Society for Worldwide Interbank Financial Telecommunication is a Belgium-based cooperative of 3,000 organizations that maintains the SWIFT messaging platform, which it says handles the majority of international interbank messages. Those messages are used to send and receive information about financial transactions, for example, to move money between banks both domestically and internationally, in many countries.
SWIFT says it's issued an alert to customers warning that it's seen repeat attempts by attackers to subvert its messaging system. It has released a "mandatory" software update to all customers to help identify related signs of attack or evidence of a breach.
"We have informed our customers that there are other instances in which customers' internal vulnerabilities have been exploited, in order to stress the importance and urgency of customers' securing their systems," a SWIFT spokesman tells Information Security Media Group. The mandatory software update is designed to help customers "identify situations in which attackers have attempted to hide their traces, whether these actions have been executed manually or through malware," he adds.
The alert and software update follow SWIFT confirming April 25 that the central bank of Bangladesh was attacked in February with malware. Investigators say that attackers attempted to transfer nearly $1 billion out of Bangladesh Bank's account at the U.S. Federal Reserve in New York and ultimately were able to move and steal $81 million. Investigators believe just $6.9 million might still be recoverable.
Bangladesh Bank has not responded to multiple requests for comment.
Multiple 'Recent Cyber Incidents'
But the attack against the bank is not an isolated incident, according to SWIFT's April 25 customer alert. "SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network," the alert reads, according to Reuters.
SWIFT declined to share a copy of the alert with ISMG or offer more details about which organizations were hacked, and when. "We cannot comment on the details of any particular customer or incident, but confirm that the commonality in what we have seen is that - internal or external - attackers have successfully compromised banks' own environments and thereby obtained valid operator credentials with the authority to create, approve and submit messages from those entities' interfaces," the spokesman says.
The organization also declined to comment about whether the custom malware or other attack tools - most of which have yet to come to light - may have been used in the previous incidents. On April 25, cybersecurity consultancy BAE Systems Applied Intelligence published research into custom-built malware that it discovered, which it says was used to target Bangladesh Bank's SWIFT software.
SWIFT has reiterated that the malware attack against Bangladesh Bank succeeded because the bank apparently failed to properly lock down its IT environment, thus allowing attackers to install and execute their malware (see Bangladesh Bank Heist: Lessons Learned). As a result, it stresses that the best defense against SWIFT-targeting malware remains a locked-down IT infrastructure. It also reiterated that "the SWIFT network and core messaging services are not affected and continue to operate as normal."
SWIFT-Targeting Malware Hides Its Tracks
The malware used in the Bangladesh Bank hack was cunning, in that it allowed attackers to steal money by surreptitiously altering the Oracle database used by SWIFT's software, and then send the appropriate SWIFT messages to other institutions to facilitate money transfers, according to BAE Systems. The malware also ensured that related messages that would normally have been sent to a printer at the initiating bank to create a paper trail were suppressed to help hide attackers' tracks.
"The malware is designed to hide the traces of fraudulent payments from customers' local database applications and can only be installed on users' local systems by attackers that have successfully identified and exploited weaknesses in their local security," the SWIFT spokesman says.
Guidance: Isolate Internal SWIFT Systems
Many financial services firms could be doing more to lock down any systems that they use to handle SWIFT messages, including using dedicated PCs - not used for anything else - and isolating them on the network, says Sean Sullivan, an adviser at Helsinki-based security firm F-Secure.
Every such system could be further locked down so that no unapproved software installations or modifications would be permitted. "It's long been possible to set up critical computers with hardware to lock down the software," Sullivan says. "It's possible to set up and configure a computer to handle SWIFT payments which would not allow for software/malware to be installed - without, for example, [using] a physical dongle."
Of course, security experts have long advised banks to lock down their IT environments. "This is not new advice - SWIFT and others have been giving this advice for years," says independent information assurance consultant William Murray, who's also an associate professor at the U.S. Naval Postgraduate School.
Because of the potential power that SWIFT offers to attackers - if successful, they can easily move money from a victim account into one that they control, even across borders - it's a natural target. "Given the number of SWIFT customer banks in the world, a compromise should not come as a complete surprise," Murray says.
Ongoing Risk
In the Bangladesh Bank hack, Sullivan notes that the malware was only part of what looks to have been a very well-planned crime, which investigators say involved moving the money into accounts at Rizal Commercial Banking Corp. in the Philippines, changing millions of dollars into pesos, and then laundering it via the country's casinos by exchanging cash for casino tokens, and then converting them back into cash. Investigators in the Philippines have focused their probe, in part, on Maia Deguito, the manager of the RCBC branch into which the money was deposited, although two Chinese casino operators have also been questioned, Reuters reports.
"The entire heist involved some creative thinking," Sullivan says. "Transferring funds to a casino and cashing out in chips was a brilliant move. Once somebody figured out that component, it's not a surprise that they would invest in developing the malware required."
In other words, malware is only one of the risks facing SWIFT-using financial services firms, Murray says. "The fundamental vulnerability is that some banks do business with customers that they do not know and from whom they cannot recover," he says. "Or they are engaged in a criminal conspiracy with their customers."
- Details
- Category: Security News

A report that the $81 million Bangladesh Bank heist was linked to a customized malware attack that compromised SWIFT software used to transfer funds has raised questions about the security of those transactions (see Bangladesh Bank Attackers Hacked SWIFT Software). But the more critical issue, fraud experts say, is the need for banks to have proper security controls in place to detect and prevent network intrusions.
SWIFT is a Belgium-based cooperative of 3,000 organizations that maintains a messaging platform used by banks, mostly in Europe, to transfer money across borders, often in real time.
"It was the bank's systems or controls that were compromised, not the software," says William Murray, an independent payments security consultant. "The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem."
The attack waged against Bangladesh Bank, the nation's central bank, in February was similar to account takeover attacks waged against commercial customers, Murray contends. "This is an account takeover attack, similar to those that the industry has been dealing with for years," he says. "However, it is the account of the bank with SWIFT, rather than that of the bank's customer, that is being taken over. ... Banks should be using the very same controls over their own systems that they expect of their own customers. Good security is good security."
Banks should conduct SWIFT transactions only on computers that are isolated from other devices on their networks, says Sean Sullivan, an adviser at the security firm F-Secure. "It should be a dedicated computer for its single task," Sullivan says. That's the same advice banks have for years been giving to their commercial customers who schedule wire transfers and ACH payments online.
"The malware was able to be installed on the SWIFT software computer because the attacker was in Bangladesh Bank's network with access - presumably with enough access to override any locally installed security software if there was any," Sullivan adds.
Shirley Inscoe, an analyst at consultancy Aite, says the breach likely involved an insider connection. "While hackers can successfully access many systems without insider assistance, almost certainly insider knowledge of how the system operates was used to overcome the fraud detection controls," she says. "This knowledge could easily have come from a current employee at SWIFT or Bangladesh Bank."
Malware Methods
The malware used to compromise a computer used for SWIFT transactions was designed to hide traces of fraudulent payments from the bank's local database collections, according to technology consultancy BAE Systems Applied Intelligence.
What's more, once money is transferred via SWIFT, it's typically not reversible, which makes this attack even more clever, Murray says.
"Keep in mind that SWIFT is a messaging system that banks use to communicate with correspondent banks," he says. "Multiple banks and transfers may be involved in completing a transaction, all taking place within seconds. And because multiple banks and accounts may be involved, by default, the transfers are not reversible when disputed."
This kind of "straight-through" payment process gives fraudsters an advantage, says Tom Kellermann, CEO of security firm Strategic Cyber Venture. Banks should be bracing for more of these types of attacks, especially as the U.S. moves toward faster, real-time payments, he advises.
"Straight-through processing empowers the cybercrime community. SWIFT has been over-reliant on PKI [public key infrastructure] to protect the payment system for years. Private keys are being compromised as credential theft explodes."
SWIFT Taking Action
In a statement provided to Information Security Media Group, SWIFT notes that it is aware of the risks and is taking steps to help banks shore up security.
"We understand that the malware is designed to hide the traces of fraudulent payments from customers' local database applications and can only be installed on users' local systems by attackers that have successfully identified and exploited weaknesses in their local security," the statement says. "We have developed a facility to assist customers in enhancing their security and to spot inconsistencies in their local database records.
"However, the key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems - in particular those used to access SWIFT - against such potential security threats. Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems."
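The BAE Systems findings quoted above (the malware altered the bank's local database records and suppressed the printed confirmations) and SWIFT's statement that it has built a facility to "spot inconsistencies in their local database records" both point to the same defensive control: reconcile what the messaging interface actually transmitted against what the local records say. The following is an added example, not SWIFT's, BAE's or any bank's code. It assumes three hypothetical record sources exported to the same shape (a transaction reference, an amount and a beneficiary) and uses constructed sample data; the field names and the sample references are invented for illustration.

```python
"""Three-way reconciliation of outgoing payment messages.

Added example (not SWIFT's or BAE's code). Record shapes and sample data
are constructed for illustration; a real deployment would feed exports
from the network-side acknowledgement log, the local message database
and the confirmation-printer spool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    ref: str          # transaction reference (hypothetical field name)
    amount: int       # amount in minor units, e.g. cents
    beneficiary: str  # beneficiary account identifier (constructed)


def _index(records):
    return {m.ref: m for m in records}


def reconcile(transmitted, local_db, printed):
    """Return sorted (ref, finding) pairs describing every inconsistency.

    transmitted: messages the interface actually sent, taken from a log
                 the attacker could not edit (e.g. network acknowledgements)
    local_db:    what the bank's local message database shows
    printed:     what reached the paper confirmation trail
    """
    findings = []
    db, pr, sent = _index(local_db), _index(printed), _index(transmitted)

    for m in transmitted:
        d = db.get(m.ref)
        if d is None:
            findings.append((m.ref, "sent but absent from local database"))
        elif (d.amount, d.beneficiary) != (m.amount, m.beneficiary):
            findings.append((m.ref, "local database record differs from sent message"))
        if m.ref not in pr:
            findings.append((m.ref, "sent but no printed confirmation"))

    # A record that exists locally but was never transmitted is also suspect:
    # it may be a decoy entered to make the ledger balance.
    for d in local_db:
        if d.ref not in sent:
            findings.append((d.ref, "in local database but never sent"))

    return sorted(findings)


# Constructed sample data: TX1 is a normal payment; TX2 was sent for a large
# amount to an unexpected beneficiary while the local record was rewritten to
# look small and routine and its confirmation never printed; TX3 was sent and
# then wiped from both local records.
TRANSMITTED = [
    Msg("TX1", 125_000_00, "BENEF-A"),
    Msg("TX2", 950_000_00, "BENEF-X"),
    Msg("TX3", 800_000_00, "BENEF-Y"),
]
LOCAL_DB = [
    Msg("TX1", 125_000_00, "BENEF-A"),
    Msg("TX2", 9_500_00, "BENEF-A"),
]
PRINTED = [
    Msg("TX1", 125_000_00, "BENEF-A"),
]


def demo_findings():
    """Run the reconciliation over the constructed sample."""
    return reconcile(TRANSMITTED, LOCAL_DB, PRINTED)


if __name__ == "__main__":
    for ref, finding in demo_findings():
        print(f"{ref}: {finding}")
```

The point of the design is that the transmitted set comes from a source the attacker did not control; reconciling the local database against the printer alone would miss TX3, because the malware removed it from both.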
Executive Editor Mathew Schwartz also contributed to this story.
- Details
- Category: Security News

A Georgia couple and a neighbor have pleaded guilty to a scheme involving illicitly obtaining taxpayer names and Social Security numbers to access the IRS' Get Transcript database, which helped them to file false tax returns to obtain refunds deposited to prepaid debit cards.
Get Transcript, launched in January 2014, allows taxpayers to view and download their tax transcripts or have them mailed to their addresses. Since revealing last May a breach of the service that affected as many as 724,000 taxpayers, the IRS has suspended Get Transcript's online viewing and downloading features, although the information can still be obtained through an email request (see IRS Doubles Number of Get Transcript Victims).
In its announcement of the guilty pleas, the Justice Department did not say whether the defendants who pleaded guilty masterminded the Get Transcript breach scheme or were lower-level operatives.
Defendants Face Prison Terms
Anthony Alika of Austell, Ga., 42, on April 22 pleaded guilty to one count of conspiracy to commit money laundering, according to the Justice Department. His wife, Sonia Alika, 27, pleaded guilty to one count of illegally structuring cash withdrawals to evade bank reporting requirements. Sentencing for the couple is set for July 27. He could be sentenced up to 20 years in prison; she, 10 years. A third defendant, Rapheal Atebefia, 33, also of the Atlanta suburb of Austell, pleaded guilty last month to one count of money laundering. He is scheduled to be sentenced on that charge on June 22. All the defendants also face substantial monetary penalties, restitution and forfeitures.
Authorities charged the defendants with laundering the proceeds from a stolen identity refund fraud scheme. The indictment alleges that Anthony Alika and Atebefia obtained names and Social Security numbers of taxpayers from unknown sources and used this information to access the IRS Get Transcript database.
Stemming the Tide to Protect PII
"Criminals continually discover more sophisticated methods of stealing personal information and unfortunately seek to capitalize on this theft by filing phony tax returns demanding excessive refunds," John Horn, U.S. attorney for the Northern District of Georgia, said in announcing the guilty pleas. "Because this is a growing problem, we are applying additional resources to help stem the tide and protect both our personal information and precious tax dollars."
In an attempt to disguise the filing of the false tax returns, the defendants and others used websites referred to as anonymizers, which act as an intermediary and privacy shield between the computers used by the defendants and others and the rest of the internet, the indictment says.
Authorities say Anthony Alika, Atebefia and others obtained prepaid debit cards from stores located in several states, registered the cards in the names of the stolen identities, filed false income tax returns using the stolen identities and information obtained from the Get Transcript database, and directed the IRS to deposit the tax refunds onto these cards. To conceal their fraud, the defendants and possible accomplices used the prepaid debit cards to purchase money orders, which the Alikas and Atebefia deposited into bank accounts at Wells Fargo and Bank of America, and then structured cash withdrawals of the proceeds to prevent the banks from filing currency transaction reports.
Keeping Transactions to Less Than $10,000
As part of his guilty plea, Anthony Alika admitted that during 2015 he received money orders from several individuals and deposited those orders, ranging from $250 to $9,000, into bank accounts in his name or had his wife deposit them into bank accounts in her name. Withdrawals were limited in size to evade requirements for banks to report transactions valued at $10,000 or more. Justice Department attorneys say the funds used to purchase the money orders were the proceeds of illegal activity, including the filing of fraudulent tax returns using stolen identities.
Sonia Alika admitted as part of her guilty plea that between February and June 2015, she withdrew more than $250,000 from multiple bank accounts she controlled in amounts less than $10,000.
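The structuring described in the two preceding paragraphs, many deposits and withdrawals each kept under the $10,000 currency transaction report threshold, is exactly the pattern a bank's monitoring should catch. The following is an added example, not the Justice Department's, the banks' or any vendor's code: a simple rolling-window detector run over constructed withdrawal records. The seven-day window, the record fields and the account names are assumptions made for illustration; only the $10,000 threshold comes from the article.

```python
"""Rolling-window detector for cash-withdrawal structuring.

Added example with constructed data. Flags an account when two or more
withdrawals, each individually below the CTR threshold, add up to at least
the threshold inside a short window. Window length is a hypothetical choice.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple

CTR_THRESHOLD = 10_000   # U.S. currency transaction report threshold (from the text)
WINDOW_DAYS = 7          # hypothetical look-back window for this example


class Withdrawal(NamedTuple):
    account: str
    day: date
    amount: int          # whole dollars


class Alert(NamedTuple):
    account: str
    window_start: date
    total: int
    count: int


def detect_structuring(withdrawals, threshold=CTR_THRESHOLD, window_days=WINDOW_DAYS):
    """Return {account: [Alert, ...]} for every window that trips the rule."""
    by_account = defaultdict(list)
    for w in withdrawals:
        # Amounts at or above the threshold trigger a CTR on their own, so
        # only sub-threshold activity is relevant to structuring.
        if w.amount < threshold:
            by_account[w.account].append(w)

    alerts = {}
    for account, items in by_account.items():
        items.sort(key=lambda w: w.day)
        hits = []
        for i, start in enumerate(items):
            end = start.day + timedelta(days=window_days)
            in_window = [w for w in items[i:] if w.day < end]
            total = sum(w.amount for w in in_window)
            if len(in_window) >= 2 and total >= threshold:
                hits.append(Alert(account, start.day, total, len(in_window)))
        if hits:
            alerts[account] = hits
    return alerts


# Constructed sample: A-1 splits roughly $26,000 into three sub-threshold
# withdrawals in four days; B-2 makes one reportable withdrawal plus a small
# one; C-3 makes two small withdrawals weeks apart.
SAMPLE = [
    Withdrawal("A-1", date(2015, 3, 2), 9_000),
    Withdrawal("A-1", date(2015, 3, 3), 9_000),
    Withdrawal("A-1", date(2015, 3, 5), 8_000),
    Withdrawal("B-2", date(2015, 3, 4), 12_000),
    Withdrawal("B-2", date(2015, 3, 10), 500),
    Withdrawal("C-3", date(2015, 4, 1), 3_000),
    Withdrawal("C-3", date(2015, 4, 20), 4_000),
]


def demo_alerts():
    """Run the detector over the constructed sample."""
    return detect_structuring(SAMPLE)


if __name__ == "__main__":
    for account, hits in demo_alerts().items():
        for a in hits:
            print(f"{account}: {a.count} withdrawals totalling ${a.total:,} "
                  f"in the week from {a.window_start}")
```

A production rule would also correlate across the several accounts an individual controls, as the article says Sonia Alika used, and across related parties; the example keys on a single account only to keep the window logic visible.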
The Justice Department, in announcing the guilty pleas, did not say how the Alikas and Atebefia obtained the names of taxpayers and their Social Security numbers to instigate the Get Transcript fraud. DoJ also did not explicitly say how much money the defendants allegedly stole or whether any of it was recovered.
- Details
- Category: Security News

Like last year's breach of the online dating site Ashley Madison - tagline: "Life is Short. Have an Affair." - this year's release of the "Panama Papers" is holding individuals accountable for actions which, if not always illegal, in many cases appear to have at least been unethical.
The Panama Papers comprise 11.5 million records - emails, databases, images - leaked from Panama-based law firm Mossack Fonseca. The firm offers a service to help clients set up offshore shell companies, and while there are legal uses for such firms, they can also be used to hide income to avoid taxes.
Now, prosecutors and public officials around the world have begun taking a close look at the secrets that were spilled in the Panama Papers breach and scrutinizing the activities of the law firm involved.
Police in Panama recently raided the offices of Mossack Fonseca "to obtain documentation linked to the information published in news articles that establish the use of the firm in illicit activities," the BBC reports.
In Europe, meanwhile, the leak has prompted an EU Commission paper calling for stronger measures against tax evasion, which was discussed at a meeting of EU finance ministers in Amsterdam, Reuters reports. While no agreement was reached - and some ministers favor not requiring organizations to publicly release tax records - Dutch Finance Minister Jeroen Dijsselbloem, acknowledging "different views," has promised to formally address the issue soon, Reuters reports. The Netherlands holds the EU's rotating presidency through the end of June.
The U.S. Attorney for Manhattan, Preet Bharara, has written to the International Consortium of Investigative Journalists - which helped research and shepherd the release of the Panama Papers - requesting further details about some individuals named in the leaks. Bharara notes that his office has "opened a criminal investigation regarding matters to which the Panama Papers are relevant," the Guardian reports. At least 200 U.S. citizens were named in the papers, and some were already under investigation by Bharara's office, according to the news report.
A spokesman for the U.S. Attorney's Office for Manhattan declined to comment on that report.
Ashley Madison Redux
Like the release of the Panama Papers, last year's Ashley Madison breach also put a spotlight on those whose actions may have been unethical, to put it nicely.
Without a doubt, the Ashley Madison breach embarrassed scores of people who appeared to have registered for the pro-infidelity dating website. The leak, by a group calling itself "Impact Team," also led to the resignation of the company's CEO Noel Biderman - who's married and has children - after leaked emails contradicted his earlier denials that he'd never had affairs (see Top 10 Data Breach Influencers).
Some divorce attorneys, likening the breach to "Christmas in September," predicted that spouses of the site's users would be tapping the list of members - and their sexual fantasies - to bolster their forthcoming divorce suits.
Shell-Using Politicians React
While the Ashley Madison leak highlighted those who were clandestinely pursuing affairs, the Panama Papers revealed some individuals who were acting clandestinely with their money. And some electorates reacted more strongly than others to the news.
Iceland Prime Minister Sigmundur David Gunnlaugsson, for example, resigned after his name appeared in the leaked documents - tied to a previously undeclared shell company - and scores of Icelanders took to the streets in protest.
A defensive Russian President Vladimir Putin has claimed that while leaked details of some offshore funds owned by his friends are correct, they reveal no illegal activity.
British Prime Minister David Cameron, meanwhile, took the unprecedented step - for a U.K. official - of releasing a summary of his recent tax returns after the leak revealed that he has profited from an offshore company set up by his late father. But Cameron stopped short of issuing any of his actual tax returns. And in a blatant anti-transparency and anti-accountability move, U.K. Chancellor George Osborne, who heads the Treasury, last week also confirmed that the government has amended a draft bill to exempt families of "politically exposed persons" - including members of Parliament - from money-laundering investigations.
Obama Calls for Crackdown
U.S. President Barack Obama, however, has used the Panama Papers leaks to highlight the challenges related to cracking down on tax evasion. "There has been some progress made in coordinating between tax authorities of different countries so that we can make sure that we're catching some of the most egregious examples," he said.
Obama said the Panama Papers leaks have highlighted the scale of global tax avoidance schemes, which hide trillions of dollars. "We shouldn't make it legal to engage in transactions just to avoid taxes," he said, noting that he instead favors a system that makes sure that "everybody is paying their fair share."
Let's Talk Cheating
Individuals have a relationship with the state, which provides the infrastructure for a stable society - including government agencies, schools, roads, health systems - from which we all benefit. Failing to pay taxes on trillions of dollars in income means cheating everyone else out of what that tax revenue would have provided.
Whether discussing the Ashley Madison breach or the Panama Papers leak, the takeaway is the same: No one likes a cheater.
- Details
- Category: Security News

In the aftermath of the settlement of banks' post-breach lawsuit against Target, a financial institution is now suing Wendy's seeking to recoup breach-related expenses.
The suit against Wendy's alleges, among other things, that the fast-food chain failed to meet industry best practices for securing card data because it was not EMV-compliant at the time of its breach, which is believed to have occurred from Oct. 22, 2015, until March 10, 2016.
In its preliminary 2015 annual report, published Feb. 9, Wendy's confirmed that malware designed to steal payment card data had been discovered on some of the chain's point-of-sale systems.
The lawsuit, filed by Pennsylvania-based First Choice Federal Credit Union on April 25, seeks class-action status on behalf of all affected financial institutions. The suit seeks to have Wendy's compensate affected card issuers for breach-related losses and expenses, such as card-reissuance expenses and paying cardholders for fraud losses. It also asks that the court ensure that Wendy's shores up its security.
The new lawsuit comes on the heels of a consumer class-action suit filed against Wendy's in February seeking compensation for cardholders affected by the breach. Earlier this month, Wendy's filed a motion seeking to have that case dismissed.
Would EMV Have Prevented Breach?
The latest lawsuit against Wendy's makes strong allegations that the restaurant chain's inability to accept EMV cards for payment contributed to the breach. While several card fraud experts say those claims are baseless, one argues they could help bolster the case.
"The payment card industry set rules requiring all businesses to upgrade to new card readers that accept EMV chips," the suit alleges. "Such technology greatly increases payment card security, because if an EMV chip's information is stolen, the unique number cannot be used by the thieves, making it much more difficult for criminals to profit from what is stolen."
The suit goes on to say that the "deadline" for EMV compliance was Oct. 1, 2015. "Wendy's did not meet that deadline," the suit claims.
Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, offers a harsh assessment of that argument.
"First off, the card brands did not set a hard deadline to switch to EMV - they set a deadline on the [fraud] liability shift," she says. "Also, even if Wendy's had EMV acceptance turned on, they probably would still have been accepting at least 50 percent mag-stripe cards, since that's about the amount of card transactions that would have still been mag-stripe transactions in that time period. Secondly, the litigants are not even recognizing the POS terminal certification backlog that is preventing many merchants, including perhaps Wendy's, from turning on EMV acceptance."
The EMV certification backlog has been highlighted by the Merchant Advisory Group and other retailer associations, which argue that merchants are not to blame for the delay in implementing EMV (see EMV: Chargebacks Hitting Merchants of All Sizes).
Other fraud experts also call into question the lawsuit's EMV-related claims.
Al Pascual, head of fraud and security at Javelin Strategy & Research, notes: "The argument that EMV acceptance was a requirement is something that Wendy's will be sure to jump all over - the card brands have explicitly said otherwise."
And John Buzzard, the former head of FICO's Card Alert Service, who now works as director of product management for security firm Rippleshot Fraud Analytics, points out: "Many merchants, not just Wendy's, are in various stages of accepting chip payments. Likewise, issuers are all over the map with regard to chip issuance. This creates holes in the assumption that a lack of preparedness for EMV would prevent this scenario."
But cybersecurity attorney Chris Pierson, general counsel and CISO for invoicing and payments provider Viewpost, contends that the court may view Wendy's failure to implement EMV as a sign of security weakness.
"This present case before the court alleges that EMV was not in place at Wendy's as a means to demonstrate that the company did not implement 'reasonable security measures' to protect card data as a part of its negligence claim," he says. "If true and the case progresses, this could be relevant to whether Wendy's deployed controls are now considered to be best security practices. An EMV-enabled point-of-sale terminal is certainly one of those controls that is a best practice, and the liability shift that occurs post-breach is an important one to consider."
Neither Visa nor MasterCard responded to Information Security Media Group's request for comment.
A Regional Attack?
The new lawsuit against Wendy's also alleges that because fraud tied to the breach only affected issuers in specific regions of the U.S., the impact to those issuers was greater than fraud losses and expenses they suffered as a result of the Target and Home Depot breaches.
"Unknown perpetrators also specifically targeted and drained debit accounts with large amounts of money in them, concentrating the damages and causing individual financial institutions, such as the plaintiff and members of the class, to suffer losses that are much greater than what was experienced after the Home Depot or Target data breaches," the suit alleges.
But Litan claims that argument is unjustified. "The Target and Home Depot fraudsters 'regionalized' their stolen data so that the stolen cards were bought and used by criminals in the regions where the victimized cardholders also lived. This minimized their chance of being caught."
The lawsuit also implies that Wendy's was not in compliance with the Payment Card Industry Data Security Standard at the time of its breach.
But Pierson argues that "passing PCI-compliance testing has a low correlation rate with whether a compromise can happen. It is, however, true that not being PCI compliant and meeting these hurdles positions a company for a higher than average likelihood of a breach."
Meanwhile, Buzzard argues that card issuers could have played a role in shortening the length of the breach if they had better analytics in place to trace fraud back to Wendy's.
"We just don't manage fraud the same way in 2016 as we did in 2014," Buzzard says. "Less card reissues and way more predictive and preventive fraud strategies is the new mantra."
Wendy's declined to comment about the pending litigation. Attorneys representing the plaintiff did not respond to ISMG's request for comment.