BayPay Forum


Blocking Hack Attacks: SWIFT Must Do More

Category: Security News

All security vendors need to issue prescriptive guidance to their users, detailing the precise steps they must take to lock down the software or hardware against attackers. And that includes the bank-owned cooperative SWIFT, says networking expert Doug Gourlay, corporate vice president at security startup Skyport Systems.

Gourlay has been reviewing the security recommendations that Brussels-based SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, has been offering to its 11,000 users.

"Their security guidance is accurate, but weak - it's broad brush stroke," he says. "It's that: 'Hey, use security. Zone. Put firewalls in. Segment this.' It's not an actionable security document, and it frankly doesn't get into the levels of security best practices that are necessary against the threat landscape that they face today."

Indeed, banks are getting targeted by attackers who are conversant in wielding malware and injecting legitimate-looking, money-moving messages into the SWIFT network, resulting in the theft of $81 million from Bangladesh Bank (see Vietnamese Bank Blocks $1 Million SWIFT Heist).

Meanwhile, SWIFT continues to assert that its software and network remain secure and that it is incumbent upon users to better secure themselves. At the same time, however, "their name is getting dragged through the mud, because their application is the one being compromised," Gourlay says.

Target the Lowest Common Denominator

The cooperative must do more to help users, he says, noting that big banks are typically better prepared, but many regional and some international banks always struggle to bring sufficient resources and expertise to bear. "So it's incumbent upon the vendor to be able to teach and inform - to the lowest common denominator - what is the level of security capabilities, infrastructure, best practices, people, process, technology and so on, that has to be applied to secure their application."

In this interview with Information Security Media Group, Gourlay discusses:

  • Why more vendors - including Microsoft - now offer detailed, prescriptive security advice to customers.
  • Examples of the security capabilities that all SWIFT users should put in place, ranging from hardware validation and backups to digital forensics and physical access controls.
  • Why SWIFT will likely create a security standard - akin to the Payment Card Industry's Data Security Specification - backed by auditors, with which users must comply.

Gourlay is corporate vice president at Skyport Systems. He was previously vice president of systems engineering at Arista Networks and vice president of data center solutions at Cisco. He also served as an infantry officer in the U.S. Army.


The New Incident Response Challenge

Category: Security News

Anti-Malware, Governance, Incident Response

Former US-CERT Director Barron-DiCamillo on How to Get Out of 'Firefighter' Mode
Tom Field (SecurityEditor) • May 20, 2016

Too few organizations have in-house incident response teams. As a result, they lack the native ability to even detect evolving threats such as ransomware, says security expert Ann Barron-DiCamillo. What are the must-have response capabilities?


Barron-DiCamillo, formerly the director of US-CERT, is now chief technology officer at Strategic Cyber Ventures, a cybersecurity technologies investment firm, and part of her focus is on studying incident response capabilities. What she sees, frankly, concerns her.

"From my perspective, a lot of organizations ... have little to no ability to detect activity and then to mitigate it," Barron-DiCamillo says.

One inherent problem with many incident response organizations is their "firefighter" mentality, she says.

"There is this tendency to react, resolve, remediate ... expeditiously," she says. "As a firefighter, you want to put out the fire." But adversaries have responded to this tactic, and they now are deploying exploits that detonate secondary, retaliatory strikes as soon as their primary attacks are countered, Barron-DiCamillo says. "You need to do some aspect of 'watch and learn' as you contain," she says. "Understand the landscape of where the adversaries are within your network."

In this video interview at Information Security Media Group's recent Washington Fraud and Breach Prevention Summit, Barron-DiCamillo discusses:

  • Her role as CTO at Strategic Cyber Ventures;
  • The future demands of incident response;
  • Lessons learned from deconstructing ransomware.

As CTO at Strategic Cyber Ventures, Barron-DiCamillo leverages her expertise gained from 18 years in information technology development and cybersecurity operations to identify emerging technologies that fulfill capability gaps as they are created in the dynamic environment of the internet. Barron-DiCamillo previously was the director of the United States Computer Emergency Readiness Team, where she led DHS's efforts in cyberspace to respond to major incidents, analyze threats and share critical cybersecurity information with trusted partners around the world.


Officials in Several Nations Probe SWIFT Security

Category: Security News

Anti-Malware, Anti-Money Laundering (AML), Compliance

Interbank Messaging System Scrutinized After Incidents
Mathew J. Schwartz (euroinfosec) • May 20, 2016

Officials in several nations are probing the security of the SWIFT interbank messaging system in the wake of recent hacker attacks.


The scrutiny was triggered by a February incident in which hackers stole $81 million from the central bank of Bangladesh's New York Federal Reserve account via the messaging service provided by Brussels-based SWIFT - the Society for Worldwide Interbank Financial Telecommunication (see Banks, Regulators React to SWIFT Hack).

Meanwhile, news of another SWIFT hack has come to light, via a lawsuit filed by Banco del Austro in Ecuador against San Francisco-based Wells Fargo (see Another SWIFT Hack Stole $12 Million). And a Vietnamese bank recently revealed it foiled a plot to transfer $1.36 million out of its accounts - via the interbank SWIFT messaging system - in the fourth quarter of 2015.

A SWIFT spokeswoman tells Information Security Media Group that it just learned of the hack attack against Banco del Austro, despite the attack having occurred in January 2015 and BDA filing its lawsuit in January 2016.

"We were not aware," spokeswoman Natasha de Teran tells ISMG. "We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community."

U.S. Senator Wants Answers

In the United States, Sen. Tom Carper, D-Del., has written to the New York Fed and SWIFT to request details about how they're responding to hack attacks.

That follows the Association of Banks in Singapore inviting SWIFT officials to brief them in June on the hack attacks and the organization's related security response, and the Bank of England in April having ordered all U.K. banks to detail how they were responding to the SWIFT hacks, Reuters reports.

On May 19, Sen. Carper, the ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, wrote to William Dudley, president of the Federal Reserve Bank of New York, and Patrick Antonacci, SWIFT's managing director, asking them how they've been responding to the hack-attack reports.

"Institutions that use SWIFT commit to certain actions to protect the security of the network. Please describe the technical, operational, managerial and procedural controls required of SWIFT members to access the network," Carper wrote to SWIFT's Antonacci. "Does SWIFT plan to revise its cybersecurity policies or its own internal control environment in response to these recent attacks? If so, please explain."

Carper also asked both the New York Federal Reserve and SWIFT how they've been coordinating with each other - as well as with the central bank of Bangladesh, the U.S. Department of Homeland Security, the U.S. Department of Treasury and any other institutions "to strengthen the security of the SWIFT system since the attacks."

Carper set a deadline of June 17 to receive answers to his questions as well as brief his staff. SWIFT declined to comment on the senator's requests, or how it planned to respond.

SWIFT Promises More Security Help

On May 20, SWIFT issued a letter to its 11,000 customers, informing them that their access to - and continued use of - the messaging system requires that they report all instances of fraud. "We specifically remind all users to respect their obligations to immediately inform SWIFT of any suspected fraudulent use of their institution's SWIFT connectivity or related to SWIFT products and services," the letter states. "In such cases, SWIFT may require certain diagnostic information from you as set out in our terms and conditions."

SWIFT says that it will also begin maintaining and offering a centralized repository of all security-related information "in the restricted customer section on SWIFT.com," which it will keep updated with the latest information on SWIFT-targeting malware, including indicators of compromise. "SWIFT will continue to notify you as soon as possible of any cases of malware known to us so that you can better target your preventative and detective efforts in your local environment," it says.

The cooperative has also promised to improve the security guidance that it offers to members. "We are currently working to further reinforce our support to customers in securing their access to the SWIFT network; we are receiving feedback from the relevant board committee and overseers in the coming days and will be sharing plans with the wider community," it says. "We will provide further information on a new program shortly."

The latest letter to customers follows earlier communications from SWIFT warning customers that they are being targeted and urging them to use strong security defenses. Those warnings came in the wake of reports that Bangladesh Bank was failing to use strong passwords and lacked such basic controls as firewalls on systems that it allowed to connect to the SWIFT network (see SWIFT to Banks: Get Your Security Act Together).

SWIFT's May 20 communication also appeals to all users to pitch in. "The security of our global financial community can only be ensured through a collaborative approach among SWIFT, its users, its central bank overseers and third-party suppliers. SWIFT is fully committed to leading the community effort. To this end, it is essential that you share critical security information related to SWIFT with us."

SWIFT promised that such information would be used to help troubleshoot any technical problems, track attack patterns as well as help all users better secure themselves. "Any information shared will be treated confidentially within the existing framework between SWIFT and its users," it said.

Some security experts say that SWIFT must begin offering much more detailed and actionable security guidance. "Their security guidance is accurate, but weak - it's broad brush stroke," networking expert Doug Gourlay, corporate vice president at security startup Skyport Systems, tells ISMG (see: Blocking Hack Attacks: SWIFT Must Do More).

Will Banks Police Banks?

One outstanding question relating to battling fraudulent SWIFT messages is the extent to which SWIFT will - or can - crack down on users. Gourlay of Skyport Systems says SWIFT might adopt a compliance model akin to the Payment Card Industry's Data Security Standard. Under such a system, for example, SWIFT could require all users to obtain third-party security audits.

But SWIFT's 25-member board of directors is mainly composed of representatives from larger banks, Reuters reports, and it's not clear that they would want to impose any such regulations on their own industry.

Furthermore, SWIFT has struggled to stay abreast of fraud committed using SWIFT's messaging network because banks have failed to share such details, John Doyle, who held a variety of senior roles at SWIFT between 1980 and 2005, tells Reuters.

"The banks are not going to tell us too much," Doyle said. "They wouldn't like to destabilize confidence in their institution."


Another SWIFT Hack Stole $12 Million

Category: Security News

Anti-Money Laundering (AML), Compliance, Fraud

Heists Highlight Real-Time Payment Risks, Security Experts Warn
Mathew J. Schwartz (euroinfosec) • May 20, 2016

(This story has been updated.)


Another series of SWIFT-enabled hack attacks against a bank has come to light, following the theft of $81 million from the central bank of Bangladesh, and SWIFT warning that other banks are also being targeted (see Banks, Regulators React to SWIFT Hack).

Security experts say the newly revealed hack attacks, leading to fraudulent SWIFT interbank messages, highlight the dangers facing any financial institutions that attempt to implement real-time payments or automated clearinghouse systems.

The attacks, which occurred on Jan. 21, 2015, resulted in the theft of $12.2 million from Banco del Austro, or BDA, in Ecuador. The theft was revealed via a lawsuit filed by BDA against San Francisco-based Wells Fargo on Jan. 28, as Reuters first reported.

Meanwhile, a Vietnamese bank recently revealed it foiled a plot to transfer $1.36 million out of its accounts - via the interbank SWIFT messaging system - in the fourth quarter of 2015.

In the BDA theft incident, both Wells Fargo and BDA believe the money was indeed transferred by hackers. BDA holds Wells Fargo responsible for not flagging the transactions as being suspicious and has demanded that Wells Fargo return the full amount that was stolen, according to court documents. BDA says that it noticed the fraud the same day that it occurred and "promptly informed its correspondent banks."

Wells Fargo has fired back, however, blaming BDA's information security policies and procedures for the fraud having occurred and noting that it honored a valid request received via the SWIFT messaging system, according to court documents. Wells Fargo successfully recovered and returned to BDA $1.85 million of its stolen funds, court documents show.

In a statement provided to Information Security Media Group, Wells Fargo states: "With respect to the Banco del Austro case, Wells Fargo properly processed the wire instructions received via authenticated SWIFT messages, and Wells Fargo's computer systems were not compromised in any way. Wells Fargo is not responsible for the losses suffered by Banco del Austro and intends to vigorously defend the lawsuit. Wells Fargo continually assesses our SWIFT platform and monitors systems searching for potential threats and takes action as warranted through updates to our security tools and practices."

BDA did not immediately respond to a request for comment.

SWIFT Messages

SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based cooperative that maintains a messaging system used by 11,000 banks. Its "secure" messaging system has long been used to handle the majority of the world's money-moving messages, experts say. Not surprisingly, criminals have long attempted to issue real-looking but fake messages to move money from victims' accounts into attacker-controlled ones.

SWIFT says that it is not a party to the BDA lawsuit and that it only just learned of the hack attack.

"We were not aware," spokeswoman Natasha de Teran tells Information Security Media Group. "We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information and are reminding customers of their obligations to share such information with us."

It's not clear, however, if banks are obligated to report such attacks to SWIFT, and the cooperative didn't immediately respond to a related query, or questions about whether it tracks fraud that gets committed via the SWIFT network (see Blocking Hack Attacks: SWIFT Must Do More). According to Reuters, current agreements with members require only that SWIFT be alerted to any problems that impact the "confidentiality, integrity or availability of SWIFT service."

Remote Attacker Hacked Banco del Austro

In the case of the BDA hack, the transfers were made from its HSBC account in San Francisco to HSBC and Hang Seng Bank accounts in Hong Kong, a Wells Fargo account in Los Angeles, a Mashreqbank account in Dubai, and a JPMorgan Chase account in New York, according to court documents. "BDA discovered that for each unauthorized transfer, an unauthorized user remotely accessed BDA's computer system after hours, logged onto the SWIFT network purporting to be BDA, and redirected transactions to new beneficiaries with significant dollar amounts," one court filing reads.

BDA's lawsuit also slams Wells Fargo for failing to spot the fraud. "Each and every one of the unauthorized wire transfers were performed outside normal operating hours of Banco del Austro; it included transactions of significant amounts, which undoubtedly should have triggered an alert at Wells Fargo in their control and verification of the transactions that were being processed," BDA officials wrote in an April 7, 2015, letter to Wells Fargo's financial crime manager that was included in documents filed in support of BDA's lawsuit.

Under the terms of the banks' contractual agreement, "WFB [Wells Fargo Bank] agreed to verify the authenticity of SWIFT payment orders pursuant to the SWIFT authentication procedures in accordance with the SWIFT User Handbook," BDA says in its lawsuit. It adds that the bank also agreed to abide by "general U.S. commercial bank practices" and "follow 'know your customer' and fraud detection policies and procedures designed to detect and deter suspicious activity in the accounts."

BDA adds that attackers also attempted to transfer another $1.4 million from its Citibank accounts to accounts in Dubai and Hong Kong, but those attacks were blocked. "On the same day of January 21, 2015, an unauthorized wire transfer was made from the account that Banco del Austro maintains at Citibank, in identical circumstances; the prompt response and controls of Citibank resulted on (sic) the immediate refund of the funds to our account," BDA says in its April letter to Wells Fargo. BDA also says that those fraudulent wire transfers had attempted to move money to accounts in Dubai and Hong Kong.

Wells Fargo has petitioned the court to dismiss the case, blaming the theft on BDA's information security practices and noting that hackers stole and successfully used a valid SWIFT logon. "BDA and Wells Fargo agreed that SWIFT authentication was a commercially reasonable security procedure for verifying SWIFT payment orders," Wells Fargo says in a court document.

"BDA ... [discusses] whether Wells Fargo behaved as a prudent bank and followed the USA Patriot Act, the Bank Secrecy Act, and other anti-money laundering and 'Know Your Customer' statutes and regulations. BDA speculates that these rules required Wells Fargo to conduct due diligence for BDA's benefit and to stop the transfers at issue. But compliance with these statutes and regulations is irrelevant to Wells Fargo's obligation under [New York Uniform Commercial Code]," Wells Fargo says in a court document.

Banks' Liability Concerns

The BDA lawsuit against Wells Fargo comes as more banks around the world are moving to real-time payment systems. Indeed, a Bangladesh police investigation reportedly concluded that a SWIFT technician left exploitable loopholes after connecting the bank to SWIFT's network to facilitate real-time payments. SWIFT has dismissed that report.

But despite any talk about "know your customer," real-time payment transfers are designed to operate automatically and in real time. So when an institution such as the Federal Reserve Bank of New York - in the case of the Bangladesh Bank hack - receives a valid-looking request via the SWIFT messaging system, "it has controls in place to ensure that it completes the transaction as ordered because it might be liable if it failed," says information assurance consultant William Murray.

"The Fed is a bank, one whose customers are other banks," he says. "If it gets an order from a customer to pay someone, it does it. Like any other bank, it has a responsibility to ensure that the transaction is properly authorized in accordance with its agreement with its customer. While [Bangladesh Bank] might wish that the Fed failed in this case, wishing will not make it so."

No Margin for Error

There is zero margin for error where money-moving systems are concerned, especially with real-time transactions, Gartner analyst Avivah Litan says in a blog.

"Irrevocable real-time payments are fraught with risk," she says. "There is no time for bankers' fraud staff to manually review transactions, and there is no time to retrieve a fraudulent payment on its way to an unknown bank account far from the reach of U.S. banks and authorities."

Litan says SWIFT hacks have repercussions for any institutions that employ real-time payment systems. In the United States, for example, banks hope to have real-time Automated Clearing House - an electronic network for financial transactions in the United States - payments in place soon.

"But is the U.S. really ready for faster payments? The recent news on the SWIFT heists strongly suggests the answer is no," Litan says. "According to industry sources, a few banks started opening their faster payment systems up to their customers, but adoption was slow - except among the criminals."


ABA's Doug Johnson on Smaller Banks' Fraud Concerns

Category: Security News

ATM Fraud, Fraud, Payments Fraud

POS Fraud, ATM Skimming Hit Community Banks Hard
Tracy Kitten (FraudBlogger) • May 23, 2016

Upticks in point-of-sale fraud and surges in ATM skimming are hitting community banks hard, says Doug Johnson of the American Bankers Association.


Johnson, who oversees cybersecurity efforts for the ABA, says 75 percent of the fraud affecting community banks is linked to POS fraud at merchant locations, according to the ABA's most recent Deposit Account Fraud Survey.

"If you look at all of the various types of fraud that you have across financial institutions, that fraud at the point of sale is something that essentially community banks are seeing to a greater degree, in terms of the proportion of the overall fraud they're seeing," Johnson says in this video interview with Information Security Media Group. "That's not what happens in the large financial institutions."

Looking ahead to the next year, Johnson says increasing attacks against ATMs also are expected to plague community banks. The EMV fraud liability shift date for ATMs is not until October 2016 for MasterCard and October 2017 for Visa, and fraudsters will increasingly target ATMs until EMV is completely rolled out, Johnson predicts.

"What we've seen is a migration of fraud, to not just ATM skimming, but physical crimes against customers at ATMs and physical crime against ATMs, where ATMs are essentially taken," he says. "In July, we're going to extend the database we call ABA Bank Capture, which captures the bank robbery data, to [include] ATM skimming. And we're going to very aggressively market that to the community banks. ... We believe, because ... EMV is coming to the ATM, there is going to be some escalation of skimming over the course of the next year and a half."

In this interview at ISMG's recent Washington Fraud and Breach Prevention Summit, Johnson also discusses:

  • Why retail breaches remain top-of-mind for community banks;
  • Why information sharing among ABA members about emerging ATM attacks is so critical; and
  • How the recent wire fraud schemes waged against SWIFT transactions are going to affect bank security practices.

Johnson leads the ABA's enterprise risk, physical security, cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues.
