The latest breach of an offshore account owned by Union Bank of India is raising new questions about the security of interbank payments, which fraudsters have repeatedly compromised by exploiting outdated back-end authentication methods.
Union Bank of India confirmed to Reuters in July that a breach of one of its Nostro accounts had been spotted and that the fraudster's attempts to transfer funds from the account had been foiled. Nostro accounts are accounts a bank holds at banks in other countries, denominated in foreign currencies, and are commonly used to settle foreign exchange and trade transactions.
Experts believe the Union Bank Nostro breach may involve the same attackers who, in February 2016, used fraudulent SWIFT transfer instructions to move $81 million out of Bangladesh Bank's account at the Federal Reserve Bank of New York.
Al Pascual, Head of Fraud and Security at Javelin Strategy & Research, believes interbank payments have become an ideal target for cyber criminals. "While I cannot confirm the particulars, it appears that we are in that window where criminals have identified a high-value, poorly protected asset and are taking advantage of that. These attacks will migrate to those institutions where regulators have allowed lax cyber security to be the norm, and some of them will learn hard lessons in short order… We're not done hearing about these multimillion-dollar heists."
It has been noted that Citi, not Union Bank of India, flagged the fraudulent transfer request from the Nostro account, stopping the criminals in their tracks, and then immediately notified Union Bank. The amount the attackers attempted to transfer has not been disclosed.
Other security experts believe both the Union Bank and Bangladesh breaches were inside jobs. In the Bangladesh Bank case, experts speculate that an employee with SWIFT administrative privileges may have had their login credentials stolen by malware. The Union Bank Nostro transfer workflow required multifactor authentication, so the attackers must have obtained the credentials (including the additional factor) of at least one person with administrative or transaction-approval authority.
The Bigger Picture
Indian banks have notoriously focused more on demonstrating compliance with regulatory requirements than on actual cyber security and resilience against attacks. With traditional tools and technologies alone, banks are finding it impossible to detect irregularities in their networks or to close vulnerabilities that could be catastrophic for the organization.
Organizations need a way to detect the presence of malware and to verify that hardening measures and user access controls are actually being enforced. Any configuration drift or breach activity needs to be alerted on in real time to stave off threats and limit damage. While every compliance and regulatory standard requires a hardened build standard, control of user rights and change control, these controls are typically implemented with external threats in mind, when the internal threat, whether a malicious insider or an insider's stolen credentials, is potentially more significant.
File integrity monitoring (FIM) reduces the risk of an undetected breach by raising an alert on any change to core system files or configuration settings, and the same controls flag permission changes and unexpected new files. The change is detected regardless of whether it was made by a malicious insider or by malware running under an unwittingly phished employee's account, because FIM compares the system against a known-good baseline rather than trying to decide who made the change.
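The following is an added example, written for this article and not code from any product or bank it mentions, showing the core of what a file integrity monitor does: hash every file under a monitored directory, record its size and POSIX mode bits as a baseline, and later diff a fresh snapshot against that baseline to report added, removed and modified files. The directory tree, file names and "tampering" in `demo()` are constructed for the demonstration, and the mode check assumes a POSIX filesystem (it is not meaningful on Windows). A real deployment adds scheduling, a tamper-protected baseline store and alert routing on top of exactly this comparison.

```python
"""Minimal file integrity monitor: record a baseline, then detect drift.

Added example (not from the article). Hashes every regular file with
SHA-256, stores hash/size/mode per file, and reports differences between
the stored baseline and a later snapshot.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _digest(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash, size and mode.
    Symlinks are skipped so a link pointing elsewhere cannot mask a change."""
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "sha256": _digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # permission bits incl. setuid/setgid/sticky
            }
    return state


def save_baseline(state: dict, out: Path) -> None:
    out.write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def diff(baseline: dict, current: dict) -> dict:
    """Return added / removed paths and, for modified paths, which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        changed = [k for k in ("sha256", "size", "mode")
                   if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed sample tree, baseline it, tamper with it, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"  # constructed stand-in for a monitored config directory
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.ini").write_text("approval_required = true\n")
        (root / "app" / "users.txt").write_text("alice:approver\n")
        (root / "motd").write_text("welcome\n")
        os.chmod(root / "app" / "config.ini", 0o640)
        os.chmod(root / "app" / "users.txt", 0o644)

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed tampering: a control is switched off, a file is made
        # world-writable, an unexpected script appears, and a file is deleted.
        (root / "app" / "config.ini").write_text("approval_required = false\n")
        os.chmod(root / "app" / "users.txt", 0o666)
        (root / "app" / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "motd").unlink()

        return diff(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Note that the baseline itself is the thing an attacker with administrative access would target next, so in practice it is stored, or at least hashed and signed, somewhere the monitored host cannot write to; the comparison logic above does not change.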