Many banks with less than $50 billion in assets have a problem that payment systems like Apple Pay will make even more attractive to exploit, a team of security researchers says.
By altering electronic-transfer files before they are uploaded to the national transaction clearinghouse, criminals can redirect funds to accounts they control and make off with millions of dollars at a clip, according to researchers at TrustCC, a consultancy specializing in financial institution IT security.
They presented their findings at (ISC)² Security Congress 2014.
The problem is that many banks and credit unions place these sensitive files on their corporate LANs before uploading them to the Automated Clearing House (ACH), a commercial network that processes a variety of financial transactions. That leaves them vulnerable to hackers who have successfully infiltrated the LAN.
While the attack isn't common yet, it could become moreso as consumers shift from traditional magnetic-strip credit cards to more secure chip-and-pin credit cards and alternative payment systems such as Apple Pay. These more secure method will mean more work for professional hackers, say TrustCC researchers Andy Robbins and Brandon Henry.
When that happens, criminals may seek to steal directly from banks because they will present easier targets with larger potential payoffs per compromise, they say. "Then banks are a pretty juicy target," he says.
TrustCC researcher Brandon Henry
Victims of the attack the researchers describe would be among the roughly 4,000 banks and credit unions in the U.S. that have less than $50 billion in assets considered small banks. Larger banks that actually control the vast majority of funds involved in ACH transfers use an architecture that doesn't expose the same vulnerability, Henry says.
But in smaller banks, batch files in ACH format are generally created in secure core networks. At the end of the day these files are shifted to shares on the corporate LAN to be reviewed by persons on the institutions' accounting teams. Once approved, these files are sent to ACH.
The flaw in the system is that ACH files are often left as shares for some period of time. If hackers can access them before the person in accounting, they can alter them, Henry says.
The accountants verify what is known as the 10-digit file control record, the sum of the routing numbers in the folder. So the hacker code would alter the relevant numbers to divert the transfer to thieves' accounts and recalculate the folder's control record so it corresponds to contents of the altered folder. If automated, the process takes about a tenth of a second using 35 lines of Python code. "It's so painfully simple any competent programmer could put this together in a day," he says.
These fraudulent transfers can easily go unnoticed for 24 hours, he says, but even if it's a shorter period it's certainly long enough for the criminals to shift the funds again and make them impossible to recover.
Before the exposed batch folders can be altered, though, hackers first have to break into bank LANs and gain enough privileges to access the shares that contain them. Robbins says in his penetration-testing experience hackers can escalate to domain administrator in financial institutions about half the time using phishing in combination with other common hacking methods. Once they've done that they can almost always find ACH folders, he says.
The researchers have come up with a proof-of-concept of this hack they say they've presented it to various financial institution associations and to NACHA which manages development and administration of ACH. After two months of responsible disclosure, they've decided to publicly reveal it. Recently they have been in touch with NACHA and they feel some progress is being made toward fixing the problem.
One way to address the problem is to encrypt all transaction files before they come out of the secure core network, Henry says. If that can't be done, the ACH system and the means to electronically send funds should be replaced.
All access to these files should be logged and write access to these files should be prohibited by machines outside the core network, he says.
Robbins admitted that the largest of banks those that account overwhelmingly for the monetary value of total transactions upload transfers electronically directly from their core banking networks.
Some smaller banks outsource their core networks to outsourcers but still expose ACH files to their business networks, he says. Sometimes the outsourcers place their core networks on the bank's corporate LAN.