
All Criminals Need Is Your Data—How They Gain Access To Your Computer

Elangovan, October 2, 2019

If a criminal wants to attack your bank, they don’t need to chase you down or take any of your family hostage; all they need is access to your data. Cyber attackers work day and night targeting banks that slacken in any way, so that they can seize on the loopholes to harm those financial institutions. In this piece, our main concern is to learn how criminals gain access to your computer and carry out their tricks.

You might be surprised to know that your social networking login details can often be worth more to cybercriminals than your financial information, because there are many protections for consumers against financial fraud but next to none for online accounts like email and social networking. Your social information gives hackers access to your friends on those networks, who then become susceptible to cybercriminal attacks as well (Myers, 2013). So it is a chain: if care is not taken, all of you can fall victim.

Need an example? Think of your financial information as a car dealership and your social networking details as a discount store. The discount store carries a ton of items sold for little profit but they sell products all the time, while the car dealership sells fewer items at a lower frequency but a much greater profit. Most cyber-attackers work more like a discount store than a car dealership. Financial data is only worth a few bucks for each account, and social networking data isn’t worth a whole lot more. But criminals work to gather enough low-ticket pieces of information to sell in bulk to rack up a big payday (Myers, 2013).

There are two main ways cybercriminals can attack you: the first is by luring you into running malware that opens up your system to them, and the second is by hacking into your accounts or computer directly. The attacks take forms such as the replay attack and diverting a payment to the wrong person, among others.

In order to describe the attacks, consider a fictional bank, “SPDL Bank”. The customers of the bank are Alice and Bob, and the hacker is Eve. We want to expose flaws in logic, and we use Charles Proxy to sniff the SSL traffic between the mobile banking app and the bank server. A mobile banking application should allow users to perform a subset of the operations they can perform at the bank, so we lay down our assumptions of how the mobile banking application should actually function. While making a payment, a payment request should be valid only once. Similarly, transfers should be possible only to approved and trusted beneficiaries. Moving on to the challenge response: banks, as an added layer of security, may ask for certain digits of a password (such as the 2nd, 3rd and 7th digits), or a similar form of secondary authentication. Only upon responding with what was asked for is the transaction processed (Shah, 2016).

Replay Attack

Suppose Alice is transferring money to Bob through the mobile banking application. The payment request should be valid only once; any attempt to submit the same request to the bank again should be treated as invalid. In a practical scenario, suppose Alice legitimately transfers $10 to Bob. Bob can pair up with the hacker Eve and have her replay the request 10 times. Thus $90 is siphoned off from Alice’s account without her authorization. The defence against replay attacks is a nonce, or a secret between the client and the server that is a function of time (Shah, 2016).
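The nonce defence described above, worked through as an added example (this is not code from the article or from Shah): the server issues a single-use nonce for each payment attempt, the client binds it to the exact request fields with an HMAC under the session key, and the server consumes the nonce on first use and refuses it afterwards, as well as expiring nonces that sit unused. The bank class name, the session key, the message format and the 120-second time-to-live are assumptions made for the illustration; the account balances are constructed sample data.

```python
"""Replay-resistant payment request (added example, not the article's code)."""
import hashlib
import hmac
import secrets
import time

SESSION_KEY = b"constructed-session-key"   # assumed: negotiated per login in practice


def sign_request(key, sender, payee, amount, nonce):
    """Client side: MAC over exactly the fields the server will act on."""
    msg = f"{sender}|{payee}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SpdlBank:
    """Toy server: one nonce per payment attempt, consumed on first use."""

    def __init__(self, key, nonce_ttl_s=120):
        self.key = key
        self.nonce_ttl_s = nonce_ttl_s
        self.balances = {"Alice": 100, "Bob": 0}   # constructed sample balances
        self.issued = {}       # nonce -> (account it was issued to, issue time)
        self.consumed = set()  # nonces already spent on a successful transfer

    def issue_nonce(self, account, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.issued[nonce] = (account, now)
        return nonce

    def transfer(self, sender, payee, amount, nonce, mac, now=None):
        now = time.time() if now is None else now
        expected = sign_request(self.key, sender, payee, amount, nonce)
        if not hmac.compare_digest(mac, expected):
            return "rejected: bad signature"
        if nonce in self.consumed:
            return "rejected: replay"          # the article's 10x replay lands here
        issued = self.issued.pop(nonce, None)
        if issued is None or issued[0] != sender:
            return "rejected: unknown nonce"
        if now - issued[1] > self.nonce_ttl_s:
            return "rejected: expired nonce"
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            return "rejected: insufficient funds"
        self.consumed.add(nonce)
        self.balances[sender] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return "ok"


def simulate_replay(copies=10):
    """Alice sends one $10 payment; the captured request is re-sent `copies` times.

    Returns the list of server answers and Alice's final balance.
    """
    bank = SpdlBank(SESSION_KEY)
    nonce = bank.issue_nonce("Alice", now=0.0)
    mac = sign_request(SESSION_KEY, "Alice", "Bob", 10, nonce)
    results = [bank.transfer("Alice", "Bob", 10, nonce, mac, now=1.0)]
    for i in range(copies):
        results.append(bank.transfer("Alice", "Bob", 10, nonce, mac, now=2.0 + i))
    return results, bank.balances["Alice"]


def simulate_expiry():
    """A nonce left unused past its TTL is refused even on first use."""
    bank = SpdlBank(SESSION_KEY, nonce_ttl_s=120)
    nonce = bank.issue_nonce("Alice", now=0.0)
    mac = sign_request(SESSION_KEY, "Alice", "Bob", 10, nonce)
    return bank.transfer("Alice", "Bob", 10, nonce, mac, now=500.0)


if __name__ == "__main__":
    answers, balance = simulate_replay()
    print(answers, balance)      # one "ok", ten "rejected: replay", balance 90
    print(simulate_expiry())     # rejected: expired nonce
```

Only the first copy of the request moves money; the ten replays are refused and Alice keeps $90, whereas without the nonce check the server would debit her eleven times. The MAC matters as much as the nonce: it ties the nonce to the sender, payee and amount, so a captured nonce cannot be attached to a different request. As the article notes later, an attacker who has sniffed the session key can still forge fresh requests, which is why the nonce has to be paired with the server-side state checks covered in the next sections.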

Bypass Payment Attack

As part of everyday business, Alice transfers $100 to Bob. This is a valid transaction, since Bob is in the list of approved beneficiaries.

The steps in completing a transaction are as follows:

  1. Alice -> Server : Transfer $100 to Bob
  2. Server -> Alice : OK ; Give me authentication numbers : 1 , 5 , 8
  3. Alice -> Server : Transfer $100 to Bob ; Authentication 1:22 5:45 8:12

Transfer successful.

The authentication characters can be considered key-value pairs, where there are 16 keys, 1…16, and authentication digits exist for each of these (Shah, 2016).

The bypass payment hack happens in step 3. Eve, the adversary, can tamper with the request so that it becomes:

  1. Alice -> Server : Transfer $10000 to Eve ; Authentication 1:22 5:45 8:12

The server accepts it, and the transfer is successful. The problems are:

  1. No check in step 3 that the recipient is a beneficiary
  2. No state maintained between step 1 and step 3

Thus money can be diverted to malicious entities (Shah, 2016).

Two Factor Authentication Bypass

As described in the transaction steps, authentication values need to be provided. The server asks for 3 values at random out of 16 as a second factor of authentication. One attack is to change the challenge-response questions.

In step 2, the bank asks for the second factor:

  1. Server -> Alice : OK ; Give me authentication numbers : 1 , 5 , 8

Eve can tamper with this response and supply the 3 valid key-value pairs she knows. Thus, irrespective of what the server asks for, Eve provides the key-value pairs she knows and the transaction still goes through. She effectively bypasses the security mechanism, since she can spoof each transaction:

Alice -> Server : Transfer $100 to Bob ; Authentication 1:22 2:99 3:10

This attack is an advanced one and requires Eve to possess the session key. However, once she has it by sniffing a live transaction, she can combine vulnerabilities 2 and 3 to create malicious transactions. These flaws relate to application logic and may not fall under the bank’s threat model, as the bank assumes the application to be in the trusted computing base. This assumption may not hold true, however, given how easy it is to poison the phone’s certificate store through an application with misleading permissions (Shah, 2016).
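The two logic flaws behind the bypass payment attack and the two-factor bypass above both come down to the server trusting what step 3 says instead of what it recorded at step 1. The following added example (not code from the article or from Shah) puts a server that behaves as the article describes beside a hardened one: the hardened server checks the beneficiary before issuing a challenge, keeps the pending transfer and the challenged positions on the server under a transaction id, and in step 3 accepts only an id plus answers, which must be for exactly the positions it asked. The 16-entry authentication table (chosen so that the pairs 1:22, 5:45, 8:12 and 2:99, 3:10 from the article's messages are valid), the beneficiary list and the balances are constructed sample data; the class and method names are assumptions.

```python
"""Server-side state for the three-step transfer (added example, not the article's code)."""
import secrets

# Constructed authentication table: values for keys 1, 2, 3, 5 and 8 match the
# article's messages; the rest are made up for this example.
AUTH_DIGITS = {1: "22", 2: "99", 3: "10", 4: "71", 5: "45", 6: "08",
               7: "63", 8: "12", 9: "30", 10: "57", 11: "84", 12: "19",
               13: "66", 14: "02", 15: "91", 16: "38"}
BENEFICIARIES = {"Alice": {"Bob"}}   # Eve is not an approved beneficiary


class VulnerableServer:
    """Behaves as the article describes: no state between steps 1 and 3."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def step1(self, sender, payee, amount):
        # Picks three positions but forgets them immediately.
        return secrets.SystemRandom().sample(range(1, 17), 3)

    def step3(self, sender, payee, amount, answers):
        # Only checks that the supplied pairs are correct somewhere in the table:
        # not that they are the challenged positions, not that the payee is
        # approved, not that payee and amount match step 1.
        if len(answers) != 3 or any(AUTH_DIGITS.get(k) != v for k, v in answers.items()):
            return "rejected: wrong authentication digits"
        self.balances[sender] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return "ok"


class HardenedServer:
    """The pending transfer lives on the server; step 3 carries only an id."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.pending = {}   # txn_id -> (sender, payee, amount, challenged positions)

    def step1(self, sender, payee, amount):
        if payee not in BENEFICIARIES.get(sender, set()):
            return None, "rejected: payee is not an approved beneficiary"
        if amount <= 0 or amount > self.balances.get(sender, 0):
            return None, "rejected: invalid amount"
        txn_id = secrets.token_hex(8)
        positions = tuple(sorted(secrets.SystemRandom().sample(range(1, 17), 3)))
        self.pending[txn_id] = (sender, payee, amount, positions)
        return txn_id, positions

    def step3(self, txn_id, answers):
        record = self.pending.pop(txn_id, None)   # single use: any failure burns it
        if record is None:
            return "rejected: unknown or already used transaction"
        sender, payee, amount, positions = record
        # The client must answer exactly the positions that were asked.
        if tuple(sorted(answers)) != positions:
            return "rejected: answers are not for the challenged positions"
        if any(AUTH_DIGITS[k] != answers[k] for k in positions):
            return "rejected: wrong authentication digits"
        # Payee and amount come from the stored record (already beneficiary-checked).
        self.balances[sender] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return "ok"


def run_scenarios():
    """Runs the article's two tampering cases against both servers; returns outcomes."""
    out = {}
    v = VulnerableServer({"Alice": 20000, "Bob": 0, "Eve": 0})
    asked = v.step1("Alice", "Bob", 100)
    honest = {k: AUTH_DIGITS[k] for k in asked}
    out["vuln_legit"] = v.step3("Alice", "Bob", 100, honest)
    out["vuln_redirect"] = v.step3("Alice", "Eve", 10000, honest)   # bypass payment
    out["vuln_swap"] = v.step3("Alice", "Bob", 100, {1: "22", 2: "99", 3: "10"})  # 2FA bypass
    out["vuln_eve_balance"] = v.balances["Eve"]

    h = HardenedServer({"Alice": 20000, "Bob": 0, "Eve": 0})
    txn, asked = h.step1("Alice", "Bob", 100)
    out["hard_legit"] = h.step3(txn, {k: AUTH_DIGITS[k] for k in asked})
    out["hard_redirect"] = h.step1("Alice", "Eve", 10000)[1]
    txn, asked = h.step1("Alice", "Bob", 100)
    others = [p for p in range(1, 17) if p not in asked][:3]   # correct digits, wrong positions
    out["hard_swap"] = h.step3(txn, {p: AUTH_DIGITS[p] for p in others})
    out["hard_reuse"] = h.step3(txn, {k: AUTH_DIGITS[k] for k in asked})
    out["hard_eve_balance"] = h.balances["Eve"]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Against the vulnerable server both tampered requests succeed and Eve's balance ends at $10000; against the hardened server the redirect is refused before any challenge is issued, the swapped answers are refused because they do not cover the challenged positions, and a second attempt on the same transaction id is refused because the id was consumed. Treating the id as single-use on any failure is a deliberate choice: an attacker who guesses wrong cannot keep retrying against the same pending transfer.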

MsMash (2018) narrates the story of how hackers crashed computers in an attempt to hack a bank’s SWIFT system. He wrote: “Hackers have used a disk-wiping malware to sabotage hundreds of computers at a bank in Chile to distract staff while they were attempting to steal money via the bank’s SWIFT money transferring system. The attempted hack took place at the end of May 2018 when hackers wiped the HDD MBR of over 9,000 computers and over 500 servers. Fortunately, the hackers failed to steal money from the bank (an estimated $11 million). This is the same hacker group who failed in April when they tried to steal over $110 million from a Mexico bank.” So, banks need to be vigilant at all times. Even though the attack is said not to have succeeded, crashing all of the bank’s systems is by itself damage worth more than the amount in question.

References

MsMash (2018). Hackers Crashed A Bank’s Computers While Attempting A SWIFT Hack. Retrieved from https://it.slashdot.org/story/18/06/10/1629230/hackers-crashed-a-banks-computers-while-attempting-a-swift-hack

Myers, L (2013). How A Cybercriminal Can Steal Information Off Your Computer. Retrieved from https://www.intego.com/mac-security-blog/how-a-cyber-criminal-steals-information-off-your-computer/

Shah, D (2016). Hacking A Bank: 101. Retrieved from https://hackernoon.com/hacking-a-bank-101-507d64d5b836

© 2019 LPS Training Services All Rights Reserved.