By Moses Kaketo
A local commercial bank recently lost millions of shillings to fraudsters when they gained access to her main banking system before walking away with customer deposits.
Through our sources at the said bank, we were able to gain access to the investigators’ report. The report highlights the weaknesses in the financial institution’s banking system which the fraudsters exploited to walk away with millions of depositors’ money. We will spare you the name of the commercial bank. Below are some of the gaps that were identified and perhaps exploited.
The report reveals that some of the key network devices on the bank’s network were either open source, obsolete or both. For example, Cisco announced the end-of-life date for the ASA 5510 as 16th September 2013, yet three years after that date the bank was still using the same device. Never mind that this firewall does not support Next Generation Firewall services like application visibility and control.
A close look at the CVs of the bank’s 16 I.T staff reveals that while each had a bachelor’s degree in the relevant field, there was no evidence that the team as a whole had the requisite experience for the jobs they were doing. According to the investigators’ report, integrity and professional background checks on staff were not seen on their personnel files. With the low salaries paid to staff, it is assumed the employees could have been part of the fraud.
It was also discovered that admin access to the bank’s key network devices was not restricted to specific IP addresses. This is against best practice, and the hackers could have used it to walk away smiling, this time from the bank.
For example, contrary to the ISO 27001 information security standard, HTTP administration access was allowed from the Internet without source IP restriction. This exposed the firewall, the armed guard himself, to attack from the Internet. Above all, the investigators discovered that the firewall accepted traffic like Internet Control Message Protocol from any source on the Local Area Network, which left the bank’s system vulnerable to deadly internal attacks like Man-In-The-Middle, which the hackers could have used to their advantage to run away with millions.
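As an added illustration (not from the report or the bank), the Python below audits a Cisco ASA-style configuration for the weakness described above: management-access lines that admit any source, or that open management on an untrusted interface to more than a single host. The configuration excerpt, addresses and interface names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an ASA-style running configuration (not the bank's):
# HTTP (ASDM) administration reachable from the Internet-facing interface with
# no source restriction, SSH open to the whole inside network, and, for
# contrast, two correctly narrowed management lines.
SAMPLE_CONFIG = """\
hostname fw-edge
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
http 10.20.30.0 255.255.255.0 inside
ssh 10.20.30.5 255.255.255.255 inside
"""

# ASA management-access lines take the form: <proto> <source-ip> <mask> <interface>
MGMT_LINE = re.compile(
    r"^(http|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def prefix_length(mask: str) -> int:
    """Count the set bits of a dotted-decimal netmask (255.255.255.0 -> 24)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def audit_management_access(config: str,
                            untrusted_ifaces: Tuple[str, ...] = ("outside",)) -> List[Dict]:
    """Return one finding per management-access line that is too permissive."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        m = MGMT_LINE.match(raw.strip())
        if not m:
            continue  # not a management-access statement
        proto, src, mask, iface = m.groups()
        bits = prefix_length(mask)
        if bits == 0:  # 0.0.0.0 0.0.0.0: any source may reach the admin service
            reason = f"{proto} management open to any source on '{iface}'"
        elif iface in untrusted_ifaces and bits < 32:  # Internet-facing, not a single host
            reason = f"{proto} management on untrusted '{iface}' not limited to one host"
        else:
            continue  # adequately restricted
        findings.append({"line": lineno, "text": raw.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_management_access(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['text']}  <- {f['reason']}")
```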
In the course of doing their work, the investigators conducted a scan of the bank’s network to establish whether an internal malicious user could sniff and acquire the bank’s unencrypted passwords. True to this, within seconds, they were able to see several clear-text passwords.
It was also discovered that the bank uses Access Point Name (APN) modems for, among other things, backup, remote administration, point-of-sale services and for senior managers. The modems fall into three categories. The first is modems for personal use by senior managers to access the bank’s e-mail and the Internet through a proxy while out of office.
The second category is modems for remote branch connectivity: these act as a fallback in case the branch’s primary link goes down. The last category is modems for administrators, meant for system administration and support of all systems.
“The firewall configurations we obtained upon request from the Manager Networks and Infrastructure had clearly been modified in response to the fraud incident. Given that firewall logs are never backed up or stored offsite, our efforts to recover logs were futile,” the report reads in part.
Bank last conducted penetration test four years ago
Regular penetration testing is a must for any financial institution, as it tests the bank’s defences and preparedness in the event of a cyber-attack. It helps the bank know whether her technical staff, using the resources available, can detect an attack in the offing, take measures to stop it, and as a result prevent it.
However, the investigators noted with concern that the bank’s I.T team was relaxed: they last carried out a penetration test four years ago, in 2012.
“Good practice calls for the bank to conduct attack and penetration testing at least twice a year to harden network and production system considering the high rate of changes in application development and new threats. The more frequent the pen tests, the better as potential threats can be identified before they materialize.”
It was also found that data transmission between the bank and her vendors’ servers was over the Internet. Best practice demands that these links run over a secure connection, preferably using modern cryptographic techniques: a leased line or an encapsulated VPN tunnel is highly recommended, or perhaps end-to-end encryption.
During the investigators’ simulated Man-In-The-Middle attack, it was discovered that the bank’s I.T team uses very weak passwords like “password10”. Besides being transmitted in clear text, such passwords are very easy to guess and crack. Indeed, the investigators found a pattern in password creation, for example password10, password11. This is against best practice as it makes it easy for one to guess the next one.
It was also found that the password for the administrator account on the bank’s main server was freely shared among the bank’s 16 ICT staff. The password for the firewall administrator was also shared freely. These practices are regrettable in an era of high cyber fraud.
It is understood that the bank had no sandbox environment where new scripts and software updates are first tested prior to installation on the live production servers. According to the investigators, this practice is very bad as it exposes the bank to unnecessary back-doors and to the software bugs common in new applications.
Don’t miss part two, coming soon