According to the chair of the SEC, the greatest danger to the world financial system is cybersecurity. And it made me wonder: at what point, while financial transactions are happening, is that money vulnerable?
Mike Buckbee and Kilian Englert joined me for an interesting conversation as I asked about shopping online, using wearables, and how to steal millions from a bank.
Here’s the best of what you might have missed:
Where Do Financial Services And Cyber Security Intersect?
Cindy: Let's say I am shopping online for Korean face masks, and that site uses Magento. It's a really popular web platform and handles about 50 billion dollars in transactions a year.
Mike, you found a really interesting article about a Magento vulnerability. What is this vulnerability doing, and how is it impacting all of these transactions?
Mike: Magento is an open source e-commerce system.
So if you decide, ‘Hey, I want to sell Korean face masks,’ or anything online, you can set this up on your own server and then supply your own credentials through Stripe, or some other bank, or Paypal…
So what Magento supplies is the shopping cart and the ability to show inventory, so it’s like a self-hosted version of Shopify…
There's a single remote code execution issue where someone could execute arbitrary code (it's written in PHP) on the server without being authenticated to it. This is something from which someone would escalate their attack. So maybe they can go in and take all the emails from everyone who ever bought anything from it.
They could maybe change things around. By default, a processor like Stripe won't actually let you store credit cards on the machine, so that's not a part of it. But maybe they could manipulate it so that you could get those out of a transaction, and you wouldn't know.
The worrisome part about this is, it’s one remote code execution, on all Magento instances all over the world. A lot of times people set something up and they don’t maintain it. There’s a real tension between systems like Shopify, where they’re maintained and have security teams, and then there’s “doing it yourself.”
Cindy: So what about places that say your credit card is encrypted?
Mike: In most cases, when people say they are using 256-bit bank-level encryption, what they’re talking about is SSL/TLS, the traffic going over the wire from your computer and to the site is actually encrypted…
Much rarer is actually encrypting the data that’s going on in the systems. And out of the box, Magento wouldn’t be doing that.
Cindy: Who do you trust to go online shopping, because everyone is using the same platform?
Mike: Yeah. Well, to tie it back to the SEC.
Have you heard of Metcalfe’s law?
The more people are in a network, the more objects in a network, the more valuable it is…One computer is pretty nice, but if you have two connected, it’s worth the square of that, and if you have a thousand. So, we have this exploding situation, where we have the internet, the increase in technology, everything is getting more and more networked, and everything is getting more and more valuable and because of that, it’s getting more and more tempting.
The SEC is worried about financial cybersecurity because everything is networked. One person, strategically placed inside a big financial institution, can wreak havoc around the world, literally. It's not hyperbole.
IoT Connected To Bank Accounts
Cindy: Yeah, I'm just thinking about networks and the Internet of Things. There's this new wearable device that gives you an electric shock every time you go over budget. It's great that it's helping me break a bad habit, but it's connected to my bank account. How secure is my bank account when it's linked to my wearable?
Kilian: There are a lot of factors that come into play. Assuming there isn't a direct integration, you have to give it credentials for your wearable to connect to your bank account. Your credentials to log into the bank account are being stored somewhere else… in a database.
And if you look at a lot of the big attacks, one of the easiest things for the bad guys to do is exploit a SQL injection, for instance. If the fields aren't protected properly, you could run a really simple table query and pull up a lot of information you're not supposed to see. And there are a lot of automated tools to do that.
As soon as you entrust your bank credentials to some other third party, and they're stored somewhere else, you run the risk of someone taking your credentials to log in to your bank site directly.
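Editor's added example, not part of the conversation above: a small Python/sqlite3 script that plays out Kilian's point about a third-party service storing your bank credentials in a database and losing them to a "really simple table query", and Mike's earlier point that TLS on the wire does nothing for data sitting unencrypted at rest. The service, its tables, and the sample rows are all constructed for illustration; the vulnerable lookup concatenates user input into SQL, the safe one uses a bound parameter, and two classic payloads show how the vulnerable version first dumps every row of the credentials table and then reaches into a second table the query was never meant to touch.

```python
import sqlite3

# Constructed sample data (hypothetical): what a careless wearable/budgeting
# service might store after you hand it your online-banking login. Note the
# bank password is stored in plaintext; TLS protected it in transit only.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "alice-bank-login", "hunter2"),
    ("bob@example.com", "bob-bank-login", "correct horse battery staple"),
    ("carol@example.com", "carol-bank-login", "Tr0ub4dor&3"),
]
# A second, unrelated table the account lookup should never expose.
SAMPLE_SESSIONS = [
    ("alice@example.com", "sess-0f3a9c"),
    ("bob@example.com", "sess-77d1e2"),
]


def build_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, bank_user TEXT, bank_pass TEXT)")
    conn.execute("CREATE TABLE sessions (email TEXT, token TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string formatting: the untrusted value becomes SQL."""
    query = "SELECT bank_user, bank_pass FROM accounts WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Same query with a bound parameter: the value can never change the SQL."""
    query = "SELECT bank_user, bank_pass FROM accounts WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Payload 1: tautology. The WHERE clause becomes email = '' OR '1'='1',
# which is true for every row, so the whole credentials table comes back.
TAUTOLOGY = "' OR '1'='1"

# Payload 2: UNION. Closes the string, appends a SELECT against a different
# table with the same column count, and comments out the trailing quote.
UNION = "x' UNION SELECT email, token FROM sessions --"


def demo():
    """Run both lookups against both payloads and return the results."""
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_safe": lookup_safe(conn, UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The safe lookups return no rows for either payload because the driver sends the payload as a literal value rather than as SQL text. Parameterized queries fix the injection, but the plaintext `bank_pass` column is still a liability for any other path into the database (backups, a stolen disk, the remote code execution Mike described); the credentials should not be stored in recoverable form at all if the integration can be done with a scoped token instead.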
How Is It Possible To Steal 951 Million From A Bank?
Cindy: There was a scenario where an insider got unauthorized access to a bank in Bangladesh and then instructed an American bank to transfer money from the bank in Bangladesh to an account in the Philippines. They tried to steal 951 million dollars, how is that even possible?
Mike: It was really interesting… there was a tremendous amount of insider information. One of the things that was happening: as transactions were going through, one of the approval steps was that PCL commands were being sent across the network to individual printers.
It sounds like sort of a kludge. To get old systems running on mainframes to work with newer networks, for transactions over a certain amount, they would print out a notice and someone, like an executive, would check, 'Oh, 15 million is going to leave our bank today. We should physically sign off on this.'
One of the hackers suppressed this command, so some of the safeguards were missing. The assumption is, you needed to be intimately familiar with…this opportunity.
When You’re Shopping Online, How Can You Protect Your Privacy?
What were your favorite tips from Troy Hunt? Or your own tip?
Cindy: Create a fake email.
Mike: Use Tor, the anonymity-focused system!
Kilian: Use paypal when shopping online!
- Follow the Inside Out Security Show panel on Twitter @infosec_podcast