Hey, you! Want to know a secret? Your adversaries are after money. Leaving the "cyber shoot-outs" of governments aside, no sophisticated attack happens without an economic benefit. Attackers don't care where the money comes from. However, they do care about efficiency. They do not compromise web server after web server hoping for some loot that can be turned into profit. Instead they go after the places where people store and move their money. Financial institutions have been battling attacks against their customers and their infrastructure since their services entered the Internet. It's an arms race, and if you are involved you need to keep up. We are proud to have Konstantinos Karagiannis at DeepSec 2013 talking about the future of banking and financial attacks.
Advanced User Enumeration and DDoS
Every attack needs a proper target. When it comes to accounts, the user identifications (IDs) are your targets (think of them as the login part). Adversaries will try to collect them during reconnaissance when preparing their move. Since the user ID is part of the account credentials, it should be protected in the same way as the password. Surprisingly few organisations go out of their way to protect user IDs. It is only a matter of time before they get harvested. This opens two attack vectors. Compromising the account is the obvious one. The second is to lock users out. This works if the application suspends the account after a couple of unsuccessful logins. If you don't care about gaining access, you can lock out others and thus stage a (distributed) denial of service attack.
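As an added illustration of the two attack vectors just described (not code from this post or from the talk): a constructed login handler that confirms valid user IDs through its error messages and lets anyone who knows an ID lock the account, next to a hardened variant that answers uniformly, does the same password work for unknown IDs, and throttles per (client, user) pair instead of locking the account. The user `alice`, the passwords and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
# Constructed demo user store (not a real system): username -> (salt, PBKDF2 hash).
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential checked for unknown IDs so unknown and known IDs cost the same.
_DUMMY = (_SALT, _hash("placeholder", _SALT))

class LeakyLogin:
    """Weak design: distinct errors confirm valid IDs, and a per-account lock
    lets anyone who knows an ID lock its owner out."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()
    def login(self, user: str, pw: str) -> str:
        if user not in USERS:
            return "unknown user"          # enumeration oracle
        if user in self.locked:
            return "account locked"
        salt, stored = USERS[user]
        if hmac.compare_digest(_hash(pw, salt), stored):
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= 3:
            self.locked.add(user)          # any third party can trigger this
        return "wrong password"

class HardenedLogin:
    """Uniform response, same work for unknown IDs, and throttling keyed on
    (client, user) so one client's failures do not lock the account's owner out."""
    def __init__(self, limit: int = 3, window: int = 60):
        self.attempts, self.limit, self.window = defaultdict(deque), limit, window
    def login(self, client: str, user: str, pw: str, now: float) -> str:
        q = self.attempts[(client, user)]
        while q and now - q[0] > self.window:   # sliding window of recent failures
            q.popleft()
        if len(q) >= self.limit:
            return "rejected"              # throttled for this client only
        salt, stored = USERS.get(user, _DUMMY)
        candidate = _hash(pw, salt)        # computed before the existence check
        if user in USERS and hmac.compare_digest(candidate, stored):
            q.clear()
            return "ok"
        q.append(now)
        return "rejected"
```

The leaky handler lets a third party lock `alice` out with three guesses, while the hardened one only throttles the guessing client and the real owner still logs in from their own client.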
Trading Turret and Timing Attacks
Competition is hard in the financial sector. Combine this with online resources that absolutely need to stay online and you have very fertile ground for attacks that push services off the Internet. This is especially dangerous for time-critical transactions at stock markets. Network-based attacks that delay transactions by mere milliseconds can cost millions of dollars. The motive is there, so the motivation for undertaking such attacks will follow.
Internal User Attacks and APTs
Attacks do not come from the outside only. Imagine attackers are inside your financial organisation. They could have gained a foothold by using elusive advanced persistent threats (APTs) to get their attack tools into position. If your defences only face outward, your adversaries have an unobstructed view of your internal network. From there they can do a lot more damage. APT cases have been documented. Right now they are rare and expensive, but if the profits are right, this might change.
External User Attacks and MitE
Malicious software evolves, just like any other software product. It even comes with a warranty. This means that the developers follow the evolution of the defence mechanisms and constantly adapt to evade them. In turn, attackers no longer need to crack your password or watch your network traffic. They can virtually sit right next to you while you use your trusted session. They can record, intercept and manipulate transactions. This is a classical external attack, but it is carried out from the end-point.
Konstantinos Karagiannis' presentation is an outlook on the future. Just as your adversaries keep track of your defences, you should follow the capabilities of your adversaries. If attacks stopped as soon as we understood their mechanisms, then securing networks, applications and infrastructure would be a whole lot easier. This is why we absolutely recommend attending this talk.