Naavi.org

The UK based Tesco Bank recently observed suspicious transactions in around  40000 Current Accounts and had to temporarily shut down transactions in the accounts. Subsequently it was indicated that about 9000 accounts saw fraudulent withdrawals to the total extent of about UK Sterling 2.5 million (About Rs 21 crores). The average loss per account was around Rs 21000/-.

Some reports allege that over 21000 accounts have seen the fraudulent withdrawals putting the potential loss at over Rs 50 crores.

Most of the fraudulent transactions occurred overseas such as Spain and Brazil.

The exact nature of the breach is yet to be ascertained/published. However it appears to be a hacking of the Bank’s systems at some level caused by failure of internal processes including negligence of intermediary service providers. An investigation by the national crime agency s underway. We may not be surprised if this breach finally leads to some BPO located outside UK hopefully not India.

For More information: Guardian.com report

It is expected that regulators may impose a multi million pound fine. (See report) The share prices have also been adversely affected. Tesco has been offering 3% interest to the current account customers and hence provided competition to other bigger Banks. But this incident could put a brake on its business growth for some time. The general allegation is that the Bank has systematically neglected cyber security and the breach is a result of such compromise…much like the Indian Banks.

The Bank has after the incident taken steps to inform their customers through SMS and has also put up a note prominently on its website indicating the latest position.

 Indian Banks often deliberately avoid notification of  breaches on their website and even to RBI. For such Banks it is important to notice the response of Tesco Bank to the breach.

The complete update as available on the website is available here: 

The update contains an apology, contact information, and an FAQ for further information. In contrast Indian banks fail to admit breach, refuse to refund the amount to the customer, deny their failure to notify customers individually and enter into a prolonged legal battle with the customers.

What RBI and Indian Banks should note

RBI should make a note of this incident and issue suitable instructions on “Data Breach Notification” for Indian Banks. Ofcourse we need to remind that it should not be a toothless advisory but an action oriented directive. RBI should also stop cheating the public with an issue of draft circular for public comment and going silent there after.

It is also recently found that RBI has not provided Banks with any guideline on Social Media Banking and Banks have started using Twitter and Facebook Banking on their own. Even after RBI was questioned in a RTI application, they have not taken any action to distinguish Internet Banking and Mobile Banking from the less secure Twitter and Facebook banking. This gross negligence on the part of RBI will come to haunt Mr Urjit Patel sooner than he may anticipate.

Presently the Banks are grappling with the “Note Exchange” program and in the process using “Mobile Centers” armed with “Micro ATMs”. Customers will be exposing their Banking credentials to these POS machines which could result in a new security risk.

We are not sure if Indian Banks and RBI are alert to the security issues. If the attitude of Vijaya Bank cashiers at M S Ramaiah Hospital in Bengaluru recently (Sitting in a Maruti Van with Open doors and dispensing cash instead of closing the doors and operating through the window) without any physical security, is any indication, Banks could be not even aware of the risks to which they are exposing themselves and their customers in a bid to satisfy the critical politicians of the opposition who are anyway habitual critics to be ignored.

Hope the current crisis in Indian banks pass off peacefully without a Tesco or SBI Card type of incident recurring.

Naavi

In the recent DDOS attacks on OVH and DYN, the attacks were committed with redirection of terrabytes of data using botnets of video devices.

It is already known that earlier botnets of millions of computers were being created to conduct such attacks. Now it appears that in certain cases, data traffic of as little as 4Mb per second could bring down networks.

A research organization TDC has reported that a single laptop producing around 180 Mbits per second can send certain commands that can trick the firewalls of CISCO and others to bring down the network.

More details are available here

Security managers need to check the vulnerability in their servers and implement the corrective steps that are being recommended by the security companies.

Naavi

n amendment bill has been tabled in Australia to amend the Privacy Act 1988 to prohibit conduct related to the re-identification of de-identified personal information published or released by Government entities. (See Details here)

According to the provisions of the amendment, when an agency is entrusted with de-identified information, they shall not act in any manner that the de-identified information gets re-identified.

The exception to the rule is when

 (i)  the act was done in connection with the performance of the agency’s functions or activities; or

  (ii)  the agency was required or authorised to do the act by or under an Australian law or a court/tribunal order.

(iii) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and  the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract.

(iv)  the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and  the act was done in accordance with the agreement.

(v)  the entity is an exempt entity for the purposes of this section in accordance with a determination in force and  the act was done for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.

The penalty for the offence could be an imprisonment upto 2 years and also civil fines.

There is also a provision for “Disclosure” if re-identification is done failing which there could be civil and criminal penalties.

The amendment indicates a specific attempt to focus on prevention of re-identification and enhances the Privacy protection.

In the Indian Context a protection of this nature is implicit in the contractual agreement of the sub contractor failing which the responsibility for disclosure lies with the agency (which is recognized as an “intermediary” in the ITA 2008)

The DDOS attack on the Internet service provider Dyn which suffered a massive DDOS attack on October 21 with  1.2 Terra Bytes of data directed from about 145000 CCTV/DVR instruments working as a botnet shook up US internet and brought down many critical services. (Dyn headquartered in New Hampshire offers DNS services to resolve internet addresses and when it fails, the users were unable to reach several popular websites.)

 (Report in Wired.com). ( Also see earlier report on OVH attack in naavi.org)

While the DDOS attacks on DNS service providers or others is not new, what attracted attention in this case was that the botnet consisted not of computer zombies but the CCTV cameras and DVRs working within many corporate networks and public utilities. These devices working on IP connections send the images captured to a central server and being a video files, the data size is large. Most of these devices are configured with a default password as supplied by the manufacturers which is either known or can be easily broken.

The available network of such devices with IP addresses are easily searchable in some search engines such as Shodan and therefore an easy fodder for those who are trying to do mischief.

In fact just a few weeks earlier, another similar attack had been launched on OVH a web hosting company. The attack on OVH failed to evoke preventive steps which lead to the next attack on Dyn. Even now if one searches Shodan search engine it spits out the IP addresses of about 27000 cameras in Germany, 26000 in US and about 1000 in India. Hackers use an exploit that can bruteforce these devices and divert the feeds to a target server to cause a DDOS attack.

The Shodan search engine also showed 48 Banking hosts in India whose IP addresses could be easily obtained for further analysis. May be these are not exploitable, but it indicates how the internet facing devices may easily be open to attacks from unknown persons. While servers used by Banks and other responsible users may have a tough password which cannot be easily broken, the same cannot be said of IoT devices used by common people.

The “Mirai” malware is one of the tools with which these DDOS attacks are being carried out.  One can see the latest Mirai attack map (fossbyte.com) and how the attacks are spread all over the globe including India.  

Now the news has just come that the latest Mirai Botnet attack has brought down the internet in the entire West African country of  Liberia.  (See report here). This could be a test attack and would be followed by another attack elsewhere soon.

In the map above India is showing a huge number of attacks.

A realtime Mirai botnet infection activity  shown in the adjoining  picture shows intense activity in India including around Bangalore.  How these  infections will play out is anybody’s guess. If there are any further DDOS attacks in which  the devices owned by the infected systems participate, there would be a “Cyber Crime” incidence and possible prosecution under Section 66 read along with Section 79 of ITA 2008.

If the attack is on a nation crippling attack like the Liberian attack then such devices would be exposed to the charge of a “Cyber Terror Attack” or participating in a “Cyber War” on an otherwise friendly country.

Information Security professionals working in companies in which any Internet facing devices are being used need to first check if these devices are secured from external attack. Each CCTV exposed to IP should be secured like a “Server” containing “Confidential Data”.

At a time we in India are facing cyber attack challenges from Pakistan and China, it is essential that we take care that our assets are not part of an international botnet that can cause DDOS attacks elsewhere.

Some of these devices may actually be owned an operated by Government agencies where the security awareness may be insufficient. Just yesterday, it was reported that the Digital India website had been hacked indicating the security vulnerabilities of high profile websites maintained by the Government. I will therefore not be surprised if there are a number of IP devices including CCTVs in Government hospitals, Departments, Public sector companies and also with the Police as part of traffic management systems which are capable of being compromised and made part of the Mirai botnet.

I therefore urge the Government to undertake a study of the security of IP connected CCTVs to start with and secure them before it is too late.

Naavi

It has been pointed out in these columns that after the recent changes made in the account numbering system in Corporation Bank there have been many customer service issues. One issue that was pointed out was that though the account numbers were changed a few months back and the new cheque books carrying the new account numbers have been issued to the customers, the back end system is still not migrated to the new systems.

As a result, I had pointed out that any NEFT remittances sent to the new account number was not being accepted by the system and is being returned. It was pointed out that this amounted to a “Denial Of Service” to the customer which amounted to both “Deficiency of Service” under Consumer Protection Act and a cognizable offence under ITA 2008.

Today I observed two other issues. some of the customers who had linked their Gas Agency accounts to corporation bank account for the purpose of LPG subsidy are finding that the subsidy is not getting credited to their account. This means that the gas agency is sending the payment to the old or new account number which is getting rejected by the system. If this money goes back to the gas agency there is a possibility that it can never be recovered from the Indian Oil or HP.

I also observed that within the branch, the systems are still working under the old account system and the system is not able to recall the specimen signatures of the customers with the new numbers. The staff therefore has a problem to identify the old number and pick up the specimen signature before a cheque can be passed.

All this indicates that there is a serious flaw in the implementation of the new account numbering system. First of all it is not clear why the Bank had to change the account numbering system. They had already migrated from the old manual system to a 15 digit account numbering system which had the IFSC code, the account code and the old account number as part of the number. It was easier to remember and was already in use. The new account numbering system is a completely new set of numbers which does not identify the branch IFSC or the old account number. It appears that who ever provided the core banking system could not use the legacy account numbering system of the Bank and persuaded the bank to change its account numbering system to suit the deficient core banking system and this has led to all the problems.

There is an indication that a deficient system was thrust on the Bank without proper technical evaluation. Some body must be held accountable for this decision which is apparently does not indicate a good business decision.

I will be happy to know from the Bank if this inference is incorrect.

In the meantime, the status of the system gives rise to a possible information security risk which needs to be attended to. If the mapping of the old and new account numbers is not working, then it is quite possible that the linkng of mobile numbers of the customers to their accounts as well as their Debit and ATM cards may also get affected. This could result in problems for the customers and phishing opportunities for the fraudsters who may call the Bank customers with offers to change the ATM/Debit cards and ask for card details for committing frauds.

It is also possible that the accounts may be wrongly linked to other accounts. (Recently I found such a flaw in the NPCI when my HDFC Bank account was linked to an unknown mobile number which was subsequently corrected on my complaint). This could result in fraudulent encashments as well as denial of genuine service requests.

There is therefore a need for RBI to make an information security audit of Corporation Bank system pertaining to the new migration of accounts from the old system to the new system. Additionally the share holders of the Bank should demand that the management explain if the decision to change the systems was warranted by any business requirement or was a result of somebody puling the right strings.

Naavi