27

From reading a lot of info on this website I came to the conclusion that if someone with enough skill really badly wants to gain access somewhere, then there is absolutely nothing stopping them from doing so. Additionally I learned that getting access to a company computer is much easier than a singular computer at home.

However, I am completely confused. What exactly prevents someone from, for example, stalking one (or more) of the bank employees, getting information on them and then gaining access into their system? As far as I have seen, financial fields have some of the most soul-sucking programming tasks, which usually end up in a small amount of security holes. So what would prevent someone from waltzing into the bank's system, causing gigantic chaos (not for the sake of stealing money, but for the sake of screwing them up), and then walking out?

For example I know from internal sources that this has one of the worst security methods implemented. This makes me assume that this is not the first software that a bank would release that would allow data to be stolen and/or modified.

Does this actually happen but the banks do not care because they suffer very small damages? Or is a bank completely impossible to get into and destroy data?

Quillion
  • 26
    In a nutshell: your premise is invalid: banks do get hacked. However, they have a lot of infrastructure in place to trace the perpetrators, to keep going if a subsystem fails, and to put a muzzle on people reporting incidents. Also, compared with their total budget, the damages do end up fairly small most of the time. – Gilles 'SO- stop being evil' Nov 07 '13 at 21:26
  • _If someone with enough skill really badly wants to gain access..._ - Well, what is enough skill to break into, let's say, some Google servers? And if you have that amount of skill, you already work there. – Jeyekomon Nov 07 '13 at 22:23
  • They don't? That's news to me... Citation please. – Fiasco Labs Nov 08 '13 at 02:43
  • 1
    Even if you do manage it, get caught and you're in big trouble. And just as there's no 100% solid way to secure an organisation, there's no 100% solid way to hide an infiltration. – AlbeyAmakiir Nov 08 '13 at 05:24
  • They do, often, but not usually seriously. They have massive amounts of security measures in place, and a key part of this is the early detection of attacks. By noticing sooner they limit damage, and what they lose they write off. One of the most valuable system cracks of all time was CitiBank, when their VAX/VMS system was hacked in the 80s. – Owen Nov 08 '13 at 14:32
  • Being "too big to fail" also means you get to pass the cost of successful hacking attempts to others. – curiousguy Aug 15 '18 at 22:26
  • Why hack the bank itself when phishing its users is far easier? When doing the dirty, the less noticeable, easier path is the one that people will prefer to use. – T. Sar Aug 17 '18 at 20:34

8 Answers

26

I think it's fair to say that the idea that any large organisation is entirely impervious to attack has been proven false over the last five years or so. Everyone from nation states through large corporations, security consultancies and other security minded companies have had breaches.

One reason that a bank hasn't been thrown into "complete chaos" as you put it is likely down to a combination of the security measures they have in place to react to attacks, the size and complexity of their systems and the motivations of people who have the resources to effectively attack them.

If you think about people who are most motivated to attack banking systems, it's criminals who want to steal money from them. From their perspective there's no reason to cause chaos, they want to get in, steal things and get away without being noticed, if possible.

Rory McCune
  • So no one has ever attempted to try and just destroy it as a practice challenge? And you are saying then that banks are just good at recovering rather than protecting data? – Quillion Nov 07 '13 at 21:43
  • 1
    Exactly, recovery is an important part of business continuity management – Lucas Kauffman Nov 07 '13 at 21:54
  • 2
    @Quillion what I'm saying is that the level of resources and skills necessary to completely destroy a large/complex organisation like a bank aren't something many/any actors would waste on a "practice run" :) I would say that banks are (relative to other organisations) good at protecting and recovering, but these days protection is not absolute so recovery becomes more important. – Rory McCune Nov 07 '13 at 21:57
  • 4
    Also helps that banks are still running really old hardware like AS/400 for core payment processing, which most regular blackhat folk don't have much experience with ;) – Polynomial Nov 07 '13 at 22:09
  • 1
    Oh, and things like PCI-DSS help control the isolation of payment systems, too. – Polynomial Nov 07 '13 at 22:11
  • 1
    Heh, I'm pretty sure none of the guys I know could find a bug in a COBOL framework if it hit them in the face. Not that banks don't still get hacked, even huge ones... – forest Mar 08 '18 at 06:37
  • I see a lot of answers here from people who have clearly never worked for a bank – Gaius Aug 26 '19 at 13:13
9

To turn a quick profit, it is easier to go after end users. This is why there are so many phishing attacks and password-stealing Trojans.

Banks' internet-facing operations tend to be well secured. The internal office environments less so, although they tend to have good AV. This stops casual Metasploit users, although an advanced attacker with zero-day exploits could readily compromise an internal workstation through the browser, and proceed to a major attack.

I expect at the moment both the NSA and Chinese have large scale hacks at many banks around the world. But they wouldn't be so crass as to just wipe the bank. It's far more valuable to quietly sit and harvest data. If they did decide to wipe the bank, there would be backups, but it would be incredibly hard to resume day-to-day operations - you're looking at weeks even with crack teams of contractors on it. The bank would be commercially destroyed.

I read that during the 2nd gulf war the US could have done this to Iraqi banks, but they made a strategic decision not to.

It's a scary world out there :)

paj28
  • Do you have some source about the 2nd gulf war? I would be interested in reading more on this. – Marc-Andre Nov 08 '13 at 14:07
  • 1
    @Marc-Andre there's some info here: http://www.infosecisland.com/blogview/6750-Cyber-Warfare-and-the-Conflict-in-Iraq.html I originally read about this on the Dailydave list, which is worth following. – paj28 Nov 08 '13 at 14:11
6

When one secures a box, he puts in several layers of defense so that, should some "hacker" defeat a protection, the immediate consequences will be limited, and by the time he defeats the next protection layers his action will hopefully be detected and neutralized.

This is for a simple box. Now with a bank, which is one of the largest international institutions and the main body of the financial system, you just multiply these layers at the whole-company level and restrict to the minimum the interaction within them, and for each interaction you define very strict procedures imposing that the more potential impact this interaction has, the more people must be involved (in such domains the four-eyes principle is widely applied).

By widely distributing the responsibilities and the data, you distribute the power, so when a part of the bank gets hacked (or if an employee turns against the system) it provides very little power, so a few backup restorations and access cancellations would most likely annihilate the damage.

However, no system can ever be taken as 100% safe, and that's why what you describe just happens from time to time. For instance, here in France, just a few years ago a trader defeated these protections and caused a loss of 4.9 billion dollars to his bank (see Jérôme Kerviel; it is interesting to note that the most critical dangers are not external hackers as one may think, but internal employees...), and yes, as you said, it was a "gigantic chaos".

So, to answer your question, banks actually get hacked, like any other information system, but hopefully due to their size this does not happen very often.

WhiteWinterWolf
  • 2
    The Jerome Kerviel example is bad, he just used bots to deal automatically, and they ended up screwing everything up. (Unauthorized trading != taking the system) – DrakaSAN Nov 08 '13 at 11:53
  • 1
    @DrakaSAN: bots used to deal automatically are just, as far as I know, daily tools for traders nowadays (see [high frequency trading](http://en.wikipedia.org/wiki/High-frequency_trading)). Jérôme Kerviel used forged emails to gain privileges and avoid some human controls, and exploited the system to insert non-existent operations in order to counterbalance his own and avoid automatic controls. Yes, maybe he did not get 'root' privilege on any server, however I think that such kinds of actions are not as off-topic as that... – WhiteWinterWolf Nov 08 '13 at 13:35
  • 1
    Interesting, I didn't know he had gone that far. I don't know how to say it in English, so in French: "je retire ce que j'ai dit" [I take back what I said]. Thanks for the info. – DrakaSAN Nov 08 '13 at 14:15
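
The four-eyes rule described in the answer above, where higher-impact operations need more people, sketched as an added example (not part of the original answers; the tier thresholds, user names and the `Operation` class are constructed for illustration):

```python
from dataclasses import dataclass, field

# Constructed tiers (assumption): (minimum amount, distinct approvers required).
# Higher potential impact -> more people must sign off.
APPROVAL_TIERS = [(1_000_000, 3), (50_000, 2), (0, 1)]


class ApprovalError(Exception):
    """Raised when a sign-off violates the dual-control rules."""


def approvers_required(amount: int) -> int:
    """Return how many distinct approvers an operation of this size needs."""
    for threshold, needed in APPROVAL_TIERS:
        if amount >= threshold:
            return needed
    raise ValueError("amount must be non-negative")


@dataclass
class Operation:
    initiator: str
    amount: int
    approvals: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def approve(self, user: str) -> None:
        # The initiator never counts as a second pair of eyes.
        if user == self.initiator:
            self.audit_log.append(("rejected_self_approval", user))
            raise ApprovalError("initiator cannot approve own operation")
        # A repeated sign-off by the same person must not count twice.
        if user in self.approvals:
            self.audit_log.append(("rejected_duplicate", user))
            raise ApprovalError("approver already signed off")
        self.approvals.add(user)
        self.audit_log.append(("approved", user))

    def can_execute(self) -> bool:
        """True once enough distinct non-initiator approvals are recorded."""
        return len(self.approvals) >= approvers_required(self.amount)


if __name__ == "__main__":
    op = Operation(initiator="alice", amount=75_000)  # constructed sample
    op.approve("bob")
    print(op.can_execute())  # only one of the two required approvers so far
    op.approve("carol")
    print(op.can_execute())
```

Rejected sign-offs are logged rather than silently dropped, so an attempt to self-approve leaves a trace for the monitoring the other answers mention.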
5

Let's debunk a misconception: banks do get hacked, they are just (way) more controlled than the average company. From my experience as a penetration tester, it is not unusual for banks and financial firms to have vulnerable systems, but there are elements that make them harder to successfully attack.

First of all, banks usually respect the minimum privilege principle, reducing the people allowed to do certain tasks (critical or not) to a limited group. This practice effectively reduces phishing capabilities and also provides a specific perimeter whenever a problem arises (e.g. attack, fraud).

Furthermore, specific country laws often require banks to thoroughly monitor and log activities on their systems, making it harder to perform an attack without being detected in a short amount of time. Also consider that money trails can be followed and stopped (within certain limits) if considered fraudulent.

Finally, banks usually perform several security assessments of their critical applications, especially the ones exposed on the Internet and used by their clients. This effectively lowers the risk of getting hacked, but doesn't eliminate the risk entirely.

In the end, no system is completely secure and the human factor can indeed be the weak link. However, in a heavily controlled environment, such as the one found in banking companies, the efficacy of attacks (external and internal) is mitigated by the severe security implemented.

Gurzo
4

While it sounds odd to someone who is focused only on the technical aspects of hacking into a bank, one reason banks are more secure than many organizations is that they have a comprehensive set of information security policies. These policies guide the organization through many areas that help protect their customers.

A good example is a policy that defines exactly who should have access to what information. By ensuring that only the people in department X can edit the accounts, they limit the ability of an attacker who might be trying to social engineer his way into the accounts. Another policy might be that all passwords are 16+ characters long, and another might state that people with access to cash may not have access to systems, etc. They could have policies on firewalls, IDP devices, USB devices, smart phones, Wi-Fi authentication, etc. A bank might have dozens or even hundreds of these policies.

It's all part of an overall strategy called "defense in depth". Just as you wouldn't call a bank secure simply because their fence gate is locked, you don't rely only on firewalls to stop attackers.

John Deters
3

The critical resource assuring the security of banks is, surprisingly, not technical at all. :)

Most importantly, banks maintain large internal security departments staffed with a considerable number of security specialists. Banks are more or less the only organizations who are capable of footing the bill for this sort of operation.

The rest is rather simple: internal security guys are constantly performing audits and security stings. In fact, bank fraud instigated by employees is very common (dozens of cases per year per bank), but we seldom hear of these things, because normally fraud is rather quickly identified by the security guys, damage reverted and the offenders get kicked out (in a fairly hush-hush manner, so as not to spoil the bank's reputation).

To summarize, the technology is not quite ready yet to solve social problems, thus big battalions and good shots are still necessary to maintain proper security.

oakad
2

It is pretty darn hard to rob a bank, while hacking a bank may just be relatively easier, as well as giving you the obvious advantage of getting away with however much you want to. Just to clarify, banks have security analysts and committees that decide the framework of the security of the servers or the website. As a result, unless you are Jonathan James or Mr McAfee himself, you will require a team or group of dedicated hackers, insider info, and a large chunk of incompetence on the bank's behalf to even think about hacking a bank. If you do ***get away with it***, you can safely retire and spend the rest of your life in a penthouse in Brazil or Isle of Man.

Bangladesh Bank Robbery

650 Million Pounds

13 Million Dollars

So in conclusion, banks are hackable with adequate resources, but extorting money from stupid users would be an easier method of earning money in the summers.

-5

Banks usually buy huge systems to prevent these kinds of attacks and discover vulnerabilities with a click of a button (Qualys for example). Money isn't a problem when it comes to banks. Mostly they do not need highly skilled personnel to defend their systems.

Optimus Prime
  • No technology, no matter how expensive, means that one is impervious to attacks. So much more can go wrong than just vulnerabilities, too. – schroeder Aug 25 '19 at 08:41
  • You have neither worked for a bank nor used Qualys @optimus prime – Gaius Aug 26 '19 at 13:15