A bit of a revisit to an unfortunate breach that was disclosed earlier this year. As it seems the old tricks are still working: customers of a Swedish bank, Nordea, were sent phishing emails and, after following the links, downloading and installing the trojans, and entering their bank logins on fake sites, the blackhats were able to pilfer $1.2 million. It is believed that this cyber-bank-robbery was masterminded by Russian organized criminals. There are a few details to this incident that are surprising, and they should be considered by those in the security field.
- First off – 250 account holders were tricked into following the link. This may be a minor number of individuals, but how did the intruders gain access to the entire bank’s customer database? Is there a deeper concern with regard to the bank’s own security?
- Secondly – none of the customers who were robbed had anti-virus software installed. If this is true, then one could state that the customers didn’t properly address their security due diligence. This would be similar to writing your ATM PIN on the card and giving it to the bartender for the night – not smart.
- Finally – the bank covered the losses! This is a wonderful turn, where the financial institution has taken full responsibility for the management of its clients’ finances, even if the customers made a few mistakes along the way. This is truly a pearl in a sea of corporate strong-arming, and is something that should be commended.
To consider this from a security / risk management point of view – what could have prevented this event from occurring or from lasting 15 months, or lessened the exposure of the bank’s clients? Here are some additions and changes that may be considered by Nordea, or by others of similar size and risk exposure.
Add two-factor authentication on the customer-facing website. This can include technology similar to SiteKey, or another program that presents a user-unique phrase or graphic after the user name has been provided. Once the user acknowledges that the second-factor response is correct, the customer password is entered. This can be done simply, or robustly to the point of introducing randomly changing codes on user keyfobs, such as those from RSA or Secure Computing.
There is not much technology that can be added for this type of attack, as the Nordea spokesman stated that this “…is more of an information rather than a security problem.” The only additional safeguard could be communicating such variances in account activity to the user. This should be mailed in the regular monthly statement and clearly highlight the changes in behavior to the user, i.e. in bold: money transfers occurred that have never occurred before, or a lot of online purchases to XYZ occurred.
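One way to produce such statement highlights, written here as an added example (not code from the original post or from Nordea), with constructed transactions and a constructed threshold of three purchases to one merchant:

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the original post): one customer's past
# statement periods, then the current one. Amounts are in SEK, dates arbitrary.
HISTORY = [
    {"date": date(2007, 1, 5), "type": "transfer", "to": "rent-landlord", "amount": 8500},
    {"date": date(2007, 1, 12), "type": "purchase", "to": "grocery-co", "amount": 620},
    {"date": date(2007, 2, 5), "type": "transfer", "to": "rent-landlord", "amount": 8500},
    {"date": date(2007, 2, 20), "type": "purchase", "to": "grocery-co", "amount": 580},
]
CURRENT = [
    {"date": date(2007, 3, 5), "type": "transfer", "to": "rent-landlord", "amount": 8500},
    {"date": date(2007, 3, 7), "type": "transfer", "to": "unknown-acct-17", "amount": 14000},
    {"date": date(2007, 3, 8), "type": "purchase", "to": "xyz-webshop", "amount": 990},
    {"date": date(2007, 3, 8), "type": "purchase", "to": "xyz-webshop", "amount": 1200},
    {"date": date(2007, 3, 9), "type": "purchase", "to": "xyz-webshop", "amount": 760},
]


def statement_highlights(history, current, spike=3):
    """Return (kind, counterparty, amount) tuples to print in bold on the
    statement: transfers to a recipient never paid before, and a run of at
    least `spike` purchases to one merchant that exceeds the customer's
    busiest past month with that merchant."""
    known_recipients = {t["to"] for t in history if t["type"] == "transfer"}
    past_monthly = Counter()  # (merchant, year, month) -> purchases that month
    for t in history:
        if t["type"] == "purchase":
            past_monthly[(t["to"], t["date"].year, t["date"].month)] += 1
    past_max = Counter()  # merchant -> purchases in the busiest past month
    for (merchant, _, _), n in past_monthly.items():
        past_max[merchant] = max(past_max[merchant], n)

    flagged = []
    for t in current:
        if t["type"] == "transfer" and t["to"] not in known_recipients:
            flagged.append(("first transfer to new recipient", t["to"], t["amount"]))
            known_recipients.add(t["to"])  # one warning per new recipient
    now = Counter(t["to"] for t in current if t["type"] == "purchase")
    for merchant, n in now.items():
        if n >= spike and n > past_max[merchant]:
            total = sum(t["amount"] for t in current if t["to"] == merchant)
            flagged.append(("unusual run of purchases", merchant, total))
    return flagged


if __name__ == "__main__":
    for kind, who, amount in statement_highlights(HISTORY, CURRENT):
        print(f"**{kind.upper()}: {who}, {amount} SEK**")
```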
In total the bank has 2 million clients, so 250 boils down to a very small percentage. All in all, the bank responded commendably once the crime had been discovered, and since the attack required a custom trojan it is dubious that anything but a very strong anti-virus solution would have detected and removed it.
Interesting lessons that should be considered…