
Cybersecurity Module 3: Finance Industry Cyber Attacks

(45 min) - Emmanuel van de Geer


Through security in the banking industry, and specifically I am going to take you through why
information security is different in banks from other industries, and particularly different
compared to the technology industry. I'm gonna take you through my career in banking, and particularly in
security, what banks worry about, and then we're gonna have a bit of a look at Zeus and SpyEye,
which are two specific types of malware which cause banks globally a fair amount of concern. So
why is security different in banking? We'll start with Sutton's Law.
Willie Sutton was a bank robber, and when he was interviewed, some reporter asked him why he
robbed banks, and he said, "Well, that's where the money is." So no surprise--if you work in a
bank, guess what. You actually do get attacked. People try and steal from you all the time
because you have a lot of money. The other reason that it truly is different is because banks work
because customers trust them with their money, right? Banks have to be a safe, reliable, and
secure place, right? So, you know, what would you think if you went to the branch and you
couldn't get your money? What would you think if you went online and the bank wasn't there? So
it's very fundamentally important to banks that we have a safe and reliable place for people to
store their money. Is there a problem with the slides?

Importance of information security in banking (01:31)


So at my bank, we have basically a value promise to our customers. We should heed the rule, all
right? I don't know if you've seen yet the advertisements, but heed the rule actually speaks about
how fundamentally important risk, stability and security of our banking is, all right? The bank is
here for the customers. It's here in good times, it's here in bad times, and we are always there.
You can always take your money out, and you can always get a home loan, all those sorts of
services. It's very, very important that we're there.
And this is particularly important in the current climate, you know, where you've got the GFC and those
sorts of things going on, where people are very concerned about the security of our financial
systems. Sorry, this slide's going wrong. - Slide's not working. - So what you find is that, for
banking, security is less of a technology problem, and it's more an asset to the bank itself, right?
The other reason that security is different in the banking industry is because of the way that
money works, all right, and the way that banking works. And so I'm just gonna take you very, very
briefly through how a bank works and why security risk actually affects how much money we
make.

Workings of a bank (02:53)


So as you're aware--okay, risk management in banking. So as you're aware, the banks have
customers, and the customers are generally in two forms. They're either depositors or investors,
or lenders, right? So a depositor comes along and gives the bank some money; in return,
we give him a small increase either through shares, right, so basically through shareholders or
through people that actually have a deposit account and put money into the deposit account and
you get a small incremental percentage back.
We then take that money and we invest it, right? So the investment could be in assets such as
commodities or we could trade it through FX exchange, or we could give people home loans,
which is an investment for us. And then basically our profit is the difference between how
much we pay to our investors and how much we get back from investing the money ourselves.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public

Page 1 of 10

Module 3: Finance Industry Cyber Attacks

Risk management of a bank: credit, market, operational (03:50)


However, as we discussed before, banks have to be very, very stable places, and there are a
number of issues-- you know, WorldCom, the GFC, those sorts of things, where people said,
"Well, basically banks need to be able to provide for risk incidents, right?" And so to do that, we need
to reserve money aside, all right, and we reserve money aside for three specific
reasons: credit risk, which is the risk that people won't pay it back; market risk, which is the risk that
our assets or the assets of our customers will lose value; and operational risk, and this is where
we're gonna spend a bit of time looking at it. Operational risk encompasses failure of our
processes, platforms, people. Yeah?
So this process of reserving capital aside is called capital allocation, where the amount of the
capital allocated is actually to do with how much risk you have, and you could-- how much fraud
you have, how much tech you have, how many documents you have, all right? So operational risk
is actually made up of all these various things: legal risk, compliance and regulatory risk, internal
fraud, external fraud, security risk, all right?
And we're going to talk a bit about--later on about some of things that we're concerned about,
particularly in terms of external fraud, and things like people getting loans through us and never
paying us back because they forged their identity all the way through to criminals using us for
laundering their own money. And we'll also talk about security risks as well. And how this affects
the bottom line, right, from a banking perspective, is that the more risks the banks have, the more
money it has to reserve, the less it can invest, the less it can make-- less it can invest, less it can
make-- the less it can pay. The less it can pay to its customers, the fewer customers it will have.
So actually security and risk affect what we call the competitive equilibrium, right? How
competitive we are against our competitors, all right? Less risk, in terms of more security, the more
we're in control, the less in turn that we have to reserve. Less capital set aside, and we can afford to
have better deposit returns for our customers, we can afford to make more money. Yeah? So
this--you know, as we talked before, it's a business asset, right. It's not really a technology
problem. And actually it's not really about security, you know, itself. It's a combination of
compliance, fraud, and risk management.
This combined space is called GRC, or governance, risk and compliance. So it wasn't always like
this, right? And in 2000, online fraud was actually unheard of. I know because I was actually
working at a bank in 2000, all right? And in fact, online fraud now costs U.S. banks a lot-- $60
million a year. That's money that people actually steal from U.S. banks, and we're going to later
on and we'll be talking about actually how much money people lose through online fraud and all
that sort of stuff and putting that in context with some other things that we are concerned about.
So a brief history of my career and what a career in security banking can mean to you. So, as I
said before, in 2000, I started my information security career as a firewall engineer, all right, so I
was used to doing network security. I built firewalls. I managed RAS connectivity. I built proxies.
All the sorts of things that you're probably quite familiar with. Today what I do is, I design
systems. I'm kind of like an enterprise architect for a range of capabilities, including operational
risk platforms, anti-money laundering, trade surveillance, as well as all of the security aspects as
well. And a bit about how this all came about, right?

Brief history of online fraud (07:56)


Because in banking, as you know, we've faced a large number of threats over the last ten years
or so, and it really started when phishing started. So phishing was where people actually tried to
trick online banking customers into giving them their username and passwords. This was well
before the days when we had, you know, true two-factor authentication, transaction authorization
control that you're probably familiar with in terms of SMS OTP or tokens. And before that, you
know, online fraud really didn't occur. It really started to emerge when people started to move into
online banking and the Internet started to take off.
Soon after that, sort of around, you know, after we started to put in better controls around
phishing, all right, they moved into man-in-the-browser. And that's some of the Zeus and SpyEye stuff that
we're touching on later on, and these days they're moving into mobiles. So BlackBerrys, iPhones,
that sort of thing. They're migrating them out into there. Sort of around the same time... Right
about the same time, the regulators started to get more interested in banks.
They started in California with the data breach laws. Before the data breach laws existed, if you
lost the information, you didn't tell anyone, right? But now it's actually a regulatory need, and if
you lose customer information in multiple geographies, you have to tell them, and this actually
kicked off a whole range of technologies around data leakage protection and a really big focus on
this issue. Soon after that, and what we talked a bit about around capital allocation, that really
kicked off with Basel II and actually we can see that it's continued on with GFC. I put the TJX data
breach in here because that was a moment when, you know, data leakage became a really big
issue. TJX lost about 14 million credit cards, all right? So Citibank had to cancel those. Main
suppliers had to reissue millions of credit cards at a lot of cost, and they sued TJX for hundreds of
millions of dollars, and the company went down.
One of the other interesting aspects is that we've been seeing more recently, and we'll cover this
in a bit more detail later on, is the evolution of hacktivism recently, all right? We'll talk a bit later
about some of the drivers behind DoS. It's a real trend at the moment through Lulz, Anonymous.
Those sorts of things that are taking off. And just a story about RSA. RSA has a really, really
interesting case. I don't know how many of you are familiar with the RSA incidents, but what we
started to see is a change in attack paradigm. What used to happen was, people would look for a
hole in software, all right, or infrastructure. You know, find a vulnerability, write some code, and they
would then find a target, all right? It wasn't--you know, it wasn't a very good way of attacking
someone to get money out.
What we've seen is a complete change. People choose a target. All right, let's choose a target
first. After choosing a target, then try to find a hole in that target. And this is a big concern to
banks, because, you know, used to be that we could probably pretty well protect ourselves by
managing the technology. All right? But now what we're finding is, that people are turning that
paradigm around, and they're gonna attack us specifically, because we have the money, all right,
and they'll want to steal money, so they're gonna attack us. But RSA took it to a new level. What
they actually did was, they hacked RSA not because they wanted to hack RSA. They hacked
RSA because they wanted to cause a weakness in RSA's customers and specifically three
weapons manufacturers. All right? So this is at the espionage end of, I guess, the security
paradigm, but a very, very disturbing trend. I guess the story behind this is that it's been a
massive evolution in terms of the attacks that banks face, which is good for anyone with a career
in security in banks, because as the threats grow and the role of security in risk management
grows within these organizations, so do the career opportunities for anybody doing security
within the bank.

Banking security concerns (12:31)


So what are banks concerned about, from a security perspective? Obviously we have cards and
transactions, right, so it's this payment processing, you know, both domestic and overseas
payments, credit cards, ATMs. You see a lot of skimming these days. It's always a bit of cat and
mouse between the controls we physically put into ATMs or the controls that we physically put
onto credit cards and the innovation that you see coming out from criminal elements.
These days, with ATM fraud, they do things like they manufacture a complete ATM, right? You
know those free-standing ATMs you see in, like, a 7-Eleven or something? They go off and they
make one that looks exactly the same. Doesn't serve any money. It just skims people's cards and
collects the PINs. They also do things like creating facades for specific banks to do the skimming
as well. It's a very, very, very big multimillion dollar issue, and we'll see a little bit how big it is later
on.
Another one that we're going to talk bit more about is online fraud. Online fraud, holistically in
terms of the entire market is quite big. Banks actually make up a fairly small component of that,
though it's definitely an evolving space. We saw before in terms of, you know, phishing starting in
2000, all the way through to people hacking into people's phones through man-in-the-mobile, to
defraud banks and customers. And there's been some activity particularly in the Asia Pac region
recently. Historically in this geography, Australia has been the focus, but that's starting to move
now.
We have seen insider threats, all right. An insider threat is an interesting one, right, so you would
have seen, you know, perhaps recently in the news something about Credit Suisse and trading
fraud. You would remember SocGen, those sorts of things. They are very, very big issues. They
literally can end a bank. So Barings Bank had a massive trading fraud back in--I think it was the early
1990s, out of Singapore, that actually literally closed the bank down. All right? These are what we
call catastrophic risks. Obviously payments processing. You know, our staff has to be very, very
trusted, but obviously, you know, there's a lot of money flowing through the system. When you
think about, you know, how much money we clear-- we literally clear in terms of moved money in
terms of billions of dollars a day. You know, so there's a lot of room for people to start trying to
sneak money through.
And obviously we talked a bit before about data leakage, information theft. It's a big issue. And
actually, you know, people often don't do it to sell the information; sometimes they're moving
employees, all right? You know, you might have someone who works for us who does corporate
banking and has some very, very influential customers and they move to Citibank and they want
to retain the customers and they take our customer information. And then it's data leakage
again. But data leakage in this context actually has a bit of a broader connotation, because it's
not just an insider threat. Any mistake these days on the Internet is noticed within minutes, so,
you know, I think Citibank lost or exposed a couple of thousand credit card numbers on the
Internet accidentally through their website. All right?
These things, in terms of data leakage, aren't always deliberate, so you have to be absolutely
assured around the services that you're delivering specifically to the Internet to make sure that
the content that you're providing is deliberate content, all right? You're not accidentally publishing
some of this information. And of course denial-of-service. As we talked a bit before about
hacktivism, right? So I'm just gonna talk about what the motivations behind denial-of-service are.
So broadly speaking, denial-of-service falls into three categories.
There's geopolitical tensions, all right? So this is a Taiwan-- you know, sites going down, or a
South Korean site going down, and generally it's because, you know, there's geopolitical tensions
between China and Taiwan, or North Korea and South Korea, or China and the U.S. Hacktivism,
obviously there's a major move on hacktivism at the moment, and that is loosely related to
geopolitical, but it's much more around crowd sourcing. All right? This is, you know, similar to the
Arab Spring context where people are voicing-- a bit of protesting in the streets. You know,
they're joining Anonymous and downloading the Low Orbit Ion Cannon, if you've ever heard of
that, and targeting sites in a coordinated fashion.
And lastly, there's extortion. Now, extortion, I think a couple slides back I talked a bit about the
DoS that was occurring until the mid-2000s. Extortion used to be the key reason for DoS. And
that changed; it doesn't happen that much anymore. But people--what used to happen was that
organized crime would literally DoS a major organization, like a bank, as an example, and then
demand payment to make it stop. Now obviously, with things like banks, it doesn't work very well,
because banks don't do that sort of negotiation, all right? But gaming sites, gambling sites,
pornography sites, would generally pay up.

One of the key questions that someone like me asks is, when we start to remove or enhance the
controls in online banking, the criminals aren't going to go away. They earn money now; they're
gonna want to retain that money. And in fact, you know, the criminals that we're dealing with
aren't, you know-- they're not individuals. They're organized crime, generally out of Eastern
Europe, but serious business, right? They make a lot of money, they employ a lot of people, and
they're not gonna disappear. So one of the key things for us is keeping an eye on this one to
make sure that they don't-- you know, if they're locked out of online banking, we're really exposed,
particularly to DoS, and they've got to come back to that sort of way of making money.
But if you have a look over the last year, and this is a new phenomenon, it actually started sort of
toward the end of 2010, is that almost all of the major DoS incidents have been hacktivism, all
right, people protesting. And actually just recently there was a broad-ranging denial-of-service on
all the banks in Brazil, which was orchestrated by Anonymous. Bank of America also got DoS'd,
because in the middle of being resuscitated by the government after the GFC, they decided to
slap a $5 fee on top of the debit cards. The customers didn't like it very much, and they got
DoS'd. I think one of the ones that I'm watching at the moment quite closely is the movement in
Australia.
So in Australia, there's been a large amount of layoffs, from financial organizations and major
organizations like Qantas, and so you might suspect that that might incentivize some people to
band together and protest about it. But it's a very interesting movement, right, away from
criminals and into democratized sort of protests, but nonetheless, still quite a pertinent risk
to an organization. It obviously needs to be up and available all the time.

Zeus and SpyEye (20:06)


So I'm gonna talk about now, I'm gonna do a bit more of a deep dive in terms of Zeus and
SpyEye and some of the things that banks all around the world are seeing. So Zeus and
SpyEye, if you don't know, they're two specific variants of malware, and in fact they call it
crimeware. Zeus used to be the number one player in that space and constituted 80% of all online
fraud globally. SpyEye is a newcomer to the area and is changing, particularly the way that it
attacks, and also the targets it's choosing have changed recently, and in fact what's happened is,
they've joined forces. So what you're seeing now is that Zeus and SpyEye are more of a blended
product.
Now, these things, interestingly enough, are software-as-a-service crimeware, all right? So the
people that make this code aren't the people that use it. They sell it; they sell it to other people to
actually steal money from banks. So it's actually something you can purchase. It's generally used
in conjunction with another kit called the Phoenix Exploit Kit, and that's used for developing
exploits for browsers, and so the general mechanisms by which these sorts of malware get into
your machine is by what is called a drive-by download. Drive-by download means you browse a
site and it exploits your browser and installs the malware without you even knowing it.
One of the other ones we're keeping a very close eye on is drive-by jailbreaks. Similarly, you
know, familiar with jailbreakme.com, using that, you know, in a different context to install malware
on the phone. So these are the sorts of things that occur quite a lot. Now, the reason why these
things are successful is because people generally don't do the right thing by themselves. So a lot
of people don't run antivirus in their home machine. If they do, it's out of date. They never patch
their OS. Most people with an Android handset don't even conceive of running antivirus on their
Android handset, right? Not something you think you would have to do. But nevertheless, you
definitely do have to do it.
So what are the impacts? So here you see, roughly, in local currency, the values that
banks lose annually. In the U.S., it's about $60 million U.S. In the U.K., it's about 50 million
pounds a year, which is about $70 million U.S. a year. Australia is-- it fluctuates, but it's around
$20 million a year. Europe also gets impacted. Now, the value you can't actually publicly find out,
but it is fairly significant there. So looking at this, you're going, "Well, there's probably about $200-
250 million worth of revenue to anyone that can defraud banks by this mechanism." That by
anybody's margin is a pretty large sum of money, and this incentivizes a lot of criminals to take on
this road to attack banks, all right? And this is kind of like the Zeus footprint, historical markets of
Europe, U.S., and Australia.
What we've seen, particularly in the last 12 months or so, is that SpyEye's really made an
incursion into the market, and we're starting to see it diversify. Specifically, what's happened is,
a lot of the Tier 1 banks have upped their control levels, put in a lot of mechanisms to prevent
Zeus from being successful. What that means is that SpyEye's come in, used a bit of the Zeus
code, really put in some extra capability particularly around regular expression matching, and
it targets Tier 2 banks in those markets, but also heading into Asia, heading into the Middle
East, all right? So they're really diversifying, you know, away from the historical markets.
There's a lot of theories around why they historically only targeted, you know, U.K. and U.S. and
Australia. Around--you know, those markets generally had straight-through processing for
overseas payments, which makes getting money out of the country and into a Latvian bank that
much easier, all right. You know, a lot of banks in, you know, these emerging markets had
historically done manual payments of FX payments, which meant that they were more likely to
pick up fraudulent activity.
I guess the other piece is around money mules. So money mules are people that generally
answer online ads where they can work from home, right, and only need the Internet-- shipping
manager, marketing consultant, these sorts of ads-- and the job basically is that, if they get the
job, they hand over their bank account number to the criminals, the criminals use or configure
their malware to transfer local exploits or local hacks of the value of those transactions into their
account locally. They then take that money and go to Western Union and transfer it off to
criminals. So either they're pretty stupid or they're just lucky with the money.
The treatment of money mules actually varies by geography, and, you know, in Australia they're
criminally prosecuted. I think, you know, in most of Asia they haven't-- they don't understand how
to treat them yet. So watch out; don't answer any online ads, all right? Anyway, so this actually
looks pretty bad, all right? It looks like there's a lot of money leaking out. So how bad actually is
it? So this is a graph showing from 2005 to 2010 the online losses to banks in the U.S. and the
U.K. You can see it's a fairly steady increase, all right? So it looks pretty disturbing. This graph in
the green I've added together the online frauds from banks in the U.S. and U.K. markets, and I'm
comparing it to the online fraud from a total market perspective in the U.S. alone.
You see that massive jump in 2009, all right? Something like $600 million was defrauded online,
all right? Not just some banks; from everybody. So the market for online fraud is pretty deep, all
right? There's a lot--you might think about that and go, "Well, actually banks are either doing
pretty well in terms of controlling it, or there's a lot of room for growth for online fraud, I guess."
But we talked a bit about credit card and ATM card fraud, right? So this is a graph of U.K. ATM
card and credit card fraud in the U.K., all right? Actually we've done quite well recently, but if you
look at 2008, you know, 800 million pounds. That's all--that's a lot of money, all right? So, you
know, credit card fraud and ATM fraud is a very big problem. But it's not actually the biggest
problem we have.
Still see the green on the graph, yeah? All right, that's online fraud from U.S. and U.K. The red
are one-off trading frauds. All right? So this is where--I don't know if you know what trading is; it's
the dealing of foreign exchange, securities, commodities, trading-- My bank's a very big trading
bank, which makes a lot of money trading with those sorts of things on the exchanges. These
issues are one-off issues and generally associated with the failure of a thing called segregation of
duty. That means that the person who's actually trading isn't the person who counts the money at
the end of the day. These banks generally fail to do that properly, particularly on the accounting
part, and this is the result.

So SocGen, in the U.S., it's about $7.1 billion U.S. from one incident, all right? Credit Suisse,
around 3 billion. The UBS again, you would have remembered the UBS incident from last year.
So when you actually stop to think about how banks plan their security controls, this is the sort of
analysis that we do. All right? And this is how you can see that someone from network security
background can get quickly dragged into a lot of different problems, a lot of bigger problems, and
a lot of different technologies, all right? And so broadly speaking, you know, trading fraud is
something that we control through identity and access management and specifically identity
compliance. So I'm not sure if you guys knew that, but it's basically where you make sure that
people have the right system accesses to various systems to make sure that this sort of thing
doesn't go on.
So I'm just gonna take you through some of the capabilities, and it's actually an evolution of
capabilities that we see that Zeus and SpyEye sort of can actually undertake. And to do that, first
I'm gonna show you-- I'm gonna take you through a hypothesis or a general view of how banking
generally works, online banking generally works. So you basically have a user. And we're gonna
talk about SMS OTP in this context, so they have a browser and phone and they want to transact
with a bank. So obviously they log in. It goes back to the bank. The bank gives them what we call
an SMS OTP-- one-time password. They enter the one-time password into the bank, and they
are let in. So this was actually quite successful for a period of time, because they had a lot of
problems with phishing. People were giving away their passwords. You know, generally we
regard the password that you use for online banking as already subverted; we don't trust it. All
right? So we're heavily reliant on the magic number that you get through your SMS.
So what's different in a malware scenario? Well, in a malware scenario, there's literally a piece of
malware that exists in the browser. So the https:// and all that sort of stuff, it looks fine. You can't
tell, all right? And what will generally happen is, and this is actually-- what generally happens is
that it's controlled as part of a malware web or a botnet, all right? And there are literally
thousands of these endpoints, where we count these things, you know, in hundreds of thousands.
There are hundreds of thousands, if not millions, of people that have these actively in their
browser now. This is mapped-- is a view of the Zeus command and control servers around the
globe. It was actually taken last week. It's from a site where people actually internationally track
this, all right?
So a number of people like us and a number of other banks, a number of security professionals
actively track the command and the control servers of the Zeus network and they map it out, and
this is actually, you know-- they can actually pull up you know, who owns the server and they can
take it down, they shut it down. This changes on a daily basis, as you can imagine, right? But to
give you a view of just how active it is, that's how many active command and control servers
there were on that specific day, all right? Security professionals see this, you know, particularly
banks. They absolutely try and get these command and control servers shut down, 'cause generally those
services are hosted on hosts that don't know. They've been exploited as well.
Similarly, this is the command and control network at SpyEye. All right? Two different capabilities;
two command and control networks. And they use this for obfuscating where the actual person
orchestrating these attacks, they're controlling these attacks, actually resides. All right? They
route their controls through this mesh, and somewhere probably near as it gets done, there's a
guy sitting there making quite a lot of money.

Compromised browser (32:32)


So... the issue for us and the issue for our customers is because SpyEye and Zeus exist in the
browser, they can mimic the bank and the customer to each other to almost perfection. Very,
very, very difficult to tell the customer that you've been hacked, and it's very, very difficult as a
bank to know that your customer has been defrauded. All right, 'cause it looks like, from a
technology perspective, it looks like normal behavior to us, and to the customer it looks like the
normal banking screen. So to pick up on this stuff, there's a number of technologies and there's a
number of things you can do.

From a technology perspective, you can look at referrer headers; you can look at changes in the
timing between specific transactions, right? If someone logs in and immediately they're trying to add
a beneficiary or immediately do a third-party payment, the second they log in, that's not
normal behavior, because to get to that screen, you have to click through a couple of, all right,
other screens, like account balance. You know, it's not--so we do this sort of behavioral analysis
as well, which, you know, we keep registers of the browsers people use, the phones that they
use, all right, to make sure that we can pick up any of these changes.
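The behavioural checks just described, as an added example that is not code from the talk or from any bank: the referrer check, the time-since-login and screens-viewed check before a high-risk action, and the browser/device register lookup, run over a few constructed session events. The event fields, the bank origin, the thresholds and the customer names are all assumptions made for this example.

```python
from dataclasses import dataclass

# All names, thresholds and sample values below are constructed for this example.
BANK_ORIGIN = "https://online.example-bank.test"   # assumed origin of the bank's site
HIGH_RISK = {"add_beneficiary", "third_party_payment"}
MIN_SECONDS_FROM_LOGIN = 20   # assumed: a person needs longer than this to reach a payment screen
MIN_SCREENS_BEFORE_RISK = 1   # assumed: at least one ordinary screen (e.g. balance) is viewed first


@dataclass(frozen=True)
class Event:
    customer: str
    ts: int            # seconds; constructed values
    action: str        # "login", "view_balance", "add_beneficiary", ...
    user_agent: str
    device_id: str
    referer: str       # Referer header seen by the bank's web tier ("" on login)


@dataclass
class Session:
    login_ts: int
    screens: int = 0   # ordinary screens viewed since login


def analyse(events, device_register):
    """Return alerts as (customer, ts, reason) tuples.

    device_register maps customer -> set of (user_agent, device_id) pairs the
    bank has recorded before.  Events must be ordered by time per customer.
    """
    alerts = []
    sessions = {}
    for ev in events:
        if ev.action == "login":
            sessions[ev.customer] = Session(login_ts=ev.ts)
            known = device_register.get(ev.customer, set())
            if (ev.user_agent, ev.device_id) not in known:
                alerts.append((ev.customer, ev.ts, "login from unregistered browser/device"))
            continue
        # Referrer check: the page that submitted this action should be one of ours.
        if not ev.referer.startswith(BANK_ORIGIN + "/"):
            alerts.append((ev.customer, ev.ts,
                           f"unexpected referer {ev.referer!r} on {ev.action}"))
        sess = sessions.get(ev.customer)
        if sess is None:
            alerts.append((ev.customer, ev.ts, f"{ev.action} without a login"))
            continue
        if ev.action in HIGH_RISK:
            # Timing/sequence check: a human clicks through other screens first.
            elapsed = ev.ts - sess.login_ts
            if elapsed < MIN_SECONDS_FROM_LOGIN or sess.screens < MIN_SCREENS_BEFORE_RISK:
                alerts.append((ev.customer, ev.ts,
                               f"{ev.action} {elapsed}s after login with {sess.screens} screens viewed"))
        else:
            sess.screens += 1
    return alerts


KNOWN_DEVICES = {
    "alice": {("Firefox/10", "dev-a1")},
    "bob": {("Chrome/16", "dev-b1")},
    "carol": {("Safari/5", "dev-c1")},
}

SAMPLE_EVENTS = [
    # alice: login, two ordinary screens, then a new payee - a human-paced session
    Event("alice", 0, "login", "Firefox/10", "dev-a1", ""),
    Event("alice", 15, "view_balance", "Firefox/10", "dev-a1", f"{BANK_ORIGIN}/home"),
    Event("alice", 40, "view_statement", "Firefox/10", "dev-a1", f"{BANK_ORIGIN}/accounts"),
    Event("alice", 90, "add_beneficiary", "Firefox/10", "dev-a1", f"{BANK_ORIGIN}/payees"),
    # bob: payee added 3 s after login with nothing viewed in between
    Event("bob", 100, "login", "Chrome/16", "dev-b1", ""),
    Event("bob", 103, "add_beneficiary", "Chrome/16", "dev-b1", f"{BANK_ORIGIN}/home"),
    # carol: browser/device never recorded for her, then a payment posted from elsewhere
    Event("carol", 200, "login", "Opera/11", "dev-zz", ""),
    Event("carol", 230, "view_balance", "Opera/11", "dev-zz", f"{BANK_ORIGIN}/home"),
    Event("carol", 260, "third_party_payment", "Opera/11", "dev-zz", "https://example.net/"),
]


def run_demo():
    """Run the checks over the constructed events; returns the alert list."""
    return analyse(SAMPLE_EVENTS, KNOWN_DEVICES)


if __name__ == "__main__":
    for customer, ts, reason in run_demo():
        print(f"t={ts:>4}  {customer:<6} {reason}")
```

Alice's session raises nothing; Bob's trips the timing rule and Carol's trips the device register and referrer rules, which is the kind of signal the talk says a bank correlates before trusting the OTP that follows.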
So just in terms of the attacks, right, it all started as an adjunct, right, and this was started as
an adjunct to phishing: a better way of phishing where you didn't have to trick people. And what
they would do is, when a customer logged in, they would literally copy the password off into their
network for later use, and then later on log in and transfer the money, all right? So the banks at that
stage, you know, they'd done a lot of education of customers, saying, "Never put your
password in an email. Always check out the site. Make sure it's us, right? We never ask for it
over the phone," that sort of thing. And so they eventually did get around it. So we, all right,
either tokenized or used SMS OTP to stop them from being successful at this, so we looked smarter.
So what they decided to do was work post-login and during transactions. They generally wait (they don't have to, but they wait) until after you've logged in, and they either flash up a screen that
says, "We're checking security settings," or they actually wait till you're doing transactions, and on
the fly they use regular expressions to actually change the destination account; they actually
route that money out through a different account. And what happens is, we send back the SMS
OTPs: "Here's your magic number for transactional authorization." You type in the
magic number, and off the money goes. This actually is a screen that SpyEye uses, all right? The
post-login screen.
So what happens in this scenario: you log in, you see this screen. In the background, SpyEye
actually enters either "adding you a beneficiary" or just doing a straight third-party payment, and
that generates an OTP. And after you've seen this screen, a special screen says, "Please enter your
OTP to progress. We've validated your security. Enter the OTP," and your money's gone. So if
you see the screen, I can guarantee you that you have been hacked, all right? Incidentally, this is from
a devious site. They use style sheets, all right? So this text always matches; they use style sheets
to actually tone it the right color, to use the right font.
It's very, very, very hard to tell that this is actually a fraudulent injection into the website, all right?
Even the developers of the website look at this and go, "It looks just like our content," all right?
They are very, very good at this, all right? This is actually quite hard to detect, right? So the other
one is post-transaction, and this is one that we've started to see in Europe, particularly in the U.K.
and in Germany, actually.

Post transaction (36:36)


And they got trickier, so in this scenario, you log in and do something like get your account
balance. The request goes back to the bank, all right, so this is generally after you've been
defrauded, and what they do is, they send you a masked account balance. They keep a record of
your old account balance for you while defrauding you so you don't know that you've been
hacked and your money's been stolen. This actually--this is generally so that they can either do
one of two things.
One, so they can get the money out of the country successfully; two, to lengthen the amount of
time before, you know, it's notified, because there's something in other customers; or three, to
keep on hacking you and keep on stealing your money. There's one specific person who was
fooled for months, whole months, and they went, "Oh, where's my pay? Funny me." Called the
bank and there was no money in the account.


Next generation: MitMo (37:42)


Anyway, all right. 'Cause the old account balance was being presented. Quite clever, right? So...
The attacks so far are actually quite easily controllable, using technologies that we have, all right?
Specifically, SMS OTP can be used to control this. The way that we use to control this is, when we
send the OTP, we tell you what the OTP's for, all right? So if you are transferring money, we say,
"This OTP is to send money to your mom. This is her account. This is how much the value is." So
anybody injecting anything or modifying that will get called out, because you'll see something and
go, "I don't want to send, you know, $1000 to this person, because I don't know who they
are," all right? Especially if you thought you were validating, you know, the security.
But, you know, criminals aren't really giving up. There's a lot of money, and they want to
stay here. So they decided to develop MitMo. MitMo is basically a branch of SpyEye and Zeus
that's constructed for mobile devices. It was first seen in Spain at the end of 2010, where it
attacked ING, and it was seen again in Holland at the start of 2011. And it's made some fairly
steady progress.
So this is the timeline of MitMo developments, and it's fairly recent, right? Android's just come out,
so be quite wary of that. I think one of the good things on this front for us is the diversity of
operating systems that are out there for handsets. But as you can see, defending, you know,
Windows, BlackBerry, Android, most of the majors are covered other than iPhone. So this is an
area where we're gonna see absolute development. This is where they're focusing their time, and
this obviously causes a number of issues for SMS OTP. 'Cause if you've Trojaned the phone,
SMS OTP is worthless. Does not work, all right? So if you don't move, you know, you're gonna
lose a lot of money and a lot of customers.

Possible solutions (39:55)


So our prediction is that SMS OTP is dead, and what you're gonna see actually is something like
this. So this is actually a card that was first manufactured in Australia, is manufactured in
Australia. It's been around for several years, but Visa have just picked it up. It's a new card, and
it's actually literally a credit card, and it just has a token on the back. Now, tokens are good,
because they're completely offline. You can't get a Trojan into it. The only problem is, customers
hate them, and, you know, when you think about how you use your online banking services now,
you can use them on your mobile, right, particularly if you've got your iBanking on your
phone and your SMS OTP. If you're very mobile, it's very easy to use. This, unfortunately,
is probably a little bit of a step backwards, but something that we likely would have to do.
So I'm just gonna recap. So information security in banking, right? People steal money; money
lives in banks. You work in a bank, people are gonna try and hack you. All right? Pretty simple
stuff. People trust banks, all right? If you lose your money from the bank, you're probably not
gonna bank there. If a lot of people lose their money from the bank, no one's going back there, all
right? The banks have to be secure and stable in order to retain customers, and, you know, the
fraud and risk impact of bank profitability actually is literally a business problem, all right? Literally
does affect the bottom line of how profitable we are, all right?
So again, you know, if my security is a business problem with a bank, it's not a technology
problem. So in a lot of the other industries, right, information security is viewed as this
technology thing, you know. I'll patch the servers, good antivirus, you know, make it go away. All
right? Not in banks, very, very different, right? Fundamentally part of the business. So I work very,
very, very closely with the fraud department, right. The fraud people aren't technologists. Aren't
technologists in the slightest. There's the kind of-- Compliance. Compliance as well in banks. You
know what? They're not technologists. They need technology to actually stop people from
laundering money, to stop trading fraud from happening, and to stop, you know, credit card and
ATM fraud, to stop online fraud. That's why security is very, very different, all right?
And just a recap again on the predictions. So you're going to see a steady increase in online
fraud, not just targeting banks, right? Broadly speaking. As people transact on the Internet more,



criminals--you know, it took them a while to realize there was money on the Internet. Now they
know it's there, they're really not going away. All right? And I think, while in the graph before you saw
a massive spike in 2009 in online fraud in the U.S., it's started to peter off a bit, and I think
actually it's because people have, you know-- the U.S. economy isn't doing that great; there's not
that much money to steal actually, right? Rather than the criminals giving up, right?
So what's actually happened is, they started to diversify into other markets where there's more
money, all right? The value of the U.S. dollar is going down, so a return on investment to them,
spending the-- hacking someone is less. So they want to go where, you know, the money is. And
you'll see that in-- online fraud banks, you know, there's actually-- there's a lot of growth potential
in there compared to the other frauds that we see, particularly when you talk about credit card
and ATM fraud.
But again, as you lock people out, as you lock criminals out of ATM and credit card fraud, they're
still gonna want money, all right? They'll find other ways to do it, and it's a real arms race, all
right? The pace of change and how rapidly, you know, banks like my bank have to adapt to this
attack change is ever-increasing, all right? It's, you know-- you wouldn't see one year with a
steady attack vector, right? You have to actually be agile enough to change, and when, you
know, your bank employs 90,000 people in 80 different countries, it's very, very difficult to keep
that pace of change up.
The other prediction of mine: mobile security is gonna get worse. It's just starting to take off. I
think that the security habits of most people with mobile phones don't match those of PCs. So their
expectation of how they manage an Android device, all right, is different, right? They don't think
they have to patch it. They don't think that they have to run antivirus. All right? So there's a whole
cultural change that needs to happen for people to actually use mobile devices securely, and
there's a plethora of mobile devices out there, right? You know, we're seeing a mass increase in
the amount of banking services that people use on mobile devices, right? They don't want to sit
down at a PC anymore, right? In fact, they don't have a PC, all right?
If you think about how many people just have an iPad, all right? "I think I want to use online
banking. I just have an iPad." What are you gonna do? You have to deliver online banking to this
device, and you have to make sure it's secure. The other one is the end of SMS OTP. HSBC last
year started rolling out tokens again. They actually invested in a back-code token. They spent six
months in customer service action surveys to make sure that the token worked the way that the
customers wanted it to. They delivered it out, and everyone hated it. So we know we have to do
something in that space, but finding the right tool that has the right utility and the right security is...
And with that, I might open this up for questions.
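Two of the controls described in the talk, the behavioral check on what a session does straight after login (Compromised browser section) and the SMS OTP that states what it authorizes (Next generation: MitMo section), as an added example in Python. This is not the speaker's bank's code and is not from the talk; the event log, the device register, the field names, the 15-second threshold and the HMAC-SHA256 derivation of the code are all constructed assumptions for illustration.

```python
import hmac
import hashlib
from datetime import datetime

# Constructed sample audit events (not real bank logs), in time order.
SAMPLE_EVENTS = [
    # Session A: add-beneficiary 3 seconds after login with no screen viewed in
    # between, the post-login pattern the talk attributes to SpyEye/Zeus.
    {"ts": "2014-03-01T09:00:00", "session": "A", "customer": "c1",
     "device": "fp-111", "action": "login"},
    {"ts": "2014-03-01T09:00:03", "session": "A", "customer": "c1",
     "device": "fp-111", "action": "add_beneficiary",
     "dest": "ACC-MULE-1", "amount": 1000},
    # Session B: a human path, balance screen first, payment two minutes later.
    {"ts": "2014-03-01T10:00:00", "session": "B", "customer": "c2",
     "device": "fp-222", "action": "login"},
    {"ts": "2014-03-01T10:00:40", "session": "B", "customer": "c2",
     "device": "fp-222", "action": "view_balance"},
    {"ts": "2014-03-01T10:02:10", "session": "B", "customer": "c2",
     "device": "fp-222", "action": "third_party_payment",
     "dest": "ACC-MUM", "amount": 200},
    # Session C: plausible timing, but a device never registered for c3.
    {"ts": "2014-03-01T11:00:00", "session": "C", "customer": "c3",
     "device": "fp-999", "action": "login"},
    {"ts": "2014-03-01T11:01:00", "session": "C", "customer": "c3",
     "device": "fp-999", "action": "view_balance"},
    {"ts": "2014-03-01T11:03:00", "session": "C", "customer": "c3",
     "device": "fp-999", "action": "third_party_payment",
     "dest": "ACC-X", "amount": 50},
]

# Register of browser/phone fingerprints previously seen per customer (constructed).
KNOWN_DEVICES = {"c1": {"fp-111"}, "c2": {"fp-222"}, "c3": {"fp-333"}}

MONEY_OUT = {"add_beneficiary", "third_party_payment"}
# Screens a person normally passes through before reaching a payment form.
NAVIGATION = {"view_balance", "view_transactions"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def score_sessions(events, known_devices, min_seconds=15):
    """Return {session_id: [reason, ...]} for sessions whose timing, click
    path or device suggest a browser Trojan is driving them, not a person."""
    by_session = {}
    for ev in events:
        by_session.setdefault(ev["session"], []).append(ev)
    flagged = {}
    for sid, evs in by_session.items():
        reasons = []
        login_at = None
        seen_navigation = False
        for ev in evs:
            if ev["action"] == "login":
                login_at = _parse(ev["ts"])
                seen_navigation = False
                if ev["device"] not in known_devices.get(ev["customer"], set()):
                    reasons.append(f"unregistered device {ev['device']}")
            elif ev["action"] in NAVIGATION:
                seen_navigation = True
            elif ev["action"] in MONEY_OUT and login_at is not None:
                delta = (_parse(ev["ts"]) - login_at).total_seconds()
                if delta < min_seconds:
                    reasons.append(f"{ev['action']} {delta:.0f}s after login")
                if not seen_navigation:
                    reasons.append(f"{ev['action']} with no screen viewed since login")
        if reasons:
            flagged[sid] = reasons
    return flagged


def transaction_otp(secret, customer, dest, amount, nonce, digits=8):
    """Derive the OTP from the transaction it authorises (HMAC-SHA256 over the
    fields, truncated to `digits` decimal digits) and build the SMS text that
    names the destination and amount. Any change to dest or amount yields a
    different code, and the customer can read what they are approving."""
    msg = f"{customer}|{dest}|{amount}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    code = f"{int(mac, 16) % 10 ** digits:0{digits}d}"
    sms = (f"Code {code} authorises a payment of {amount} to account {dest}. "
           f"If you did not set up this payment, do not enter the code.")
    return code, sms


def verify_transaction_otp(secret, customer, dest, amount, nonce, code):
    """Check a submitted code against the transaction as the bank received it."""
    expected, _ = transaction_otp(secret, customer, dest, amount, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    for sid, reasons in score_sessions(SAMPLE_EVENTS, KNOWN_DEVICES).items():
        print(sid, "->", "; ".join(reasons))
    code, sms = transaction_otp(b"bank-otp-secret", "c2", "ACC-MUM", 200, "n-42")
    print(sms)
```

Two caveats the talk itself makes. Binding the code to the destination and amount does not stop a Trojan that initiates the payment itself: the bank then issues a perfectly valid code for the mule transfer, and only the wording of the SMS gives the customer a chance to refuse it. And once the handset is also Trojaned (the MitMo case), the SMS channel is no longer independent of the attacker, which is why the talk expects a move to offline tokens.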
