Bank Attacks Put Password Insecurity Back in the Spotlight

Two separate attacks on banks in the United States and Pakistan revealed this week highlight once again the inherent weakness of a security practice that relies on passwords or knowledge-based credentials to protect critical information.

International bank HSBC said it was a victim of a credential-stuffing and became aware of unauthorized access to online accounts between Oct. 4 and Oct. 14, according to a notice filed with the state of California. Credential stuffing attacks use “botnets” of compromised systems to flood websites with lists of usernames and passwords gathered from data breaches to assume an identity, gather information, or steal money and goods.

Attackers were able to access a plethora of customer information, including full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available, the company said.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the bank said in a statement. “We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identify theft protection service.”

Meanwhile in Pakistan, banks were hit with what officials said is the biggest cyberattack in the country’s history, one that also was traced back to activity that began in October, according to Pakistan’s Computer Emergency Response Team, PakCERT.

Analysis by PakCERT found that data from 19,864 cards belonging to customers of 22 Pakistani banks was up for sale on the dark web in late October. Hackers had used the cards to make transactions unauthorized by the actual account owners, suspicious activity that drew the attention of one Pakistani bank, Bank Islami, which temporarily blocked its international payment scheme. Other banks that had customer cards used and/or dumped on the dark web include the largest bank in the country HBL, as well as UBL, Standard Chartered Bank, MCB and Meezan Bank.

Common attack thread

While these were separate attacks, what both have in common is that attackers exploited the all-too-common practice of using passwords or other knowledge-based credentials to protect critical customer information, one security experts highly frown upon because they’re so easy to exploit.

“With over 5 billion credentials already compromised, it’s clear that expecting security based on passwords or knowledge-based credentials that consumers create and manage is doomed to fail,” said Bimal Gandhi, CEO of security firm Uniken.

Indeed, recent research has found that credential-stuffing attacks are on the rise, particularly in the vulnerable financial industry, where nearly half of financial organizations don’t have resources or protocol to prevent these types of attack. This is resulting in a loss of credibility, profit and other negative effects, researchers said.

Though it hasn’t been revealed, Gandhi said he expects that this method also was used in the Pakistan bank attacks, as it’s a common way bad actors get access to customer card information so they can use it or put it up for sale.

The reason using even multi-factor credentials–not just passwords but also “secret” questions that only authorized users would know–to verify customer identity is that passwords can “often be either easily guessed, phished or socially engineered from the user, or purchased on the dark web where they’re available for sale as a result of various data breaches,” Gandhi said.

Other kinds of credentials also are highly susceptible to attack either because of the user or because the infrastructure that the verification method depends on, he said.

Time’s up for passwords?

It’s not a big news flash that passwords and other credentials are a highly insecure way of protecting sensitive customer data if they are all that stand between hackers and that data, with evidence mounting with every new high-profile attack that surfaces.

Last year a brute-force cyber-attack on U.K.’s Parliament went on for 12 hours, forcing temporary shutdown of the government’s e-mail service as attackers repeatedly tried to guess passwords to gain access.

Companies and agencies with access to sensitive information don’t deliberately try to be targets for attackers, but the nature and sophistication of cyber attacks in today’s political and economic climate demand that they step up even the most careful measures, Gandhi said

“Most banks and institutions are incredibly security minded and careful,” he said. “The masses of consumer data unleashed in recent (unrelated) breaches has provided organized cyber-crime syndicates with opportunities to go after these institutions, and they’re of course constantly probing to see who’s vulnerable.”

To avoid scenarios in which hackers exploit customer information for financial gain or other purposes, Gandhi and other researchers recommend that companies abandon their reliance on passwords and credentials and incorporate a defense-in-depth posture, validating customers and transactions with cryptographic certainty that’s tightly integrated with other authentication factors.

“To secure transactions, institutions need to move to something that a user isn’t required to know, manufacture or receive, and then have to manually enter,” Gandhi said. “Such a move eliminates the ability for the data to be guessed, leaked, phished, socially engineered, mimicked, or captured on the device or over the network.”