UK bank ignored critical 2FA flaw months before Carbanak heist

A main UK bank ignored a serious two-factor-authentication (2FA) flaw months before 'Carbanak' criminals exploited a similar loophole to steal £millions from about 100 banks.

UK bank ignored critical 2FA flaw months before Carbanak heist
UK bank ignored critical 2FA flaw months before Carbanak heist

The issue was brought to a head when UK cyber-security consultancy BronzeEye sent a letter to the Financial Conduct Authority (FCA) and the bank, which remains unnamed due to disclosure agreement, warning both that it had identified 47 vulnerabilities at the bank, including 22 that were deemed critical.

One of these was a weakness in the two-step verification process, often used by banks to authenticate the user on a mobile device, which BronzeEye says could give up “unfettered access” to hackers.

According to the FT – which saw the letter – the loophole would allow an attacker to hijack a user's identity and break into an institution by using a “cross site request forgery”. The bank would find this “extremely difficult to identify”, Bronzeye told the FCA.

Attackers could also potentially access user accounts by targeting customers and workers via phishing emails, with attachments to weaponised documents that would deliver the malware to infiltrate the network.

Despite this, both the FCA and the bank itself reportedly refused to act. The firm said that the bank was not happy to have these problems demonstrated, as they were often intrinsically linked with third-party suppliers, and it was also worried that any investigation could disrupt business service. The bank apparently claimed that the bugs did not exist and that would-be hackers couldn't access client account transactional areas, something BronzeEye said was incorrect.

BronzeEye, which was not contactable at the time of writing, says that other leading high-street UK banks using 2FA would likely be vulnerable.

The FCA refused to comment on the specific issue saying instead that it was “focused on ensuring the right outcomes based on our three operational objectives. We expect firms to provide redress for consumers impacted by cyber-crime, consumers should not lose out as a result of cyber-crime. Management and oversight of the systemic cyber-risks lie with the Bank of England and Prudential Regulation Authority supervision.”

Chris Boyd, malware intelligence analyst at Malwarebytes, said in an email to SCMagazineUK.com: “Unfortunately, two-step verification isn't a magic bullet for security and exploits do crop up from time to time. It's worrying that the bank in question refused to work with the security firm which discovered the exploits, and the possibility is there for major financial fallout down the line, with all the associated bad publicity and stress for those affected.” 

Jarad Carleton, principal consultant for information and communication technologies at Frost & Sullivan, told SC that social engineering via mobile devices is just another trick of the trade for hackers looking to escalate privileges – all without jailbreaking or rooting a device.

“With escalated privileges, the cyber-criminal can obtain log on credentials when a person is doing online banking from the phone,” he said. “They can also do things like track where you are, create a detailed dossier on the person with the infected device to make it easier to thwart fraud detection efforts by the banks. If you think about this for a moment, you realise how this is possible - modern smartphones have our entire lives on them.”

Carleton added that 2FA is not always secure, and said that the FCA was caught between a rock and a hard place as it's not a security company.

“This isn't as simple as it might seem because you can't dictate what solution to use or how to improve security. The FCA doesn't have the expertise of the global security community, so if it were to push for higher standards, it would have to be in consultation with security vendors and these are the same vendors the banks are already working with to try and improve their security posture. 

“If  the FCA were going to insist on anything, it would get the biggest bang for its regulatory effort by insisting that all companies in the financial services industry have mandatory security training exercises two to four times a year. This is the only way to get security issues to be familiar and top of mind for every employee every day.”

Luke Beeson, VP of security UK and global banking and financial markets, BT Security, told SC that while banks are better prepared than most sectors, they will always be targeted by stealthy attackers.

“The Carbanak exploit proves that cyber-defences needs to extend beyond traditional security controls. Employee training and awareness is a critical component in an organisations cyber defence arsenal. However, on its own, this is not enough.”

“The risks to organisations are moving too fast for a purely reactive security approach to be successful. Organisations need to have both a response plan in place, and the adequate resources available to defend and mitigate against an attack. To meet the challenges posed by cyber-security, financial services firms need to adopt a more comprehensive evaluation of their infrastructure making sure that all parts of the business and all IT departments understand the importance of the cyber threat.”

Christian Toon, senior cyber-security expert at PwC UK, added: “Banks, like any other business will operate their protection strategies based on risk, firstly on managing their own vulnerabilities and how they should address them. It is quite common place that organisations don't acknowledge their failings with unauthorised third-parties or media outside of a bounty program. That way they don't confirm or deny the allegations and promote further speculation. They may have taken action to address these issues, or even have them on their plan to remediate already. Government is driving to be more open and transparent, as is the private sector, but there is still work to do . 

“The real talking point here is that on the subject of cyber-security, as an industry we are still isolated in our establishments and do not talk about how we can improve our protection strategies or lessons learnt with our peers.”