One of the many sessions I attended at the RSA Conference Europe this week was entitled 'How to rob an online bank and get away with it'.
This session was presented by Mitja Kolsek from Acros Security. He began by looking at cases of bank robbers and asking why they do it – obviously because that is where the money is. However, traditional bank robbers such as Willie Sutton have now been replaced by hackers, and the money is digital and reached through vulnerabilities.
Kolsek said: “Around 90 per cent of a bank's money is in digital form and a back-end server makes the services. We see attacks migrating to corporate accounts over time and in the future, the attacks against online banking servers will be on the back-end.”
He said that while attacks on individual users are common, they often do not give a high return: banks have added security and users don't have huge amounts of money, so an attacker would have to attack a lot of individuals. Corporate accounts, by contrast, hold a lot of money, and it is easier to take money from them without arousing suspicion.
“If you want to attack a specific company simply go to the certificate directory and find the person who is doing banking for that company,” he said.
Kolsek said: “It is not the attackers' goal to steal the identity of the user to empty their account, so the attacker has to find vulnerabilities to exploit. They do not have to do social engineering, so it is better for the attacker. First, they have to find a vulnerability that helps generate money, so the advantages are obvious.
“As there is no social engineering, there are no suspicious users, only the administrator looking at logs. What is also even more interesting to the attacker is that they can get into the bank and print additional money.”
The process of stealing money, Kolsek said, is about the capability of stealing any amount. “If you can demonstrate with one cent, then you can steal any amount – but it is easier for the bank to fix that,” he said.
Perhaps to legally cover himself, he said that it is possible to get rich without breaking any laws, although he recommended not trying it, as "you may get into problems with your bank".
One way he demonstrated was to convert money into a currency where the conversion leaves you with more than you started with, then use code to repeat the conversion over and over, so turning $100 into €136,40.
“As long as admin knows what we are doing, we found vulnerabilities where you can earn as much as €70,000 as long as no one knows what is going on. With a large bank, you can do more transactions per second so if you do it over the weekend when no one is watching, by the end of week it is legally yours,” he said.
Naturally, a nervous Kolsek said "don't do it or if you do, don't tell them I told you!" There were other more technical demonstrations on how to steal money and aside from being above my capabilities, I probably shouldn't promote them on a security news website.
Kolsek concluded by offering some solutions to banks and application writers to help them defend against attacks on their cash. He recommended OWASP AppSensor, which can make an application aware of attacks and of vulnerability-finding tests and improve reaction times, for example by immediately terminating a user session or slowing a browser down to frustrate the attacker.
He also recommended removing your vulnerabilities and using a penetration tester, as "automated tools don't find them". Regarding the process of converting currencies, he also said that some banks charge a fee for every transaction, so charging a fee or setting a minimum amount can also protect a bank from attack.
Far from enabling a modern bank robber, what Kolsek was detailing was the capabilities that can be achieved by knowing the alternative way and loopholes to achieve your aims. Should this have been permitted at a major security conference? Should I have written this up at all? That is for you to decide, but knowing the flaws can make you more secure, and I believe that is what Kolsek was doing.