Web Bank Attack


The FBI is investigating a June computer intrusion into a web banking company that may have compromised customer accounts at hundreds of U.S. financial institutions, SecurityFocus has learned.

The attack against S1 Corporation's Community and Regional eFinance Solutions Group, renamed from Q UP after an acquisition last year, gave the hacker access to an internal network at the company's Atlanta-based 'Data Center', which handles the web banking needs of approximately 300 small banks and federal credit unions across the country.

The hacker is believed to have cracked the network on June 19th. The company's information security staff discovered the intrusion the next day, and monitored the hacker until June 23rd, when they locked him out. FBI agents began investigating at S1's Austin, Texas office -- where the network is managed -- on Monday, sources said.

An FBI spokesperson could not be reached after business hours Thursday. S1 spokesperson Paul Citarella would neither confirm nor deny the intrusion, citing customer confidentiality. "We, like all organizations, get hacked all the time, or have attempted hacks all the time," said Citarella.

But several sources familiar with the investigation, all speaking on condition of anonymity, said the company is taking the attack seriously, and has already begun notifying client banks that customer account information may have been compromised.

One source said the hacker accessed files in a particular subdirectory on the company's Windows NT network called 'webdata,' which is dedicated to housing web banking customers' login names, paired with an encrypted version of their passwords.

If the hacker reverse engineered the software responsible for logging customers in and out of the system, he could easily crack the encryption algorithm and read the passwords. Armed with that information, the attacker could access customer accounts over the web, potentially obtaining private information, or even plundering bank accounts.

'Drop in the bucket'

The intrusion underscores the vulnerability of Internet banking applications, which can suffer the same security holes as web sites and online storefronts, but seldom receive the same public scrutiny -- in part because of a culture of strict secrecy among financial institutions, and tight nondisclosure agreements that keep would-be whistle-blowers silent.

"When you write your story, make sure people understand that this is a drop in the bucket," said one consultant -- a specialist in evaluating the security of online banking software. "I've broken into every single web banking application I've tried. Sometimes I can just jump from account to account, and I wouldn't be able to target a person. With others I can get your social security number and any other information about you."

The biggest risk, said the consultant, is in electronic bill payment functions, which provide a conduit for a cyber thief to siphon cash out of a victim's account. "Once I get access to their accounts, the first thing I do is set up bill pay to send out money to a mail drop."

The consultant said new FDIC banking regulations are needed to enforce high security standards on Internet banking systems.

Loyal Moses, formerly an information security analyst with S1, and now a critic of the company's security practices, said web-based banking can be made safe, but agreed that regulation was desperately needed.

"As it is now, anybody could write an Internet banking application, take it down to the local bank, and if they like it, great, you're in business," said Moses, currently a security auditor at Grant Thornton, LLP. "It's just like when junk bonds were introduced, there was no regulation. Now you need to file certain papers to sell junk bonds. The same thing needs to happen with financial institutions."

In addition to its Data Center, S1 Corporation's Community and Regional eFinance Solutions Group provides web banking software to small financial institutions for use in-house. Those institutions were not affected by the Data Center hack.

By Kevin Poulsen

