Many banks with less than $50 billion in assets have a problem that payment systems like Apple Pay will make even more attractive to exploit, a team of security researchers says.
By altering electronic-transfer files before they are uploaded to the national transaction clearinghouse, criminals can redirect funds to accounts they control and make off with millions of dollars at a clip, according to researchers at TrustCC, a consultancy specializing in financial institution IT security.
They presented their findings at (ISC)² Security Congress 2014.
The problem is that many banks and credit unions place these sensitive files on their corporate LANs before uploading them to the Automated Clearing House (ACH), a commercial network that processes a variety of financial transactions. That leaves them vulnerable to hackers who have successfully infiltrated the LAN.
While the attack isn't common yet, it could become more so as consumers shift from traditional magnetic-stripe credit cards to more secure chip-and-PIN cards and alternative payment systems such as Apple Pay. These more secure methods will mean more work for professional hackers, say TrustCC researchers Andy Robbins and Brandon Henry.
When that happens, criminals may seek to steal directly from banks because they will present easier targets with larger potential payoffs per compromise, they say. "Then banks are a pretty juicy target," he says.
Victims of the attack the researchers describe would be among the roughly 4,000 banks and credit unions in the U.S. with less than $50 billion in assets, the threshold below which they are considered small banks. Larger banks, which actually control the vast majority of funds involved in ACH transfers, use an architecture that doesn't expose the same vulnerability, Henry says.
But in smaller banks, batch files in ACH format are generally created on the secure core network. At the end of the day they are copied to shares on the corporate LAN so that staff on the institution's accounting team can review them. Once approved, the files are sent to ACH.
The flaw in the system is that the ACH files often sit on those shares for some period of time. If hackers can reach them before the accounting reviewer does, they can alter them, Henry says.
The accountants verify the file control record, specifically its 10-digit entry hash, which is simply the sum of the receiving routing numbers of the entries in the file. The hacker's code therefore alters the routing and account numbers of the relevant entries to divert the transfer to the thieves' accounts and recalculates the control record so it again corresponds to the altered contents; because the check is an arithmetic total rather than a keyed signature, anyone who can write the file can make it balance. If automated, the process takes about a tenth of a second using 35 lines of Python code. "It's so painfully simple any competent programmer could put this together in a day," he says.
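The following is an added example, not TrustCC's script or anything from the presentation, that models the tampering just described and the integrity check a bank could use to catch it. It uses a simplified NACHA-style fixed-width layout (94-character type 6 entry detail and type 9 file control records; batch header and control records are omitted), all routing and account numbers are made up, and the HMAC seal produced by the core system is this example's suggested mitigation rather than anything the article reports the banks doing.

```python
"""Toy model of ACH batch-file tampering and a keyed integrity check.

All records are constructed sample data in a simplified NACHA-style
layout; routing numbers, accounts and the key are invented.
"""
import hashlib
import hmac

# Assumed key known only to the core system that writes the files.
CORE_KEY = b"replace-with-a-key-held-only-by-the-core-system"


def entry_record(tx_code, routing, account, cents, name, trace):
    """Build a 94-char type 6 entry detail record: transaction code,
    8-digit receiving DFI id, check digit, account, amount in cents,
    individual id (blank), name, discretionary data, addenda flag, trace."""
    rec = ("6" + tx_code + routing[:8] + routing[8] + account.ljust(17)
           + f"{cents:010d}" + " " * 15 + name.ljust(22)[:22] + "  " + "0"
           + trace.zfill(15))
    assert len(rec) == 94, len(rec)
    return rec


def entry_hash(entries):
    """Entry hash as used in ACH control records: the sum of the 8-digit
    receiving DFI ids (positions 4-11), rightmost 10 digits on overflow."""
    total = sum(int(e[3:11]) for e in entries)
    return str(total)[-10:].zfill(10)


def file_control(entries, batches=1):
    """Build a 94-char type 9 file control record summarising the entries."""
    debits = sum(int(e[29:39]) for e in entries if e[1:3] in ("27", "37"))
    credits = sum(int(e[29:39]) for e in entries if e[1:3] in ("22", "32"))
    blocks = -(-(len(entries) + 2) // 10)  # 10 records per block, rounded up
    rec = ("9" + f"{batches:06d}" + f"{blocks:06d}" + f"{len(entries):08d}"
           + entry_hash(entries) + f"{debits:012d}" + f"{credits:012d}" + " " * 39)
    assert len(rec) == 94, len(rec)
    return rec


def build_file(entries):
    """Simplified file: entry records followed by the file control record."""
    return "\n".join(entries + [file_control(entries)])


def control_matches(text):
    """The accounting-team check: does the control record's entry hash
    agree with the entries? Passes for any file whose totals balance."""
    records = text.splitlines()
    entries = [r for r in records if r[0] == "6"]
    ctrl = next(r for r in records if r[0] == "9")
    return ctrl[21:31] == entry_hash(entries)


def divert(text, routing, account):
    """The attacker's edit: point every credit entry at the mule account,
    then rebuild the control record so the checksum balances again."""
    entries = []
    for r in text.splitlines():
        if r[0] == "6" and r[1:3] == "22":
            r = r[:3] + routing[:8] + routing[8] + account.ljust(17) + r[29:]
        if r[0] == "6":
            entries.append(r)
    return build_file(entries)


def seal(text, key=CORE_KEY):
    """Mitigation: the core emits an HMAC over the exact bytes it wrote;
    the uploader refuses any file whose tag no longer verifies."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def verify(text, tag, key=CORE_KEY):
    return hmac.compare_digest(seal(text, key), tag)


def demo():
    """Return the outcome of both checks on an original and a diverted file."""
    original = build_file([
        entry_record("22", "011000015", "123456789", 125000, "ACME PAYROLL A", "1"),
        entry_record("22", "021000021", "987654321", 240000, "ACME PAYROLL B", "2"),
    ])
    tag = seal(original)
    tampered = divert(original, "031100209", "555000111")
    return {
        "original_checksum_ok": control_matches(original),
        "tampered_checksum_ok": control_matches(tampered),  # True: checksum is no defence
        "original_hmac_ok": verify(original, tag),
        "tampered_hmac_ok": verify(tampered, tag),  # False: the keyed tag catches the edit
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the demo is the second and fourth results: the recalculated entry hash passes the accountants' check, while the HMAC computed before the file ever reached the LAN share does not, because the attacker on the LAN has no key. The tag would have to be carried out of band (or the reviewer's approval tied to it) and checked by whatever process performs the upload, so that the window between core export and submission is covered.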