SWIFT Network Attacks: 3 Lessons in Cyber Security

It sounds like the plot of a James Bond movie: A band of international bank robbers have made off with nearly $100 million, and bank executives are biting their nails as the thieves remain at large. But these heists happened in real life, and the thieves never actually set foot inside a bank. They used the banks’ access to the SWIFT network – a messaging technology that is little known outside the banking world – to remotely send fraudulent money transfer requests. The high-profile hacks rocked the banking world and threw into question the security of what was once thought to be an impenetrable network.

What is the SWIFT Network?

The Society for Worldwide Interbank Financial Telecommunications, or SWIFT, is not a money transfer system. It is a secure messaging network that financial institutions use to transmit information and instructions to each other. It was created in 1974 as a faster and more secure alternative to Telex messages. SWIFT network member banks use a standardized system of codes to allow banks in different countries to easily communicate.

In February, hackers stole the Central Bank of Bangladesh’s SWIFT network login credentials and used them to make nearly $1 billion in money transfer requests from the bank’s account at the Federal Reserve in New York to accounts in the Philippines and Sri Lanka. Most of the requests were intercepted and flagged for review by U.S. officials, but five went through, for a total of $81 million. Then, in June, officials in Ukraine reported that a bank in that country had lost $10 million to a similar hack.

Ukrainian officials stated that a number of other banks in Russia and Ukraine have been hacked but do not wish to be identified. Additionally, after the Bangladesh SWIFT network hack, a number of banks, most located in Southeast Asia, reported attacks that may have involved the SWIFT network. Since the alleged attacks targeted banks in different countries, each with its own reporting rules, the problem may be far worse than anyone realizes.

Notably, the hackers behind the SWIFT attacks did not actually hack into the SWIFT network. Instead, they used malware to compromise member banks’ systems and remotely access their SWIFT terminals, which they used to send the money transfer requests. However, SWIFT’s reputation has not emerged unscathed. Its CEO has been on a public relations campaign to restore faith in the SWIFT network, promising to implement stronger security procedures on its own end and possibly barring banks with inadequate security procedures from using SWIFT. While there are no competitors that can realistically emerge in the short term, the long-term impact on the future of the SWIFT network is unknown, especially if more banks are hacked and if Western banks begin to fall prey.

Lessons from the SWIFT Network Attacks

Organizations in all industries can learn three primary lessons from the SWIFT attacks:

  • “Security through obscurity” can no longer be banked on. Few people outside of the banking industry have ever heard of SWIFT. In the pre-internet era, proprietary niche networks such as SWIFT enjoyed “security through obscurity”: Almost no one knew they existed, and little information was available about them. Thanks to the internet, this is no longer the case. Plus, hackers have been known to target obscure niche systems because they know they tend to be lax on security.
  • An organization is only as secure as its people. The SWIFT network hackers used login credentials that they stole using keystroke-logging malware, possibly installed through spear-phishing or other human hacking techniques. This highlights the importance of organizations having robust cyber security plans that include continuous employee training on information security awareness and best practices.
  • Appropriate security controls must be established for both people and transactions. In the aftermath of the SWIFT network attacks, JPMorgan Chase and the Bank of England announced they would limit the number of employees with access to SWIFT terminals. Giving employees access only to the systems they need to perform their jobs is a sound practice, and these access levels should be reviewed periodically. Further, different security levels should be established for different types of transactions. A username and password may be sufficient for a customer to log in to their account, but multi-factor authentication and external verification should be required for high-level, sensitive transactions such as large money transfers.
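One way to turn the third lesson into a release gate for outbound payment instructions, written here as an added example (not SWIFT's or any bank's code); the roles, thresholds and request fields are assumptions made for illustration:

```python
"""Step-up controls for outbound payment instructions.

Added example, not SWIFT's or any bank's code. Roles, thresholds and the
request fields are assumptions chosen to illustrate the lesson above.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Entitlement model (assumed): only these roles may submit instructions from
# the payment terminal, each with a per-instruction ceiling. Review this table
# periodically, as the lesson recommends.
ROLE_LIMITS = {"payments-operator": 50_000, "payments-supervisor": 1_000_000}

# Amount thresholds (assumed, same currency as the request) for step-up controls.
MFA_THRESHOLD = 10_000            # above this: second factor at submission
DUAL_CONTROL_THRESHOLD = 100_000  # above this: independent second approver
CALLBACK_THRESHOLD = 500_000      # above this: out-of-band confirmation

@dataclass
class TransferRequest:
    submitter: str
    submitter_role: str
    amount: float
    beneficiary_known: bool            # payee previously verified by the bank
    mfa_verified: bool = False         # second factor presented at submission
    approver: Optional[str] = None     # second person who approved the instruction
    callback_confirmed: bool = False   # confirmed over a separate channel

def required_controls(req: TransferRequest) -> Set[str]:
    """Controls the request must satisfy; stricter for unknown beneficiaries."""
    controls = {"entitlement"}
    if req.amount > MFA_THRESHOLD or not req.beneficiary_known:
        controls.add("mfa")
    if req.amount > DUAL_CONTROL_THRESHOLD:
        controls.add("dual-control")
    if req.amount > CALLBACK_THRESHOLD or not req.beneficiary_known:
        controls.add("callback")
    return controls

def evaluate(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (release_allowed, unmet_controls); an empty list means release."""
    unmet = []
    limit = ROLE_LIMITS.get(req.submitter_role)
    if limit is None:
        unmet.append("entitlement: role may not submit payment instructions")
    elif req.amount > limit:
        unmet.append(f"entitlement: amount exceeds role limit {limit}")
    needed = required_controls(req)
    if "mfa" in needed and not req.mfa_verified:
        unmet.append("mfa: second factor not verified")
    if "dual-control" in needed and req.approver in (None, req.submitter):
        unmet.append("dual-control: independent approver required")
    if "callback" in needed and not req.callback_confirmed:
        unmet.append("callback: out-of-band confirmation missing")
    return (not unmet, unmet)
```

A stolen password alone satisfies none of the step-up checks: a large instruction is still held until a second factor, a second person and an out-of-band confirmation are all present.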

Many organizations do not have the resources to handle all of their information security needs in-house, which is why they should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches.

We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats. Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization.

POS Data Security an Issue for Fast-Food Kiosks

POS Data Security?

The next time you buy a burger at McDonald’s or Wendy’s, a computer may be the one asking, “Would you like fries with that?” After decades of depending on human workers to take orders – and payments – American fast food chains are finally moving into the computer age, driven by rising minimum wages, a tightening labor market, a push for efficiency, and a growing number of internet-savvy consumers who prefer to interact with computers rather than with human clerks.

Rise of the Machines: POS data security will still be a problem.

Discussion of this “Rise of the Machines” in the media has largely centered around the minimum wage and the displacement of low-skilled labor. Missing from the conversation has been any mention of point-of-sale (or POS) system security in these automated ordering systems – even though Wendy’s, which recently announced it will be rolling out ordering kiosks en masse, suffered a POS data security breach earlier this year. The breach compromised approximately 300 locations, went on for several months, and has resulted in a class-action lawsuit accusing the fast-food chain of inadequate data security procedures.

Automated ordering systems are not new. Regional convenience stores Wawa (headquartered near Philadelphia) and Sheetz (a Pittsburgh-area chain), both of which have extensive custom deli and hot foods menus, installed ordering touch screens over a decade ago. However, these systems, unlike the ones Wendy’s and other fast-food restaurants intend to install, only take food orders and do not process customer payments; customers get printed order slips to take to a cashier for payment. And, of course, gas stations, supermarkets, and some retailers have had self-checkout lanes for years.

The surprising thing is that large fast-food chains have taken so long to automate customer ordering and payments – and this is where the concern over POS data security lies.

In some ways, automation in the fast-food industry is similar to automation in the healthcare industry. As mentioned in previous blogs, among the reasons why the healthcare industry is so prone to cyber attacks is that it clung to paper records for years, and when it finally did automate, it did so practically overnight, without any employee training. Similarly, the majority of fast-food companies continued to use human workers long past the time they needed to. The push to automate fast-food ordering is fairly new but very strong; at least one major chain has expressed that it is in a hurry to implement automation in the wake of minimum wage increases on city and state levels.

Since the fast-food industry is known for razor-thin profit margins and aggressive cost-cutting, and making burgers – not POS data security – is its core competency, whether fast-food chains will take cyber security seriously or repeat the mistakes of the healthcare industry remains to be seen.

However, as the ransomware attacks and data breaches that have plagued the healthcare industry have proven, no industry can afford to take a laissez-faire attitude toward cyber security, especially when installing completely new systems. The fast-food industry needs to be proactive as it makes the leap from human clerks to self-serve kiosks. Among the measures restaurants can take are:

  1. Review your security policies and procedures to ensure PCI DSS compliance. Compliance with the PCI DSS is mandatory for any company that accepts payment cards, and procedures should always be reviewed when a new system is installed to ensure PCI DSS compliance is maintained. Here is a helpful primer on PCI DSS compliance basics.
  2. Be sure to purchase your new system from a reputable dealer. Since fast-food ordering kiosks are an industry that is about to explode, inevitably, shady dealers will pop up offering what appear to be fantastic deals on new systems – that turn out to have multiple security vulnerabilities. Make sure you’re buying your equipment from a known, reputable company.
  3. Make sure your new POS system can handle EMV technology, or “chip-enabled” cards. One of the ways hackers attack POS systems is by installing card skimmers that steal data off the magnetic stripe that old-style payment cards use. Chip-enabled cards eliminate this problem. However, not all payment cards are chip-enabled at this time, so it’s important not to leave self-serve kiosks completely unattended. Have at least some on-site staff available who are trained to spot card skimmers.
  4. If you offer free WiFi to your customers, do not set your POS terminals to access it. Otherwise, a hacker can come into your store and use the WiFi to get into your system.
  5. Monitor your POS terminals for suspicious activity. Are your terminals being accessed by or communicating with unknown external sources? Just like any other network, POS systems should be monitored for suspicious activity; had Wendy’s monitored its systems, the breach the company suffered may not have gone on for so long undetected.
  6. Have a comprehensive cyber security plan in place, to include training on POS data security for any employees who access the restaurant’s computers. Protecting your customers’ payment card data is as important as adhering to food safety and sanitary practices.
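Items 4 and 5 of the checklist can be checked against firewall egress logs. The following is an added example, not Wendy's, Lazarus Alliance's or any vendor's code; the log format, subnets, allowlist and sample lines are constructed assumptions:

```python
"""Flag POS terminals that reach unknown hosts or sit on the guest WiFi.

Added example for checklist items 4 and 5; not Wendy's, Lazarus Alliance's or
any vendor's code. Subnets, allowlist and log lines are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")      # assumed POS/kiosk VLAN
GUEST_WIFI = ipaddress.ip_network("192.168.50.0/24")   # assumed customer WiFi
ALLOWED_EGRESS = {                 # what a kiosk legitimately needs (placeholders)
    ("203.0.113.10", 443),         # payment processor gateway
    ("10.20.0.254", 514),          # on-site log collector
}

# Constructed firewall log: timestamp src dst dst_port action
SAMPLE_LOG = """\
2016-06-01T10:00:01 10.20.0.15 203.0.113.10 443 ALLOW
2016-06-01T10:00:09 10.20.0.15 10.20.0.254 514 ALLOW
2016-06-01T10:01:30 10.20.0.15 198.51.100.77 8080 ALLOW
2016-06-01T10:02:00 192.168.50.23 203.0.113.10 443 ALLOW
2016-06-01T10:02:05 192.168.50.23 198.51.100.77 4444 ALLOW
2016-06-01T10:03:00 10.20.0.16 203.0.113.10 443 ALLOW
"""

class Finding(NamedTuple):
    rule: str
    when: str
    src: str
    dst: str
    port: int

def parse(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            yield ts, ipaddress.ip_address(src), dst, int(port), action

def analyze(log_text: str) -> List[Finding]:
    events = list(parse(log_text))
    # A guest-WiFi host talking to the payment gateway is almost certainly a
    # kiosk that was joined to the customer WiFi (item 4).
    misplaced = {src for _, src, dst, port, act in events
                 if act == "ALLOW" and src in GUEST_WIFI and (dst, port) in ALLOWED_EGRESS}
    findings = []
    for ts, src, dst, port, act in events:
        if act != "ALLOW" or not (src in POS_SUBNET or src in misplaced):
            continue  # already blocked, or not a POS client at all
        if src in misplaced:
            findings.append(Finding("pos-on-guest-wifi", ts, str(src), dst, port))
        if (dst, port) not in ALLOWED_EGRESS:  # item 5: unknown external party
            findings.append(Finding("unknown-egress", ts, str(src), dst, port))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Rules triggered per terminal, for on-site staff or the SOC to act on."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.src].add(f.rule)
    return dict(per_host)
```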

POS Data Security Doesn’t Have to Be a Stomachache!

Because the fast-food industry has depended on manual ordering processes for so long, the transition to automation may seem confusing or even overwhelming for restaurant owners. That’s why it’s a good idea for restaurants to enlist the services of a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches.

We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats, as well as help them get and remain PCI DSS compliant. Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

Ransomware Attacks Show that Healthcare Must Take Cybersecurity Seriously

In a previous blog, we provided a primer on HIPAA compliance and discussed the importance of complying with this complex federal law, which is geared toward protecting patients’ protected health information (PHI). While healthcare providers and healthcare industry vendors cannot afford to ignore HIPAA, a new threat has emerged and is poised to become much bigger: ransomware attacks on hospitals and healthcare providers that do not seek to breach patient information but instead render it inaccessible until the organization pays a hefty ransom.

In just the past few weeks, the following major ransomware attacks on healthcare facilities have occurred:

  • In February 2016, hackers used a piece of ransomware called Locky to attack Hollywood Presbyterian Medical Center in Los Angeles, rendering the organization’s computers inoperable. After a week, the hospital gave in to the hackers’ demands and paid a $17,000 ransom in Bitcoin for the key to unlock its computers.
  • In early March 2016, Methodist Hospital in Henderson, Kentucky, was also attacked using Locky ransomware. Instead of paying the ransom, the organization restored the data from backups. However, the hospital was forced to declare a “state of emergency” that lasted for approximately three days.
  • In late March, MedStar Health, which operates 10 hospitals and over 250 outpatient clinics in the Maryland/DC area, fell victim to a ransomware attack. The organization immediately shut down its network to prevent the attack from spreading and began to gradually restore data from backups. Although MedStar’s hospitals and clinics remained open, employees were unable to access email or electronic health records, and patients were unable to make appointments online; everything had to go back to paper.

Likely, this is only the beginning. A recent study by the Health Information Trust Alliance found that 52% of U.S. hospitals’ systems were infected by malicious software.

What is ransomware?

Ransomware is malware that renders a system inoperable (in essence, holding it hostage) until a ransom fee (usually demanded in Bitcoin) is paid to the hacker, who then provides a key to unlock the system. As opposed to many other forms of cyber attacks, which usually seek to access the data on a system (such as credit card information and Social Security numbers), ransomware simply locks the data down.

Hackers usually employ social engineering techniques – such as phishing emails and free software downloads – to get ransomware onto a system. Only one workstation needs to be infected for ransomware to work; once the ransomware has infected a single workstation, it traverses the targeted organization’s network, encrypting files on both mapped and unmapped network drives. Given enough time, it may even reach an organization’s backup files – making it impossible to restore the system using backups, as Methodist Hospital and MedStar did.

Once the files are encrypted, the ransomware displays a pop-up or a webpage explaining that the files have been locked and giving instructions on how to pay to unlock them (some MedStar employees reported having seen such a pop-up before the system was shut down). The ransom is nearly always demanded in the form of Bitcoin (abbreviated as BTC), an untraceable “cryptocurrency.” Once the ransom is paid, the hacker promises, a decryption key will be provided to unlock the files.

Unfortunately, because ransomware perpetrators are criminals – and thus, untrustworthy to begin with – paying the ransom is not guaranteed to work. An organization may pay hundreds, even thousands of dollars and receive no response, or receive a key that does not work, or that does not fully work. For these reasons, as well as to deter future attacks, the FBI recommends that ransomware victims not cave in and pay. However, some organizations may panic and be unable to exercise such restraint.

Because of this, ransomware attacks can be much more lucrative for hackers than actually stealing data. Once a set of data is stolen, the hacker must procure a buyer and negotiate a price, but in a ransomware attack, the hacker already has a “buyer”: the owner of the information, who is not in a position to negotiate on price.

Why is the healthcare industry being targeted in ransomware attacks?

There are several reasons why the healthcare industry has become a prime target for ransomware attacks. First is the sensitivity and importance of healthcare data. A company that sells, say, candy or pet supplies will take a financial hit if it cannot access its customer data for a few days or a week; orders may be left unfilled or delivered late. However, no customers will be harmed or die if a box of chocolates or a dog bed isn’t delivered on time. The same cannot be said for healthcare; physicians, nurses, and other medical professionals need immediate and continuous access to patient data to prevent injuries, even deaths.

U.S. News & World Report points to another culprit: the fact that healthcare, unlike many other industries, went digital practically overnight instead of gradually and over time. Additionally, many healthcare organizations see their IT departments as a cost to be minimized, and therefore do not allocate enough money or human resources to this function:

According to the statistics by the Office of the National Coordinator for Health Information Technology, while only 9.4 percent of hospitals used a basic electronic record system in 2008, 96.9 percent of them were using certified electronic record systems in 2014.

This explosive growth rate is alarming and indicates that health care entities could not have the organizational readiness for adopting information technologies over such a short period of time. Many of the small- or medium-sized health care organizations do not view IT as an integral part of medical care but rather consider it as a mandate that was forced on them by larger hospitals or the federal government. Precisely due to this reason, health care organizations do not prioritize IT and security technologies in their investments and thus do not allocate required resources to ensure the security of their IT systems, which makes them especially vulnerable to privacy breaches.

What can the healthcare industry do about ransomware?

First, the healthcare industry needs a major shift in mindset: Providers must stop seeing information systems and information security as overhead costs to be minimized, realize that IT is a critical part of 21st century healthcare, and allocate the appropriate monetary and human resources to running and securing their information systems.

The good news is, since ransomware almost always enters a system through simple social engineering techniques such as phishing emails, it is fully possible to prevent ransomware attacks by taking such measures as:

  • Instituting a comprehensive organizational cyber security policy
  • Implementing continuous employee training on security awareness
  • Conducting regular penetration tests to identify vulnerabilities

Lazarus Alliance feels that it is much better to prevent a ransomware attack than to attempt to deal with one after it has occurred, especially in a healthcare environment, where lives are at stake should patient data become inaccessible. We offer full-service risk assessment services and Continuum GRC software to protect hospitals and other healthcare organizations. Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help you prevent your facility from becoming the next victim of a ransomware attack.