Hackers gunning for banks' Web servers, sites

The increased number of codes resulting from more complex services and features being introduced on banking Web sites, is also increasing the attack surface area for hackers to exploit. At the same time, cybercriminals recognize the need to understand more codes and this increases the sophistication of their attacks.

According to Don Jackson, senior security researcher at Dell SecureWorks, external threats from cybercrooks are focused on Web servers and sites of banks and payment processing institutions because of the growing complexity of services introduced to customers online. Such services include loan applications, fund transfers and investment portfolio management, which previously required people to be physically present at bank outlets to authorize transactions, Jackson said in a phone interview Friday.

With these services now available online, the "axiom of more bugs being introduced as more lines of codes are written" applies, said Jackson. This is particularly so when custom codes are written as these increase the surface area of attack for hackers, said the security researcher, who was the first person to discover the Zeus banking Trojan in 2007. He was also director of threat intelligence at SecureWorks before it was bought by Dell in January this year.

Consequently, as more codes are written and secure code libraries created to store these lines, hackers have had to raise their game and understand these complex codes in order to exploit them, Jackson said. As their know-how expands, so will the sophistication of their attacks, he added.

Besides targeting vulnerabilities in banks' networks and sites, cybercriminals are also probing into customers' online behavior. For example, he noted that thin-client attacks through Web browsers that are vulnerable inherently or because of software downloaded onto it such as Adobe Acrobat Reader and Java, are common occurrences. Social engineering, he added, is also another favorite tactic employed by black hats to infect users' PCs.

According to a study released earlier this year by WhiteHat Security, the top banking Web site vulnerability in 2010 was information leakage. The term was used as a catch-all description of a vulnerability in which a Web site reveals sensitive data such as technical details of the Web application, environment or user-specific data.

WhiteHat revealed that common causes of this vulnerability were site operators' failure to "scrub out" HTML or script comments containing sensitive information, such as database passwords and improper application or server configurations.

Banks not doing enough yet
Quizzed if banks were doing enough to protect themselves and their customer data from data theft and exploits, Jackson said no.

"They have not been terribly successful in preventing large-scale attacks in recent time," he said, citing as an example Citibank's data breach last month which saw about 1 percent of its U.S. customer data stolen.

That said, he added that banks were doing "everything they can" to strengthen their defenses. However, he acknowledged: "The most determined offense will always get around the best defense."

A better approach to mitigate growing online threats banks face today would be to improve cooperation and intelligence sharing among the various financial institutions, he advocated. Banks are already sharing some information among themselves but Jackson said more needs to be done.

He pointed out there is a high level of information sharing among security professionals but they "don't know how to get their information" to the banks. Additionally, he urged financial organizations to let IT security professionals know what they need and what information works for them.

"Even if the information that was shared, either after a breach occurred or when a threat was averted, does not lead to predictive capabilities, this sharing acts as a 'one-time inoculation' for the entire industry to deter similar attacks in the future," said Jackson.

Whitehat's founder and CTO, Jeremiah Grossman, told ZDNet Asia in an earlier phone interview that financial institutions should put a value to all their Web sites. For big organizations, they would have multiple sites and would not be able to secure all of them. By prioritizing their security resources into a select group of sites, this would be a better defensive strategy, Grossman suggested.

In an earlier report, industry watchers ZDNet Asia spoke to called on banks to adopt a more holistic security approach. Alvin Ow, Asia-Pacific and Japan technology consultant director of EMC's security division RSA, suggested banks implement security tools that address various data channels. This measure could include the combination of anti-Trojan and anti-phishing tools to monitor outside the channel, risk-based authentication for activities at the channel and transaction-monitoring within the channel.