The FBI is investigating a June computer intrusion into a web banking
company that may have compromised customer accounts at hundreds of U.S.
financial institutions, SecurityFocus has learned.
The attack against S1 Corporation's Community and Regional eFinance
Solutions Group, renamed from Q UP after an acquisition last year, gave
the hacker access to an internal network at the company's Atlanta-based
'Data Center', which handles the web banking needs of approximately 300
small banks and federal credit unions across the country.
The hacker is believed to have cracked the network on June 19th. The
company's information security staff discovered the intrusion the next
day, and monitored the hacker until June 23rd, when they locked him out.
FBI agents began investigating at S1's Austin, Texas office -- where the
network is managed -- on Monday, sources said.
An FBI spokesperson could not be reached after business hours Thursday. S1
spokesperson Paul Citarella would neither confirm nor deny the intrusion,
citing customer confidentiality. "We, like all organizations, get hacked
all the time, or have attempted hacks all the time," said Citarella.
But several sources familiar with the investigation, all speaking on
condition of anonymity, said the company is taking the attack seriously,
and has already begun notifying client banks that customer account
information may have been compromised.
One source said the hacker accessed files in a particular subdirectory on
the company's Windows NT network called 'webdata,' which is dedicated to
housing web banking customers' login names, paired with an encrypted
version of their passwords.
If the hacker reverse engineered the software responsible for logging
customers in and out of the system, he could easily crack the encryption
algorithm and read the passwords. Armed with that information, the
attacker could access customer accounts over the web, potentially
obtaining private information, or even plundering bank accounts.
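The weakness described above, that a store of login names paired with reversibly encrypted passwords is only as secret as the key the login program carries, can be shown in a few lines. This is an added, constructed example and is not S1's code or record format; the key, the XOR-style cipher, the record layout and the sample users are all assumptions made for illustration. It contrasts the reversible scheme with a salted, iterated one-way hash, where even the legitimate verifier cannot turn the stored value back into the password.

```python
"""
Constructed example (not S1's code or file format): why a store of login names
paired with *reversibly* encrypted passwords falls to anyone who obtains both
the file and the login program, while a salted, iterated one-way hash gives
the password back to nobody, the verifier included.
"""
import hashlib
import hmac
import os

# Constructed key. In a reversible scheme the login program must carry this
# (or derive it from something it carries), so it ships to anyone who can read
# or reverse-engineer the program.
EMBEDDED_KEY = b"demo-key-baked-into-login-program"


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from SHA-256(key || counter). A stand-in for any
    symmetric cipher: the cipher is not the point, the single key that both
    encrypts and decrypts is."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def reversible_encrypt(password: str, key: bytes = EMBEDDED_KEY) -> bytes:
    data = password.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def reversible_decrypt(blob: bytes, key: bytes = EMBEDDED_KEY) -> str:
    # XOR with the same keystream undoes the encryption.
    plain = bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob))))
    return plain.decode("utf-8")


def recover_all(store: dict, key: bytes) -> dict:
    """What a party holding the stolen file plus the program's key learns:
    every password at once, with no per-user effort."""
    return {login: reversible_decrypt(blob, key) for login, blob in store.items()}


# --- one-way alternative ----------------------------------------------------

def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record laid out as alg$iterations$salt$dk
    (constructed layout)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """The verifier recomputes and compares; nothing in the record or in the
    program converts the stored value back into the password."""
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample users; not real customers.
SAMPLE_USERS = {"alice": "Tr0ub4dor&3", "bob": "correct horse battery staple"}


def demo() -> tuple:
    """Returns (all passwords recovered from the reversible store,
    all passwords still verify against the hashed store)."""
    reversible_store = {u: reversible_encrypt(p) for u, p in SAMPLE_USERS.items()}
    hashed_store = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    leaked = recover_all(reversible_store, EMBEDDED_KEY)
    ok = all(verify_password(p, hashed_store[u]) for u, p in SAMPLE_USERS.items())
    return leaked == SAMPLE_USERS, ok


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The two stores look alike on disk: a login name next to an opaque blob. The difference is what else the attacker needs. For the reversible store, the missing piece is a key that the login program must hold, which is exactly what reverse engineering recovers; for the hashed store there is no such piece, and each guess costs the full iterated hash per user because of the per-record salt.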
'Drop in the bucket'
The intrusion underscores the vulnerability of Internet banking
applications, which can suffer the same security holes as web sites and
online storefronts, but seldom receive the same public scrutiny -- in part
because of a culture of strict secrecy among financial institutions, and
tight nondisclosure agreements that keep would-be whistle-blowers silent.
"When you write your story, make sure people understand that this is a
drop in the bucket," said one consultant -- a specialist in evaluating the
security of online banking software. "I've broken into every single web
banking application I've tried. Sometimes I can just jump from account to
account, and I wouldn't be able to target a person. With others I can get
your social security number and any other information about you."
The biggest risk, said the consultant, is in electronic bill payment
functions, which provide a conduit for a cyber thief to siphon cash out of
a victim's account. "Once I get access to their accounts, the first thing
I do is set up bill pay to send out money to a mail drop."
The consultant said new FDIC banking regulations are needed to enforce
high security standards on Internet banking systems.
Loyal Moses, formerly an information security analyst with S1, and now a
critic of the company's security practices, said web-based banking can be
made safe, but agreed that regulation was desperately needed.
"As it is now, anybody could write an Internet banking application, take
it down to the local bank, and if they like it, great, you're in
business," said Moses, currently a security auditor at Grant Thornton,
LLP. "It's just like when junk bonds were introduced, there was no
regulation. Now you need to file certain papers to sell junk bonds. The
same thing needs to happen with financial institutions."
In addition to its Data Center, S1 Corporation's Community and Regional
eFinance Solutions Group provides web banking software to small financial
institutions for use in-house. Those institutions were not affected by the
Data Center hack.
By Kevin Poulsen