Web Bank Attack
The FBI is investigating a June computer intrusion into a web banking company that may have compromised customer accounts at hundreds of U.S. financial institutions, SecurityFocus has learned.
The attack against S1 Corporation's Community and Regional eFinance Solutions Group, renamed from Q UP after an acquisition last year, gave the hacker access to an internal network at the company's Atlanta-based 'Data Center', which handles the web banking needs of approximately 300 small banks and federal credit unions across the country.
The hacker is believed to have cracked the network on June 19th. The company's information security staff discovered the intrusion the next day, and monitored the hacker until June 23rd, when they locked him out. FBI agents began investigating at S1's Austin, Texas office -- where the network is managed -- on Monday, sources said.
An FBI spokesperson could not be reached after business hours Thursday. S1 spokesperson Paul Citarella would neither confirm nor deny the intrusion, citing customer confidentiality. "We, like all organizations, get hacked all the time, or have attempted hacks all the time," said Citarella.
But several sources familiar with the investigation, all speaking on condition of anonymity, said the company is taking the attack seriously, and has already begun notifying client banks that customer account information may have been compromised.
One source said the hacker accessed files in a particular subdirectory on the company's Windows NT network called 'webdata,' which is dedicated to housing web banking customers' login names, paired with an encrypted version of their passwords.
If the hacker reverse engineered the software responsible for logging customers in and out of the system, he could easily crack the encryption algorithm and read the passwords. Armed with that information, the attacker could access customer accounts over the web, potentially obtaining private information, or even plundering bank accounts.
The intrusion underscores the vulnerability of Internet banking applications, which can suffer the same security holes as web sites and online storefronts, but seldom receive the same public scrutiny -- in part because of a culture of strict secrecy among financial institutions, and tight nondisclosure agreements that keep would-be whistle-blowers silent.
"When you write your story, make sure people understand that this is a drop in the bucket," said one consultant -- a specialist in evaluating the security of online banking software. "I've broken into every single web banking application I've tried. Sometimes I can just jump from account to account, and I wouldn't be able to target a person. With others I can get your social security number and any other information about you."
The biggest risk, said the consultant, is in electronic bill payment functions, which provide a conduit for a cyber thief to siphon cash out of a victim's account. "Once I get access to their accounts, the first thing I do is set up bill pay to send out money to a mail drop."
The consultant said new FDIC banking regulations are needed to enforce high security standards on Internet banking systems.
Loyal Moses, formerly an information security analyst with S1, and now a critic of the company's security practices, said web-based banking can be made safe, but agreed that regulation was desperately needed.
"As it is now, anybody could write an Internet banking application, take it down to the local bank, and if they like it, great, you're in business," said Moses, currently a security auditor at Grant Thornton, LLP. "It's just like when junk bonds were introduced, there was no regulation. Now you need to file certain papers to sell junk bonds. The same thing needs to happen with financial institutions."
In addition to its Data Center, S1 Corporation's Community and Regional eFinance Solutions Group provides web banking software to small financial institutions for use in-house. Those institutions were not affected by the Data Center hack.
By Kevin Poulsen