The Risk of Weak Online Banking Passwords

Krebs on Security

Brian Krebs

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

A screenshot of a password-checking tool being used to target Chase Bank customers who re-use passwords from other sites. Image: Hold Security.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (APIs) from one of several personal financial data aggregators, which help users track their balances, budgets and spending across multiple banks.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Costello said while some banks have implemented processes which pass through multi-factor authentication (MFA) prompts when consumers wish to link aggregation services, many have not.

“Because we have become something of a known quantity with the banks, we’ve set up turning off MFA with many of them,” Costello said. “Many of them are substituting coming from a Yodlee IP or agent as a factor because banks have historically been relying on our security posture to help them out.”

Such reconnaissance helps lay the groundwork for further attacks: If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

This targeting can occur in at least one of two ways. The first involves spear phishing attacks to gain access to that second authentication factor, which can be made much more convincing once the attackers have access to specific details about the customer’s account — such as recent transactions or account numbers (even partial account numbers).

The second is through an unauthorized SIM swap, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.

That’s because PayPal, Zelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.

Alex Holden is founder and chief technology officer of Hold Security, a Milwaukee-based security consultancy. Holden and his team closely monitor the cybercrime forums, and he said the company has seen a number of cybercriminals discussing how the financial aggregators are useful for targeting potential victims.

Holden said it’s not uncommon for thieves in these communities to resell access to bank account balance and transaction information to other crooks who specialize in cashing out such information.

“The price for these details is often very cheap, just a fraction of the monetary value in the account, because they’re not selling ‘final’ access to the account,” Holden said. “If the account is active, hackers then can go to the next stage for 2FA phishing or social engineering, or linking the accounts with another.”

Currently, the major aggregators and/or applications that use those platforms store bank logins and interactively log in to consumer accounts to periodically sync transaction data. But most of the financial aggregator platforms are slowly shifting toward using the OAuth standard for logins, which can give banks a greater ability to enforce their own fraud detection and transaction scoring systems when aggregator systems and apps are initially linked to a bank account.

That’s according to Don Cardinal, managing director of the Financial Data Exchange (FDX), which is seeking to unite the financial industry around a common, interoperable, and royalty-free standard for secure consumer and business access to their financial data.

“This is where we’re going,” Cardinal said. “The way it works today, you the aggregator or app stores the credentials encrypted and presents them to the bank. What we’re moving to is [an account linking process] that interactively loads the bank’s Web site, you login there, and the site gives the aggregator an OAuth token. In that token granting process, all the bank’s fraud controls are then direct to the consumer.”
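Added example, not from the original article or from any bank's or aggregator's code: a minimal bank-side decision function contrasting the behaviour Costello describes (an aggregator source IP accepted in place of the second factor) with MFA passed through to the consumer at link time. The network range, account names, event fields and decision labels are all constructed assumptions.

```python
import ipaddress

# Constructed: a documentation-range network standing in for an aggregator's egress IPs.
AGGREGATOR_NET = ipaddress.ip_network("198.51.100.0/24")

def from_aggregator(ip):
    return ipaddress.ip_address(ip) in AGGREGATOR_NET

def legacy_policy(ev, linked):
    """Weak setting: the aggregator's source IP substitutes for the second factor."""
    if not ev["password_ok"]:
        return "deny"
    if from_aggregator(ev["ip"]):
        return "allow_read"                 # balances/transactions, no MFA prompt
    return "allow_full" if ev["mfa_ok"] else "deny"

def passthrough_policy(ev, linked):
    """Hardened setting: a password alone never creates an aggregator link."""
    if not ev["password_ok"]:
        return "deny"
    if from_aggregator(ev["ip"]):
        if ev["account"] in linked or ev["mfa_ok"]:
            return "allow_read"             # holder approved this link with MFA
        return "mfa_required"               # prompt is passed through to the consumer
    return "allow_full" if ev["mfa_ok"] else "deny"

def exposed_accounts(policy, events, linked=()):
    """Accounts whose data was released although the holder never passed MFA."""
    linked, exposed = set(linked), set()
    for ev in events:
        if not policy(ev, linked).startswith("allow"):
            continue
        if ev["mfa_ok"]:
            if from_aggregator(ev["ip"]):
                linked.add(ev["account"])   # remember the MFA-approved link
        elif ev["account"] not in linked:
            exposed.add(ev["account"])
    return exposed

# Constructed login events (not real data).
EVENTS = [
    {"account": "alice", "ip": "198.51.100.7", "password_ok": True,  "mfa_ok": False},  # reused password via aggregator app
    {"account": "bob",   "ip": "198.51.100.9", "password_ok": True,  "mfa_ok": True},   # genuine link, MFA answered
    {"account": "bob",   "ip": "198.51.100.9", "password_ok": True,  "mfa_ok": False},  # later periodic sync
    {"account": "carol", "ip": "203.0.113.50", "password_ok": True,  "mfa_ok": False},  # direct login, no second factor
    {"account": "dave",  "ip": "198.51.100.7", "password_ok": False, "mfa_ok": False},  # wrong password
]
```

Running `exposed_accounts` over the same events with each policy shows that only the IP-as-a-factor setting releases data for an account whose holder never completed MFA, while an already approved link keeps syncing under both.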

Alissa Knight, a senior analyst with the Aite Group, a financial and technology analyst firm, said such attacks highlight the need to get rid of passwords altogether. But until such time, she said, more consumers should take full advantage of the strongest multi-factor authentication option offered by their bank(s), and consider using a password manager, which helps users pick and remember strong and unique passwords for each Web site.

“This is just more empirical data around the fact that passwords just need to go away,” Knight said. “For now, all the standard precautions we’ve been giving consumers for years still stand: Pick strong passwords, avoid re-using passwords, and get a password manager.”

Some of the most popular password managers include 1Password, Dashlane, LastPass and recently published a worthwhile writeup which breaks down each of these based on price, features and usability.

Why Every Organization Needs an Incident Response Plan

Kacy Zurkus

OK, perhaps that’s obvious. The question is, how come so many organizations still wait for something to happen to trigger their planning?

It’s human nature to procrastinate, especially when people aren’t quite sure of the right way to approach a task.

But when it comes to an incident response (IR) plan, the time to develop one is before a security breach occurs. Unfortunately, far too often it takes an incident to trigger planning.

And that, all security pros know, is far from ideal.

Why Do I Need an Incident Response Plan?

Having an IR plan in place is a critical part of a successful security program. Its purpose is to establish and test clear measures that an organization could and likely should take to reduce the impact of a breach from external and internal threats.

While not every attack can be prevented, an organization’s IR stance should emphasize anticipation, agility, and adaptation, says Chris Morales, head of security analytics at Vectra.

“With a successful incident response program, damage can be mitigated or avoided altogether,” Morales says. “Enterprise architecture and systems engineering must be based on the assumption that systems or components have either been compromised or contain undiscovered vulnerabilities that could lead to undetected compromises. Additionally, missions and business functions must continue to operate in the presence of compromise.”

The capabilities of an IR program are often measured on the level of an organization’s maturity, which defines how proactive an organization is. Companies that are able to map policies to the level of risk appropriate to the business are better prepared in the event of a security incident.

By way of example, Morales explains that the goal for a small business should be to reach a level of repeatable process, which includes having a maintained plan, concrete roles and responsibilities, lines of communication, and established response procedures. These are the necessary stepping stones that would allow it to appropriately address the bulk of incidents it would likely see.

“However, for organizations with highly valuable information with a high-risk level, a formal plan is not enough, and they need to be much more intelligence-driven and proactive in threat-hunting capabilities,” Morales says.

Starting from Scratch

Many companies find themselves in the position of having to start writing their IR plans from scratch, as was once the case for Trish Dixon, vice president of IronNet’s Cyber Operations Center (CyOC).

“It was an interesting dynamic to think that you can just jump right in and start writing an incident response plan when you haven’t really taken into account the rest of your company’s policies,” Dixon says.

Without knowing a company’s continuity plan, failovers, or its most critical systems, it’s impossible to write an IR plan that understands the impact an incident will have.

If, for example, the most critical part of the business is its infrastructure, you can’t have an effective IR plan without knowing how long it can be down before it starts costing the company money, Dixon says.

“From doing a business-impact analysis, it’s a lot easier to start mapping out and designing your incident response framework around that,” she says.

While there is no “right way” to design a plan, there are best practices, such as those set forth in the NIST framework, for creating and testing an optimal IR plan that will allow organizations to be more resilient in the event of a cyberattack.

At the very least, every organization should have a framework or concept down to understand the critical steps to take in the event of an incident.

“As you continue to evaluate your policies when you audit them, make sure the IR plan and policy are updated as well,” Dixon advises. Reviewing a policy once annually is absolutely not enough.

Auditing the IR policy quarterly is in line with best practices, but Dixon says organizations have to test it almost on a daily basis.

“You may have an event come in that’s not necessarily categorized as an incident,” she says, “but you should always refer back to your incident response plan to be able to say, ‘Had this event been this type of incident, what would we have done?’”

Measuring IR Success

Testing IR daily creates a necessary and inquisitive mindset that habitually asks “if this had been X” in order to determine whether an incident is escalated and/or who to contact. Companies need to gain as much information as possible so as to act on the presence of attackers.

Being proactive allows organizations to better react with a deeper understanding of the threat actor’s intentions and how the organization’s defenses relate to potential threats. That’s why threat awareness is one of the core metrics used to assess an organization’s maturity and capabilities for IR success, Morales says.

Every detail and every event that happens can help defenders decide what to do in response to an incident so they are better positioned to quickly and sufficiently isolate, adapt, and return to normal business operations should they ever encounter a worst-case scenario.

A lot of organizations begin with an incident response framework, such as NIST’s “Computer Security Incident Handling Guide,” and use that as a guide for developing a unique IR plan specific to the company. But understanding who all of the players are is one of the most critical starting points when developing or updating an IR plan.

Indeed, people can get tunnel vision within their operations centers and forget they may need to involve the business section, sales, and IT, so those people are not written into the plan, Dixon says.

What’s most important for organizations to keep in mind is that the IR plan needs to be applicable to their business.

“A framework is a framework. It’s a recommendation for best practices. It’s not meant to suggest that every situation is applicable to all organizations across the world,” Dixon says. “People need to be comfortable with adjusting the frameworks to apply to their organization.”


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …