Sunday, May 15, 2016

How the Swift bank messaging heist will affect Canadian banks

If you've been paying attention to the news lately, you'll know that a large sum of money was just stolen from the Bangladesh central bank in a heist that used the SWIFT system.

First, a bit of background to explain what the mainstream media doesn't explain clearly...

The SWIFT messaging system doesn't actually move money itself, and it keeps no account numbers or ledgers for the banks it sits between or for the money it is instructing to move.  All it does is say "Bank A needs to settle this transaction with you" to Bank B.  It's then down to Banks A & B to sort that out between themselves.  You could replace SWIFT messages with a carrier pigeon note, or a note tied to a brick; those are less secure than SWIFT messages and slower moving, but it wouldn't make a blind bit of difference to the banks as far as money moving goes, because moving the money is down to the banks to achieve.

So, now you're up to speed, let's see what happened.

In plain English (and simplifying things immensely), what happened is this:  Robbers targeted the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system.  They simply added a few bogus SWIFT messages into the pipeline instructing Bank A (the Federal Reserve Bank of New York) to send money from the Bangladesh central bank's account to a bunch of other banks in other countries.  Of course, the banks just blindly did what they were told.  Five messages went through and were settled to the tune of $81 million; then someone noticed a mistake in the sixth message and questioned things, and that is when the messages were all discovered to be bogus.  The backlog of 30 messages not yet processed totalled $850 million.

How does this affect the Canadian banks?

The SWIFT heist wasn't an isolated incident.  The people that pulled this off knew that the banks considered themselves to be secure, but that security could be bypassed.  In Canada, we also have the SWIFT system, so the same risks apply to Canadian banks if they're not secure.  We also have a similar system for consumers in the form of Interac.

Just like SWIFT, Canada's Interac system doesn't move money either.  It sends messages to move money, and the banks figure out how they'll do that at the end of the day.

In plain English, it looks like this:

Bank A deducts $50 from Mr Jones who wants to send to Mr Smith. 
Bank A:  I've got $50 from my customer Mr Jones, for your customer Mr Smith.
Bank B:  OK - I'll add $50 to Mr Smith's account.

Mr Smith can now spend that money immediately.  At the end of the day, when the banks settle, this happens:

Bank A to Bank B:  I owe you $50.
Bank B to Bank A:  Well, I owe you $60 from an earlier transaction, so here's $10 and we can call it quits.

There are a lot of parallels to the SWIFT system in that it's purely based on trust.  This is the first problem.  Canada's banks now need to harden up security on two systems that are kinda flaky if you don't do things correctly (SWIFT has strict procedures on how banks should do things).  This trust issue is key to the whole security problem in Canada.  You have banks trusting each other, and trusting Interac, and customers trusting Interac and trusting the banks.
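To make the two points above concrete, here is an added example (not from the original post, and not any real SWIFT or Interac message format): a small Python model of the end-of-day netting between Bank A and Bank B, plus the reconciliation step a purely trust-based system skips, which refuses to net an instruction unless the sending bank's own ledger shows the customer debit behind it. The messages and ledger are constructed, with one injected instruction sized at the $81 million the post mentions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    """One settlement instruction in the spirit of the post's exchange:
    'I've got $X from my customer, for your customer.' Constructed format."""
    msg_id: str
    from_bank: str
    to_bank: str
    cents: int

def net_positions(messages):
    """End-of-day netting: {(debtor, creditor): cents} per bank pair after
    offsetting what each side owes the other (the post's $50 vs $60 -> $10)."""
    owed = defaultdict(int)                      # (debtor, creditor) -> gross cents
    for m in messages:
        owed[(m.from_bank, m.to_bank)] += m.cents
    net = {}
    for (debtor, creditor), gross in owed.items():
        balance = gross - owed.get((creditor, debtor), 0)
        if balance > 0:
            net[(debtor, creditor)] = balance
    return net

def unbacked(messages, ledger):
    """Reconciliation check: an instruction is only trusted if the sending bank's
    own ledger shows a matching customer debit for that message id.
    `ledger` maps (bank, msg_id) -> cents actually deducted. Returns unmatched ids."""
    return [m.msg_id for m in messages
            if ledger.get((m.from_bank, m.msg_id)) != m.cents]

# Constructed sample day: the post's $50 and $60 transfers, plus one injected
# instruction that no bank ever debited a customer for.
MESSAGES = [
    Message("m1", "A", "B", 5_000),
    Message("m2", "B", "A", 6_000),
    Message("m3", "A", "B", 8_100_000_000),  # bogus: nothing in A's ledger backs it
]
LEDGER = {("A", "m1"): 5_000, ("B", "m2"): 6_000}

def settle(messages=MESSAGES, ledger=LEDGER):
    """Drop unbacked instructions before netting; return (net positions, dropped ids)."""
    bad = set(unbacked(messages, ledger))
    return net_positions([m for m in messages if m.msg_id not in bad]), sorted(bad)

if __name__ == "__main__":
    print("trusting every message:", net_positions(MESSAGES))
    print("after reconciliation:  ", settle())
```

Run as-is, the first line shows Bank A apparently owing Bank B just under $81 million; the second shows the injected instruction rejected and Bank B owing Bank A the $10 from the post's example.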

This is where the wheels fall off this wagon...  I reported to CIBC in January that Interac's servers were not secured properly from an SSL standpoint.  They fixed that in April, but there are two bigger underlying issues, and I'll touch on one right now.

Let's imagine you are writing an iOS app in Canada and need to take debit cards.  You call Interac and they're like "Go away - we don't deal with the public -  go talk to one of our authorized integration partners".  So you deal with the integration partners who then have no sway over Interac to fix things when the situation goes sideways.

I've actually gone through this, where an iPhone had a 320 pixel wide screen, and some tool at Interac had hardcoded their CSS to 640 pixels wide, thinking that no computer would ever access their system on a screen less than 640 pixels.  So, I phone the integration partner and they phoned Interac. After a few days, the official word was Interac weren't going to change this.

How did I fix this?  Well, I did what everyone else did back then; you take Interac's broken CSS, fix it and store it in your app as a bundled resource.  Next, you make your normal calls to Interac's computers to initiate the transaction, get the HTML and CSS response, and you simply switch out their busted CSS and replace it with your own fixed CSS.  It's not like Interac ever designed anything to detect this kind of meddling.

If you're technically minded, you probably just realised this is the equivalent of a man-in-the-middle (MITM) attack.  Yes, it's common in Canada that when Interac doesn't want to help a situation, you just code around them.

Of course, if you can switch the CSS (which determines how things are laid out) you sure as hell can change the HTML (the message the customer sees).  That's scary.  So, Interac is going to have to finally get its act together and tighten up security...  As it stands, Interac can be compromised in two ways that I know of.

What about the banks themselves?

They are likely being told the same as everyone else - which is harden up.  This is a problem, though:  If you look (in Toronto, at least) at the banks and their current hiring process, you can see predictability - if it's a bank, it will think like a bank and it will act like a bank and it will hire the same type of security people that it did before.  That predictability combined with a sense of trust that the banks know what they are doing is where the danger is in Canada.

Here's a current security post from CIBC as an example:


If you're not quite sure of what you're looking at, let's break this down:
  • Right now, they want more of the same type of people that they hired to guard about 50 servers and all their technology infrastructure in 1998.  You're certified for the bank, fit the bank's culture and think and act like you belong in a bank...
  • It's not 1998, and smartphones came out in 2007, social engineering took off, the two gender tick boxes for customers are not enough to define people, and now customers are attacked outside the bank because the banks are mostly fighting the wrong war.

When faced with an attack surface of some ten million devices and computers in Canada, that a technically curious average 15 year old can circumvent in two days, it's apparent that some Canadian banks are not in the same security arms race as their customers.  This means it's technically more feasible to compromise a bank by compromising its customers.  That job posting above didn't even mention mobile, despite that being a massive vector for attacks caused by most banks' own ineptitude.

I will leave you with one last screenshot I pulled off Twitter two days ago.  Note the "1/4" response and how confident the bank is that they are secure and the insinuation that any failure that might happen will be the fault of the customer.  This is scary considering how broken the security is.

This is what I lose sleep over.