Compromised
Recently, a financial account of mine was compromised. As a person who, while entirely fallible, is pretty well-versed in infosec, I have a lot of thoughts on the matter. Honestly the whole thing has been more fascinating to me than anything. Maybe it’s because my bank has been very accommodating so far, maybe it’s because (relatively speaking) trivial amounts of money have been sucked from my accounts, or maybe it’s because I’m petty and vengeful and when you make a direct bank transfer, your name, the recipient’s name, is revealed to the sender[1].
I’m curious about the vector of attack. My assumption is that primarily my card was physically compromised, but I’m not sure. The timeline began with the reception of notifications that my online banking password had been reset. I assumed, or hoped for, a glitch and reset it. Then it reset again. And again. Then a transfer account was added. Then, while I was dialing in to the bank, $100 had been transferred out. This is when it gets a little panicky, but having that information, having a number of controls in front of me to mitigate the situation, and having a quick response from the bank’s customer service all led to a fairly painless resolution.
The means of ingress was not the internet; it was not ‘hacking’. When you start telling people about an attack like this, the overwhelmingly rudimentary understanding of security lends itself to responses like ‘ah, well you have this account and now that account was hacked! The hackers hacked it!’ The term ‘hacking’ evokes some real man-vs.-machine WarGames type shit, but the sort of attacks that tend to affect most of us are far less sexy. Things like malware and card skimmers meticulously mining data to then be sold off in batches to lesser criminals.
So that was the first breach, and then several days later it was followed by fraudulent card purchases. I was able to temporarily mitigate this by disabling the card, before ultimately contacting the issuer and having the card entirely deactivated and a new one issued. In between these two things happening, I received a call from ‘my bank’ enquiring about card fraud (which had not yet occurred). The incoming number (which is trivially spoofed) did appear to resolve to the bank’s fraud department, but the callback number was unknown to the internet. I assume this was an attempt by attackers to phish more information while I was at my most vulnerable.
When I mention that the vector of attack likely began with the card, this is because there are some safeguards in place for doing the password reset over the phone. Some, like driver’s license numbers in many states, are completely trivial to reproduce, and financial institutions really need to stop relying on faux secret information. The card number is another potential identifier, and I think these two things with a dash of good old-fashioned social engineering thrown in probably led to multiple over-the-phone password resets being granted in a fifteen-minute window. Just the handful of dealings I had with the bank gave a lot of insight into how one could pull off such an attack, which itself is a little concerning.
Takeaways:
- Two-factor everything important. Seriously. Any accounts that would be painful to have compromised should be protected with 2FA. If the service does not offer 2FA, contact support, file feature requests, make it known that it is important to you as a customer. I had 2FA enabled on this bank account for the longest time, and I disabled it for some unknown-to-me reason. I’m willing to eat the blame on that chunk of this, but I think the reason was due to a change in how the bank’s 2FA system worked – I don’t think I re-enrolled in the new system, essentially.
- If what I just surmised is true, a takeaway for providers of important services is to absolutely force users to take actions related to changes in security policies before accessing accounts. I know I defer that stuff for no good reason.
- Notification overload can be a burden, but in this case being notified of password resets and transfers enabled me to quickly start shutting things down to mitigate the attack. While I would have noticed my password no longer functioning, I may or may not have thought anything of it. I can pretty much guarantee I would not have noticed the missing money from the initial transaction.
- I don’t know for a fact that the call I received was fake, but I’m about 97% sure that it was. Fortunately I kept my wits about me. I would imagine it’s all too common to have one’s trust all thrown off in a situation like this, and thus be an easy phishing target. The scammers, of course, knew what bank I was using, and presumably knew that I had caught it by then. The paranoid in me wonders if the monetary theft was all incidental, and the real scam was to be an attempt for more information.
- I don’t know if people, generally, realize how completely trivial it is to spoof a phone number. I also don’t know if people, generally, realize how completely trivial it is to spoof a ‘from’ address in an email. I assume more people realize the latter over the former. But these things should be hammered into each and every head.
- It’s probably a good idea to periodically review security settings available to you for important accounts. I never dealt with my bank over the phone before, so had never considered that I might wish to lock that communication down further with a verbal password. I’m sure social engineering can still rear its ugly head here, but this should mitigate part of the next issue…
- …which is that we really need to stop leaning on identifiers that were never intended to be secret and secure as though they were built with that in mind. This includes stupid security questions as well – we tell people not to use their dog’s middle name as their password and then immediately say ‘in case we need to reset your password for you, please tell us your dog’s middle name’. This did not play into my attack, but it’s in that same vein of pseudo-secret, pseudo-secure identification. And none of that is good.
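The sequence described in the narrative above (repeated over-the-phone password resets inside a fifteen-minute window, then a new transfer recipient, then an outbound transfer) and the point in the takeaways about notifications being what made the attack visible are the kind of pattern a bank's own monitoring could flag. This is an added example, not code from the original post or from any bank; the event log is constructed here, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample account-event log (not real bank data), one event per line:
# "timestamp|account|event|key=value;key=value"
SAMPLE_LOG = """\
2024-03-01T09:02:00|acct-1|password_reset|channel=phone
2024-03-01T09:06:30|acct-1|password_reset|channel=phone
2024-03-01T09:11:10|acct-1|password_reset|channel=phone
2024-03-01T09:14:00|acct-1|payee_added|payee=NEW-RECIPIENT
2024-03-01T09:16:45|acct-1|transfer_out|amount=100.00;payee=NEW-RECIPIENT
2024-03-01T12:00:00|acct-2|password_reset|channel=web
2024-03-02T08:00:00|acct-2|transfer_out|amount=40.00;payee=OLD-RECIPIENT
"""


def parse_events(text):
    """Parse the log format above into (timestamp, account, kind, fields) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, acct, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append((datetime.fromisoformat(ts), acct, kind, fields))
    return sorted(events, key=lambda e: e[0])


def detect_takeover(events, reset_threshold=2, reset_window=timedelta(minutes=15),
                    payee_window=timedelta(hours=24)):
    """Return (account, reason) alerts for two assumed takeover indicators:
    more than reset_threshold password resets within reset_window, and an
    outbound transfer to a payee that was added less than payee_window earlier."""
    alerts = []
    by_acct = {}
    for ev in events:
        by_acct.setdefault(ev[1], []).append(ev)
    for acct, evs in by_acct.items():
        # Reset velocity: slide a window over the reset timestamps for this account.
        resets = [ts for ts, _, kind, _ in evs if kind == "password_reset"]
        for start in resets:
            burst = [t for t in resets if start <= t <= start + reset_window]
            if len(burst) > reset_threshold:
                alerts.append((acct, "reset_velocity"))
                break
        # New payee followed quickly by money going to that payee.
        added = {f["payee"]: ts for ts, _, kind, f in evs if kind == "payee_added"}
        for ts, _, kind, f in evs:
            payee = f.get("payee")
            if kind == "transfer_out" and payee in added and ts - added[payee] <= payee_window:
                alerts.append((acct, "transfer_to_new_payee"))
    return alerts
```

On the constructed log only acct-1 trips both indicators; acct-2's single web reset and transfer to an established payee stay quiet.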
[1] Floridian (felony ID fraud) court records have a whole lot of important authoritative names attached to them, FYI.