A security consulting company demonstrated that many banks' branch managers would hand over $25,000 to a scammer who presented little more than a counterfeit check drawn on a reputable bank, a photocopy of a fake driver's license and a bogus email from a senior bank executive authorizing the payment.
Bancsec Inc. tested five banks and 10 branches between December and April. The hackers' success rate was 100% and they walked away with $200,000 in all from the banks that agreed to have their security procedures tested.
Bancsec, of Research Triangle Park, N.C., calls its test a blended threat, which combines social engineering with basic knowledge of bank systems.
Though it seems low-tech, Bancsec's test highlights flaws in banks' defenses against scammers. The results also underscore the importance of security training for branch employees, strong authorization procedures and letting employees know that sometimes it's OK to question their bosses.
"In today's world, we are so used to getting emails and memos of this nature and we don't take the time to look at [an email's validity], even when it tells us to do something out of the norm," said a bank executive, who requested that he and his company, a 30-branch South Florida bank with assets of $4 billion, not be named in this story because "we don't want to make it public that Bancsec walked out with $50,000."
In a span of eight hours in March, hackers from Bancsec took large sums of money from the bank simply by identifying the proper managers at two separate branches, buying a domain name that resembled the address of the bank's website, and imitating bank execs (including the unnamed director) in bogus emails to the managers authorizing Bancsec's transactions.
In one instance a branch manager picked up the phone to try to verify with the director of operations that the transaction was legitimate. But, finding that the executive was not in, the branch manager approved the payment, accepting as identification a photocopy of a driver's license.
Bancsec said one reason this scam worked was its ability to determine the work schedules of the people it impersonated.
"The weakest link in security tends to be people," said George Tubin, a senior research director with TowerGroup.
Security experts said that for all its simplicity, social engineering is still one of the most effective methods hackers use to attempt to compromise bank security — and, they say, it is likely a major part of some of the prominent compromises in recent months, including that of EMC Corp.'s RSA Security, as well as the email marketer Epsilon, a unit of Alliance Data Systems Corp. of Plano, Texas.
"The education focus has to be with [banks'] own employees and call centers," said Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC. She said her research indicates that social engineering is among the top five hacker threats against financial institutions.
Avivah Litan, vice president and distinguished analyst at Gartner Inc. in Stamford, Conn., said banks could add basic procedures to guard against the type of attack Bancsec constructed. First would be a fraud detection system that includes account profiling to look for irregularities in check amounts, as well as in the people seeking to cash checks. Another would be human controls that require two levels of authorization, especially when any kind of override is requested.
Tubin added that branch managers and others could use knowledge-based authentication databases, such as Experian PLC's Knowledge IQ, which would require impostors to answer personal questions about the people they purport to be.
For its part, the South Florida bank has increased training of front-line employees, coaching them to scrutinize email addresses on all communications that ask them to do anything out of the ordinary.
"And in executive management, we now expect to have our orders questioned, especially when something seems outside the norm [in the] verification process," the bank executive said.
The test has also led the bank to speed up implementation of an internal intrusion detection system, which the bank is installing at cost of about $50,000. The system will look for any unusual activity in the network, such as searches for user names and passwords, and it will scrutinize external traffic trying to enter the network.
"The biggest takeaway," the banker said, "is that as experienced as you think your bankers are, they are still wrapped up in the day-to-day process of serving customers, and many times, when the unexpected comes along, they don't stop and think things through."