Breach
That was a relief. It meant that whoever was stealing from his account would not be able to use the card any more. Getting back the money that had been debited—stolen, to be precise—would prove trickier, though.
He called the bank again the next morning. It was a leading private sector bank and Gupta was a premium customer. There was nothing in his transaction history that would point to any foul play from his side. The bank readily agreed to transfer the money that had been debited back into his account within forty-eight hours as the first step towards resolution of his complaint. The catch was that it would not be available to him immediately. He would have access to the money only once the bank had investigated his claim and found that he was in the right. The bank said they would need sixty days to conclude the investigation.
Gupta also had to go to the police and get a first information report (FIR) filed. That proved to be a difficult experience. The cops asked him questions like ‘why did you share your PIN number with other people?’, and ‘if you didn’t share the PIN, how did people steal the money from your account?’ They tried to make it difficult for him by listing out technicalities—the complaint had to be filed in the police station under whose jurisdiction the money was taken out rather than in Gurgaon where he was staying, and he first had to make a complaint at the bank, and so on. This conversation with the cops, he says, went on for a while, but he finally convinced them to accept his complaint and took the copy of the FIR to his bank.
Gupta got his money back from the bank after they had completed their internal investigation. It wasn’t that difficult to know what had gone wrong. Indeed, he wasn’t alone at the receiving end of a banking fraud. The news was soon going to be all over the media. Gupta was the victim of one of the largest breaches ever in India’s financial services and banking sector—a breach that the media at the time claimed had resulted in 3.2 million debit card numbers being potentially compromised across multiple banks. It was a breach that stunned India’s financial services and banking industry, which prides itself on operating at the cutting edge of security.
What makes the instance surreal and somewhat ironical is that Gupta is no stranger to breaches. He makes a living investigating breaches and protecting companies. He is partner at the consulting firm KPMG and the leader of their cybersecurity practice. He has, over the years, advised multiple companies and led investigations into breaches of all sorts, including in the financial services industry.
* * *
No one, absolutely no one, is safe from becoming a victim of banking and financial data theft in the digital age. Gupta is one of the most informed professionals in the country when it comes to using his debit card securely. But through no fault of his own he had to go through the harrowing experience of feeling helpless even as somebody sitting in some corner of the world took money away from his account, one transaction at a time.
This is the reality of banking today. Anyone can lose money and fall victim to a breach in the security perimeter built around their money by their bank, even when they, in their individual capacity, follow the best practices. The banks and other financial institutions are trying hard, but they are pummelled by cyberattacks eyeing data and vulnerabilities that will lead the attackers to hard currency. To give credit to the banks and their sizeable investments in cybersecurity, they have built systems that are repelling the vast majority of these attacks. But it takes only that one attack that sneaks through to bust the trust that banks have nurtured among their customers over many years. This was one such attack.
It is not unlike the situation in the past when thieves would steal money through bank heists. But the crucial difference is that in the digital age the thieves could be sitting anywhere in the world, and there is little that can be done to catch them. Dye packs—radio-controlled devices that mark notes that have been stolen with permanent ink—are used by banks in the West to foil thieves. But they are of little use in a world where money is evolving into a digital idea.
News of heists wasn’t that common back in the day, but today, as security researchers agree, the financial services industry endures hostile attacks every single day.
A KPMG report[1] points out that ‘the attacks have accentuated with significant drive on adoption of digital payment channels over the last six months with phishing, Distributed Denial of Service (DDoS) and spam being most widely used attack vector.’ DDoS attacks take down servers by overwhelming them with Internet traffic, while phishing attacks try to extract information, often by installing malware in computers.
Indian banks and financial regulators have been repelling attacks in large numbers. Many in the financial services industry say that India’s financial sector has been one of the most proactive when it comes to fighting off such attacks. It is a sector in the country that prides itself as being ahead of the curve, compared with the counterparts in other nations, when it comes to data security preparedness. Most banks in India, especially private banks, take cybersecurity very seriously. They invest crores in it every year, and although an exact number is hard to come by, officials say that this number is growing fast.
A security researcher who works with almost all the private banks says that government banks are the exception, as they give cybersecurity contracts to the lowest bidder. ‘It is difficult for them to come out of that ambit. They are also doing the best they can within their power. The question is, how much security is enough? Who decides how much is enough?’
His company has grown from making Rs 3 crore a year in revenue in 2012 to Rs 41 crore in 2016, also growing from a staff of thirty to 300. He started with penetration testing for banks and has since expanded into a multitude of services around cybersecurity. ‘When I started the business, banks used to ask if I have anti-virus, or why do they need more security on their website.’ That situation has changed, and banks now understand security, perhaps better than most sectors. That doesn’t mean the systems they have put in place are 100 per cent secure. There is, of course, no such thing as perfect security. Breaches can and do still happen.
It may have been easier for chief security officers of banks to breathe if transactions were happening in a self-contained world that they had themselves created. Unfortunately for them, digital transactions don’t exactly happen in a self-contained ecosystem.
Transactions happen when multiple software systems, built, operated and maintained by different entities, talk to each other. Data moves from one system to another, with each of these systems run by software and hardware built by different vendors. There are multiple players involved in the transaction chain, and it was the weakness in one such link in the chain that had Gupta and others like him scrambling to protect their accounts.
The attack that affected Gupta had its origins in malware that was injected into the code running Hitachi Payment Services systems.[2] Banks, along with retailers, merchant aggregators and financial ecosystem providers, use the company, which is a subsidiary of the Japanese conglomerate Hitachi, to enable financial transaction processing services. The malware had remained hidden, creating very little noise in Hitachi’s systems, while quietly siphoning off card information. It stayed that way for a few weeks before the criminals started stealing money by using the stolen debit card information.
Hitachi Payment Services was ordered by the authorities to conduct a security audit into the incident. An assessment report[3] that was authored by the Bengaluru-based payments and information security audit firm SISA Information Security concluded that ‘the malware, being sophisticated in its design, had been able to work undetected and had concealed its tracks during the compromise period. While the behaviour of the malware and the penetration into the network has been deciphered, the amount of data exfiltrated during the above compromise period is unascertainable due to secure deletion by the malware’. What that means is that the malware was clever enough to conceal its tracks, making it difficult for the investigators to confirm the amount of data that was stolen.
This made it difficult to ascertain the extent of the breach. The National Payments Corporation of India (NPCI) concurred with the assessment[4] that the number of people who complained about losing money was much smaller than 3.2 million. They issued a statement on 22 October clarifying that there were only 641 bank customers who had reported fraudulent activity to the eighteen banks in question. ‘The figure of 3.2 million cards,’ it said, ‘was a proactively identified base of customers who have transacted in the set of suspected ATMs in the recent past. However, this does not mean that all these cards have been used for any fraudulent activity. The banks have proactively intimated the aforesaid 3.2 million cardholders as a matter of precaution to either change their PIN or replace the cards so that they are not misused in the future.’
It is believed that the compromise of card data through the malware happened when customers changed their ATM PIN using the network of Yes Bank, which is a client of Hitachi Payment Services.[5] With the regulator enabling operation of cards across ATMs operated by any bank, any vulnerability in one led to compromises across the industry. Thus, the banks whose cards were compromised included SBI, ICICI, HDFC, Standard Chartered and Yes Bank.[6] These banks issued new cards to all the customers whose debit card data was compromised. SBI alone is reported to have reissued as many as 6,00,000 cards following the incident.[7] Alternatively, some banks asked customers who could have been affected to change their PIN as a precautionary measure.
Theft of card data, in various ways, is quite common, and often the information extracted finds its way into dark web marketplaces. To understand how widespread the theft of card numbers is, all you have to do is visit dark web marketplaces where, right alongside drugs of all varieties and malware, lists of credit and debit card numbers are offered for sale, payable in cryptocurrency. Particularly highlighted in these listings are the card databases that come with CVV numbers. While not all these numbers may work and many of the cards may be blocked, those who buy them on these marketplaces can use the active ones as they please.
The question is, if the modus operandi behind the breach in Hitachi’s systems is clear, can those behind this attack be brought to justice?
* * *
One of the biggest obstacles that investigators face when it comes to data theft—or any aspect of cybercrime—in the modern era is that these crimes are enabled in what is essentially a borderless virtual world. It is difficult to pinpoint and extract the perpetrators who may have been behind this attack, or to say which geography they may have come from, from a technical point of view and from logistical and legal ones too.
Following a trail online is a complicated act in the era of proxies. It is easy for an infiltrator to mask where he is operating from. Proxies bounce the data from their computers through a maze of other computers in different geographies until it becomes next to impossible to track back to the origins with certainty. Such proxies can often be of great use—they are used by Chinese dissidents to communicate with the rest of the world, circumventing the Great Firewall, the term used by the global media for the censorship system put in place by the Chinese government to monitor Internet and mass media in a bid to control the flow of information in that country.
While proxies and browsing tools like TOR, the Onion Router—a web browser which anonymizes traffic—have their uses in multiple contexts, they also make it hard for law enforcement to shadow suspects and bring criminal behaviour to justice. The Internet was designed to be open, and that is how most of the world—except a few countries like China with its Great Firewall—has taken to it. This openness makes a lot of sense when it comes to sharing of knowledge and countless other aspects of life, but it also makes for a safe haven for criminals beyond the borders of the countries where they have committed their crimes.
Then there is the reality of jurisdiction. The crime in most of these cases is committed across the border. This especially applies to financial crime where physical presence is no longer required. A criminal could be thousands of miles from where the crime was committed, but the investigation team is limited by its geography. The investigating agencies of one country cannot go after a culprit with ease if he/she is beyond their jurisdiction.
Bringing international consensus on a framework for cybercrime is difficult because what constitutes a crime is a function of cultural factors too. Free speech could land you in trouble in certain parts of the world, watching pornography is illegal in others, and buying weed is not a crime in some parts of the world. Ideally, when it comes to financial fraud and theft of someone else’s money, geography and culture shouldn’t matter as much. It should theoretically be easier for countries to work together to evolve effective deterrents as well as active enforcement mechanisms to fight financial crimes. That has not happened yet.
Today, even if details of crimes and criminals are shared by one country with the relevant national authorities of another, it must be remembered that countries are under no obligation to take any action unless they have signed agreements with other countries specifically for this purpose. Extradition treaties, if they do exist, could be of help. But their coverage is an issue. India is currently signatory to only thirty-seven extradition treaties, according to the data provided by the Central Bureau of Investigation.[8] There are another eight countries with whom India has so-called ‘extradition arrangements’. That brings the total number of countries where India can pursue the accused in crimes committed in its territory to forty-five. There are more than seventy countries with whom the Indian government has signed agreements to exchange cybersecurity-related information, but these include many MoUs that are non-binding.[9]
For perspective, the United Nations has 193 member states. The mismatch in numbers is clearly indicative of the problem at hand. In an ideal world, you would want every country in the world to have an extradition treaty with every other country, and unless that happens there is little that can be done to truly fight cybercrime on a global scale. Criminals, as matters stand today, will continue to have nooks and corners they can withdraw into and live in no fear of being apprehended.
Multilateral organizations like Interpol, the international police network with 190 member countries, could be of help. As Interpol’s website says, ‘Most cybercrimes are transnational in nature, therefore INTERPOL is the natural partner for any law enforcement agency looking to investigate these crimes on a cooperative level. By working with private industry, INTERPOL is able to provide local law enforcement with focused cyber intelligence, derived from combining inputs on a global scale.’
But the reality is significantly different. Interpol is woefully underfunded, as a story in the Atlantic pointed out in 2014,[10] the centenary year of the global policing network. The report said Interpol’s resources (the organization had an operating budget of €70 million [$90 million] in 2012, the bulk of it provided by member countries based on their ability to pay) ‘are very minimal’ compared to those of many local police forces. For comparison’s sake, the New York City Police Department had a budget of nearly $4.9 billion in fiscal year 2012, and it has about 34,500 uniformed officers. The entire staff at Interpol, mostly international civil servants and police on loan from national police forces, numbers roughly 650.
Simply put, they don’t have the money to investigate the barrage of cases that come their way. According to Interpol’s website, between 2011 and 2015 the amount of money they classified as regular budget—funding from member countries—remained static, going from $55.6 million in 2011 to $56.3 million in 2015. While the contribution from trust funds and other such sources has shot up from $4.9 million to $23.5 million in the same four years, one has to keep in mind that this money is used to investigate every single type of crime, from paedophilia to cybercrime to data theft to financial fraud.
The number of cases Interpol can handle is obviously limited when compared with the sheer explosion in technology-related crime the world has seen over the last few decades. What that means, unfortunately, is that few cross-border criminals are ever brought to justice in an era where criminality is increasingly technology-led and geography-agnostic.
Marc Goodman, in his book Future Crimes,[11] calls for the creation of what he calls a ‘Cyber World Health Organisation’. He says:
. . . given the many parallels between communicable human diseases and those affecting the world’s technologies, there is much we can learn from the public health model, an adaptable system capable of responding to an ever-morphing array of pathogens around the world. A trusted international cyber World Health Organisation could foster cooperation and collaboration across companies, countries, and government agencies—crucial steps required to improve the overall public health of the networks driving the critical infrastructures in both our online and offline worlds.
It is a smart idea. Countries around the world have succeeded in controlling many diseases, and the fight against cybercriminals could draw inspiration from it.
The closest effort in this direction has been the Budapest Convention. Formally called the Convention on Cybercrime of the Council of Europe, it was one of the early efforts to harmonize laws and investigation in different countries to counter the borderless criminal. But, fifteen years after it was initially instituted, its adoption is still not universal. Far from it. Just about sixty-nine states are parties to it, have signed it, or have been invited to join it. India is not yet a signatory, and among the reasons keeping the country from signing it is that it wasn’t involved in the original negotiations to frame the Convention back in 2001.
With the increase in cross-border cybercrime, India cannot possibly afford to sit on the sidelines for much longer. It needs to be part of, and indeed lead, multilateral efforts, sooner rather than later. This is even more important as the sheer scale of the networked community in India—second only to China’s—increases further. The success of the Digital India campaign of the Government of India will only intensify the lure of India as a market with potential for mischief makers beyond its borders—whether state sponsored or the proverbial black hat hacker sitting in a basement in eastern Europe.