Incident: Cyber Attack Bypasses Latest PIN Security Devices in Banking

Published Date: 2012-02-06

Postmortem Analysis
Timeline:
1. The incident, a new banking cyber attack that penetrated accounts protected with the latest PIN security devices, happened around February 2012. [Article 10439]
System:
The systems/components that failed in the software failure incident described in the article are:
1. PIN security devices like PINSentry from Barclays and SecureKey from HSBC [10439]
2. PC security software, including packages such as Norton 360 [10439]
Responsible Organization:
1. Cyber-criminals were responsible for causing the software failure incident described in the article [10439].
Impacted Organization:
1. Users of PIN security devices such as PINSentry from Barclays and SecureKey from HSBC were impacted by the software failure incident as their accounts were vulnerable to the cyber attack [Article 10439].
Software Causes:
1. The failure incident was caused by a new generation of cyber attack known as the 'man in the browser' attack, which bypassed security systems including PIN devices and security software [10439].
Non-software Causes:
1. Lack of user awareness and vigilance: The incident involved cybercriminals tricking users into clicking on malicious links, highlighting the importance of online vigilance and basic security measures [10439].
2. Deceptive tactics by cybercriminals: The attackers used social engineering tactics to divert users to fake banking websites, exploiting trust and familiarity with online banking interfaces [10439].
Impacts:
1. The software failure incident resulted in cyber criminals being able to access real bank accounts by diverting users to fake banking websites, thus stealing money without the victims noticing [10439].
2. Users who had PIN security devices like PINSentry from Barclays and SecureKey from HSBC were vulnerable to the attack unless they were using the latest browsers and security software set to maximum [10439].
3. The incident demonstrated the vulnerability of users to 'Man in the Browser' attacks, where malware sits between the user and their bank account, diverting them to fake websites [10439].
4. Security software packages like Norton 360 could protect against the attacks, but only on their maximum security settings, highlighting the importance of maintaining high security levels [10439].
Preventions:
1. Using security packages such as Norton 360 on maximum security settings could have helped prevent the software failure incident [10439].
2. Ensuring that users are using the latest browsers and security software set to maximum could have also prevented the incident [10439].
3. Online vigilance and basic security measures, as mentioned by Simon Ellson from Norton, could have shored up defenses against the attack [10439].
Fixes:
1. Implementing security upgrades and patches to address vulnerabilities exploited by the cyber attack [10439].
2. Ensuring users are using the latest browsers and security software set to maximum security settings to mitigate the risk of falling victim to such attacks [10439].
3. Educating users on online vigilance and basic security measures to prevent falling for phishing attempts or clicking on malicious links [10439].
References:
1. Daniel Brett of security experts 21sec [10439]
2. Simon Ellson, Online Security Expert at Norton [10439]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | multiple_organization | (a) The software failure incident related to the cyber attack targeting banking accounts has not been shown to have happened again at a specific organization [10439]. (b) The article mentions that the 'man in the browser' cyber attacks, including the variant of the 'SpyEye' trojan, are increasingly common and can affect users of various banks and financial institutions. These attacks are not specific to one organization but can target users across different organizations [10439].
Phase (Design/Operation) | design | (a) The software failure incident described in the articles is related to the design phase. The incident involves a new generation of cyber attacks that have evolved to bypass the latest security measures, including PIN devices and security software like Norton 360. The attack involves diverting users to a fake banking website by presenting a fake security upgrade window, which then allows cyber-criminals to access the real account using login details obtained through this deception [10439]. (b) The software failure incident is not directly related to the operation phase or misuse of the system. Instead, it focuses on the design flaw that allows cyber-criminals to deceive users and gain access to their accounts through sophisticated attacks that bypass security measures [10439].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident described in the articles is primarily within the system. The cyber attack, known as the 'man in the browser' attack, targets users' web browsers and diverts them to fake banking websites. The attack leverages malicious software that steps in when a user visits a banking website, presenting a fake security upgrade window that redirects users to a fraudulent banking site. This attack bypasses security systems, including PIN devices and PC security software like Norton 360, demonstrating a vulnerability within the system itself [10439]. (b) outside_system: The software failure incident does not seem to have contributing factors originating from outside the system. The attack is focused on exploiting vulnerabilities within users' browsers and security measures, rather than external factors beyond the control of the system [10439].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the articles is primarily related to non-human actions. The incident involves a new generation of cyber attacks, specifically the 'man in the browser' attack, which bypasses security systems, including PIN devices and PC security software, to divert users to fake banking websites and access real accounts without the users' knowledge [10439]. (b) Human actions are also involved in the incident as cybercriminals are actively exploiting vulnerabilities in security systems and creating malicious software to deceive users and steal money from their accounts. Additionally, the article mentions that users who do not have security devices provide criminals with the means to access their accounts repeatedly [10439].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: The article mentions that the cyber attack known as the 'man in the browser' attack targets users' web browsers and diverts them to fake banking websites, indicating that the attack is exploiting vulnerabilities in the hardware components of users' systems [10439]. (b) The software failure incident occurring due to software: The article highlights that the 'man in the browser' attack is a type of cyber attack that infects a user's web browser and diverts them to fake banking websites, showcasing a failure in the security software to detect and prevent such attacks [10439].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident described in the articles is malicious in nature. It involves a cyber attack known as the "man in the browser" attack, which diverts users to fake banking websites with the intent to steal money from their accounts. The attack bypasses security systems, including PIN devices and security software, to deceive users into providing access to their accounts unknowingly. Cybercriminals use malicious software to trick users into believing they are receiving a security upgrade, leading them to a fake banking website where their login details are stolen. The attack hides fraudulent transactions and changes the total balance to prevent victims from realizing their accounts have been compromised [10439].
Intent (Poor/Accidental Decisions) | unknown | (a) The intent of the software failure incident was not due to poor decisions but rather a sophisticated cyber attack aimed at bypassing security measures and tricking users into divulging their banking information. The attack involved diverting users to fake banking websites through malicious software, exploiting vulnerabilities in security systems including PIN devices and security software like Norton 360. The attackers used tactics like offering fake security upgrades to deceive users and gain access to their accounts without their knowledge [10439].
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident reported in the articles is related to development incompetence. The incident describes a new banking cyber attack that penetrates accounts protected with the latest PIN security devices. The attack bypasses security systems, including PIN devices, and security software like Norton 360. It diverts users to a fake banking website by offering a fake 'security upgrade' and then accesses the real account using login details obtained through this deception. The attack is sophisticated and specifically focused on banking, indicating a level of professional competence by the cybercriminals behind it [10439]. (b) The software failure incident is not related to accidental factors but rather to a deliberate and targeted cyber attack designed to deceive users and steal money from their accounts [10439].
Duration | temporary | The software failure incident described in the articles can be categorized as a temporary failure. The incident involves a cyber attack known as the "man in the browser" attack, which diverts users to fake banking websites and allows cyber-criminals to access real accounts using login details obtained through malicious software [10439]. This type of attack is not a permanent failure but rather a temporary disruption caused by specific circumstances, such as the presence of malware and vulnerabilities in security systems.
Behaviour | value, other | (a) crash: The incident described in the articles does not involve a crash where the system loses state and stops performing its intended functions. Instead, the software failure incident involves a cyber attack that diverts users to fake banking websites without crashing the system [10439]. (b) omission: The software failure incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, the incident involves malicious software diverting users to fake banking websites to steal information without the system omitting any functions [10439]. (c) timing: The software failure incident does not involve the system performing its intended functions too late or too early. The incident is related to cyber attacks that divert users to fake banking websites, manipulating the timing of user interactions but not the system's timing of functions [10439]. (d) value: The software failure incident does involve the system performing its intended functions incorrectly. The incident describes how cyber-criminals access real accounts using log-in details, including the randomly generated code from PIN devices, leading to unauthorized access and theft of funds [10439]. (e) byzantine: The software failure incident does not exhibit the characteristics of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. The incident primarily involves a targeted cyber attack that diverts users to fake banking websites to carry out fraudulent transactions [10439]. (f) other: The software failure incident involves a sophisticated cyber attack known as the "Man in the Browser" attack, where malicious software sits between a user and their bank account, diverting users to fake websites to steal information and manipulate balances. This behavior is not specifically categorized in the options provided [10439].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident described in the articles resulted in potential harm to people's property, specifically their money in bank accounts. Cybercriminals were able to access real accounts using login details obtained through the malicious software, leading to the potential theft of funds without the victims being aware of the transactions. The attack demonstrated how cybercriminals could exploit security vulnerabilities to access and manipulate individuals' financial assets [Article 10439].
Domain | finance | The software failure incident reported in the articles is related to the finance industry [Article 10439]. The incident specifically involves a new banking cyber attack that targets users accessing their online banking accounts. The attack bypasses security measures, including PIN devices, to divert users to fake banking websites where cyber-criminals can access real accounts and steal money without the victims' knowledge. This incident highlights the vulnerability of online banking systems and the need for enhanced security measures in the finance sector.
