How to hack a database
According to a recent study by penetration specialists, it has been discovered that with the rising level of cyber-attacks prevalent in today’s world, banks are returning to the basic principles of cyber security.
After one cyberattack affected the financial sector, there was a probe into the specifics to understand other cyber threats specific to the banking industry. Andrew Mabbitt, co-founder and director of Fidus Information Security, a UK company specializing in penetration testing, gave an insight into the intricacies of the attack.
How to hack a bank
“It’s important to know how big the bank is before conducting a penetration test.
The following things immediately go out the window. First, in most cases, the external infrastructure, in other words, anything they do publicly, is relatively secure. In addition to this, banks spend a huge amount of money on security, so you immediately know that they have been tested to death, so statistically, you are not likely to find anything too serious there.
The physical security of the banks wouldn’t even cross our minds since they are guarded, have a lot of staff, and have cameras everywhere. What we would do is check: do they have any satellite offices? What is the size of their headquarters? Security is usually lighter there since they are not guarding all the money, but what do we want to achieve here?
This is not about breaking into the banks’ safes and bolts but gaining access to their networks. So which part of the network is weakest? Usually, these employees are in large head offices or in satellite offices, where there is much work.
During physical engagements, we can watch bank employees come and go from a local café while standing outside or even sitting in a local park. Typically, they wear the same lanyards, etc., all the time. If the lanyards are generic, like red ones, we can throw one under our jumper and walk into a building, and most people get trusting when they see the lanyard.
Besides filming and taking pictures, we also clone badges from people working at banks. Therefore, we will take a picture, mock it up in Adobe Photoshop, print the badge, and then walk into a building while the badge won’t scan, asking security to unlock it. After all, everyone wants to help.
We look for targets if we cannot do the break-in, which means we move away from the finance team and move away from the IT team. Then, we begin targeting people in roles people don’t usually associate with being targeted in phishing attacks.
Consequently, media people are less likely to be targeted than finance people so that we would take advantage of this.”
The waiting game
According to Mabbitt, how long an attacker can stay on a network undetected depends entirely on their intent.
In his opinion, the people who can attack a critical bank in a country usually possess quite sophisticated skills. This would be the same level as organized crime or nation-state bank attacks since they want to get as much data as possible, not just gain access to the money. These are the kinds of hacks that require people to sit on a network for longer than six months.
“Mandatory encryption is one of the things that need to be implemented in data transmission. In the UK, data is classified in several ways: client confidential information, official data, sensitive information, top secret information, etc. It even comes with strict guidelines for how each one is to be handled.”
Because of the critical data financial services firms possess, Mabbitt says that such companies are the most heavily attacked by hackers. However, lack of employee awareness and inadequate security measures in buildings continue to be major security hazards.
People always think “physical” means being an action character and scaling a fence, but it can also mean following someone through a door they hold open for you. People want to be helpful, which is why they are naturally polite. From the intruder’s side, there is nothing scarier than the person who turns around and asks, ‘Hi, who are you?’
“After spending millions on security features and all the gadgets and nice shiny boxes people buy to protect themselves, if someone can walk into your building and connect to it, it’s all for nothing.
We can tailor things easily to suit specific people, such as sending them something that looks like a well-known delivery company and staying away from the more commonly used ones, such as finance and CEOs. Alternatively, HR can be contacted with a fictitious CV.
Fraud attacks involve the banks and employees getting it right every time – not entering their credentials and not opening documents. In contrast, the attacker only needs to get it right once.
Companies have to turn the tables on the bad guys. Now, we have introduced ‘deception technology,’ a bag of tricks for defenders. It includes fake computers, passwords, and files scattered throughout the company. Through this, we can provide a better service to our customers—hackers who break in immediately reveal their presence by hacking into replicas. Humans were the weak link in all the hacks above.
Our deception technology does the same thing in reverse. For the good guys to gain an edge over the hacker, we use decoys that play on the hacker’s psychology and motivations.
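The deception approach described above rests on one property: nothing legitimate ever touches a decoy, so any touch is a high-fidelity signal, including a failed login. The following monitor is an added illustration written for this article; it is not Fidus’s code or any vendor’s product. The decoy account, file and host names, and the three log formats it parses, are constructed for the example.

```python
"""Decoy (honeytoken) monitor: raise an alert whenever a planted account,
file share path, or 'fake computer' is touched, and group the alerts by
source address so a pivot between decoys from one host stands out."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed decoy inventory (assumed). Each item looks real but is never
# used by any legitimate workflow, so any reference to it is suspicious.
DECOY_USERS = {"svc_backup_legacy", "finance_share_admin"}
DECOY_HOSTS = {"10.20.30.77"}                    # planted "fake computer"
DECOY_FILES = {"/shares/finance/Q3_payroll_final.xlsx"}

# Constructed sample log lines: sshd-style auth events, an SMB audit line,
# and a firewall connection record. Formats are assumed, not a real product's.
SAMPLE_LOG = """\
Mar 03 09:12:01 fs01 sshd[1201]: Accepted password for alice from 10.20.1.5 port 51022 ssh2
Mar 03 09:14:33 fs01 sshd[1210]: Failed password for svc_backup_legacy from 10.20.1.99 port 40212 ssh2
Mar 03 09:15:02 fs01 smbd[1300]: user=bob src=10.20.1.8 open=/shares/finance/budget.xlsx
Mar 03 09:16:40 fs01 smbd[1301]: user=bob src=10.20.1.8 open=/shares/finance/Q3_payroll_final.xlsx
Mar 03 09:20:11 fw01 conn: src=10.20.1.99 dst=10.20.30.77 dport=445 action=allow
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")
FILE_RE = re.compile(
    r"smbd\[\d+\]: user=(?P<user>\S+) src=(?P<src>\S+) open=(?P<path>\S+)")
CONN_RE = re.compile(
    r"conn: src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


@dataclass(frozen=True)
class Alert:
    kind: str        # "decoy_account" | "decoy_file" | "decoy_host"
    indicator: str   # which decoy was touched
    source_ip: str   # address the touch came from
    actor: str       # user name if the log carries one, else "-"
    line: str        # raw log line, kept for the analyst


def scan_line(line: str) -> Optional[Alert]:
    """Return an Alert if this line references any decoy, else None.
    A failed login to a decoy account counts: nobody should know it exists."""
    line = line.rstrip()
    m = AUTH_RE.search(line)
    if m and m["user"] in DECOY_USERS:
        return Alert("decoy_account", m["user"], m["src"], m["user"], line)
    m = FILE_RE.search(line)
    if m:
        if m["user"] in DECOY_USERS:
            return Alert("decoy_account", m["user"], m["src"], m["user"], line)
        if m["path"] in DECOY_FILES:
            return Alert("decoy_file", m["path"], m["src"], m["user"], line)
    m = CONN_RE.search(line)
    if m and m["dst"] in DECOY_HOSTS:
        return Alert("decoy_host", m["dst"], m["src"], "-", line)
    return None


def scan_log(text: str) -> list:
    """Scan a whole log blob; non-matching lines are simply skipped."""
    return [a for a in (scan_line(l) for l in text.splitlines()) if a]


def alerts_by_source(alerts) -> Counter:
    """Count alerts per source address: one address hitting several
    different decoys is the strongest sign of an intruder moving around."""
    return Counter(a.source_ip for a in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] {a.indicator} touched from {a.source_ip} as {a.actor}")
    print("alerts per source:", dict(alerts_by_source(found)))
```

On the constructed log the monitor fires three times: a failed login to the decoy account, bob opening the decoy payroll file, and a connection to the decoy host; two of those come from the same address, which is the kind of correlation that lets a defender act before the intruder reaches anything real.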