Hacker attacks on SWIFT payments

hacker at work with graphic user interface around81 million US dollars – criminals have stolen this enormous sum from the central bank of Bangladesh, not in a movie-style heist but very quietly via hacking. The thieves made more than 30 bank transfers from the account of the Bangladesh Bank at the New York Federal Reserve Bank (Fed) to Philippine accounts. This case and others show that inter-bank payments are a lucrative target, and that the security of the SWIFT international financial network is vulnerable. Penetrating this network certainly requires a lot of effort, however the loot that can be expected is even greater. In view of such professional attacks, the security of payments is at the top of the agenda once again. Continue reading

EBICS and TLS 1.2 – somewhat more secure but not without its snags

Safety concept: Closed Padlock on digital backgroundCurd Reinert, Project Manager EBICS-Kernel, PPI AG

Anyone looking at the EBICS specification might be surprised to learn that it still prescribes version 1.0 for the Transport Layer Security (TLS). At one time that was a very wise choice – when the EBICS specification was published, TLS 1.0 was the latest technology. So this was mainly a decision against SSL, which put manufacturers and operators in a nice position e.g. concerning POODLE. EBICS ruled out SSL and so EBICS applications were safe from POODLE. It wouldn’t have had much of a chance with an EBICS client anyway: the attacker makes the client send thousands of requests to the HTTPS server so that, for example, it can access the session cookie. But EBICS doesn’t use session cookies, and the clients aren’t web applications that would execute malicious JavaScript code to send thousands of requests. But try explaining that to the auditors! Continue reading

Subscribe to posts:

Tags: |