Next Gen Payment Channels Security - A Deep Dive October 2019


Page 1: Next Gen Payment Channels Security - A Deep Dive … · Cyber Maturity Assessment API Security ATM Security Payment System Review Five Pillars-Organization Security - Holistic view

Next Gen Payment Channels Security- A Deep Dive

October 2019

Page 2

Table of contents

1. Setting the Context

2. Next Generation Banking Channel Attacks

3. ATM Security

4. Payment Systems Security

5. API Security

Page 3

3© 2019 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Document Classification: KPMG Confidential

Setting the Context

Page 4

Banking 4.0 – The Evolution

4.0 – Utility and Trust
- APIs
- Core utility of the bank delivered via the mobile channel
- No branches and no humans in the sale of banking products or the use of services

3.0 – Bank Anywhere and Anytime
- Internet (24/7)
- The bank as a building diminished
- Core utility of the bank delivered via the mobile channel
- Trust shifted from the bank to banking technologies

2.0 – ERMA and Mainframes
- Unique account numbers
- Self-service banking (ATM)

1.0
- No bank account numbers
- Physical card with name and address
- No movement from branch to branch for nearly 30 years

1. Isolated technologies (blockchain or the smartphone): a data solution or a new-age channel for the bank.
2. Take a step back from the technologies and look at the world of banking.
3. The world is digitising: low friction and immediate responses, stronger commerce connections, scale-up and capacity.
4. Banking and financial services cannot remain tomorrow what they are today.

Next generation: utility-based banking, built not on products but on trust ratings (first-principles design thinking in banking, as with the iPhone: not iteration but utility).

Page 5

Banking Landscape - Today

The current landscape of the banking environment has evolved from traditional mechanisms such as cheques, demand drafts and other convertible instruments to more digital forms of payment: mobile banking, ATMs extended to offer value-added services, and mobile applications using APIs that connect to multiple financial institutions and core banking services.

Diagram: customer-facing channels (mobile applications, ATMs, online wallets) reach the bank's core banking system through APIs carried as HTTP requests; the core banking system in turn connects through APIs to international banks, partner banks / wallets and ATM / value-added services.

Page 6

New Face of Financial Crime – Cyber Crime

Page 7

Current Banking Landscape in Nepal

Over the last five years the number of cyber crimes targeting the Nepali banking industry has increased, with losses amounting to several million USD.

In 2016 there were approximately 9.6 ATMs per hundred thousand adults in Nepal.[1]

• At present there are a total of 28 commercial banks in Nepal.[2]
• So far a total of 3585 branches of commercial banks have been established across the nation.
• 23 finance companies in Nepal with 205 branches
• 90 micro credit development banks in Nepal with 4644 branches

Categories of banks in Nepal
• The Central Bank of Nepal: Nepal Rastra Bank
• Commercial Banks (Class ‘A’ Banks)
• Development Banks (Class ‘B’ Banks)
• Finance Companies (Class ‘C’ Banks)
• Micro Credit Development Banks (Class ‘D’ Banks)

According to the Central Research Bureau of Nepal Police, within seven years 44 social network abuse cases have been registered in court and 62 people have been arrested for internet fraud. Meanwhile, 52 foreign citizens have been arrested for call bypass and ATM hacking.[3]

Most Targeted Banking Channels
• ATM jackpotting
• SWIFT or payment system attacks
• Social media frauds

1 https://www.statista.com/statistics/673235/automated-teller-machines-nepal/
2 https://www.nrb.org.np/bfr/statistics/cms_pdf/Asar_2076%20(Mid%20Jul%202019).pdf
3 https://ictframe.com/nepal-in-high-risk-of-cyber-attacks/

Page 8

The Five Pillars – Enhanced Security

Risk dimensions covered: Operation Risk, Technology Risk, Fraud Risk

Cyber Maturity Assessment
- Organization security
- Holistic view of the security posture of the bank
- Review of current security implementations and security roadmap

API Security
- Third-party channel security
- Authentication and authorization
- ATM, payment, accounts and forex API security

Payment System Review
- Bank-to-bank channel security
- SWIFT security implementations
- POS terminal security systems and implementations
- Payment gateway and digital transaction security

ATM Security
- Customer channel security
- Physical security
- Logical security (network and application)
- Logging and monitoring

Page 9

Next Generation Banking Channel Attacks

Page 10

Next Generation Banking Channel Attacks – Channel #1

Path: bank mobile application → banking application server (APIs) → core banking system and payment systems

1. A malicious backdoor is installed on the customer's phone.

2. The mobile application is vulnerable. The attacker leverages application-level vulnerabilities to execute targeted exploits against the server:
   a) OTP bypass, using mobile spyware such as the Zeus malware family to capture one-time passwords
   b) Unauthorized transactions: the attacker manipulates the backend API requests sent by the mobile application in order to perform unauthorized transactions
   c) Malware infection: the attacker uses the application server as a channel to deliver customised payloads to the core banking systems and compromise them

3. At the core banking system:
   a), b) In both cases the core banking solution approves the transaction, since it has no way to identify whether the request is legitimate
   c) Furthermore, if the CBS is compromised, the attacker may perform malicious actions on the solution itself

Page 11

Next Generation Banking Channel Attacks – Channel #2

Path: bank staff endpoints → core banking system and payment systems → ATMs

1. An attacker executes a spear-phishing campaign against the bank with malware as the attachment.

2. The attacker executes the backdoor, harvests credentials and uses them to gain access to the administrator systems.

3. The attacker remotely logs into the admin / operator PC and monitors the admin's behaviour, then logs into the core banking system through the admin system.

4. The attacker exploits vulnerabilities in the core banking application and payment systems to perform malicious transactions.

5. The attacker reaches the ATMs and manipulates the XFS (eXtensions for Financial Services) API that drives the cash dispenser, programming it to dispense cash at periodic intervals.

6. The attacker may also use additional routes, such as electronic transfers and digital wallets, to move funds to other destinations.
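The step-5 cash-out above has a property a defender can use: every legitimate dispense is preceded by an approved authorisation from the ATM switch, while malware calling the dispenser through XFS produces dispenses with no host transaction behind them, usually on a fixed timer. The following is an added example (not part of the KPMG deck) that reconciles an ATM's electronic-journal dispense events against switch approvals and flags the unmatched ones. The two log formats and field names are constructed for illustration; real electronic journals and switch logs (Base24 and others) differ by vendor, so the parsers are an assumption to be replaced.

```python
"""Reconcile ATM cash-dispense events against switch authorisations.

Added example, not from the KPMG deck. The log formats below are
constructed for illustration; real ATM electronic journals and switch
logs differ per vendor, so the two parsers are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import pstdev


@dataclass(frozen=True)
class Dispense:
    atm: str
    ts: datetime
    amount: int          # in the ATM's currency units
    cassette_ok: bool


@dataclass(frozen=True)
class Authorisation:
    atm: str
    ts: datetime
    amount: int
    pan_masked: str


# Constructed sample data: one ATM with a normal customer withdrawal,
# then three dispenses at an exact 10-minute cadence with no host
# authorisation behind them (the Channel #2 jackpotting pattern).
EJ_LINES = [
    "2019-10-02T09:14:03 ATM=NP0142 EVENT=DISPENSE AMOUNT=20000 STATUS=OK",
    "2019-10-02T23:00:00 ATM=NP0142 EVENT=DISPENSE AMOUNT=50000 STATUS=OK",
    "2019-10-02T23:10:00 ATM=NP0142 EVENT=DISPENSE AMOUNT=50000 STATUS=OK",
    "2019-10-02T23:20:00 ATM=NP0142 EVENT=DISPENSE AMOUNT=50000 STATUS=OK",
]
SWITCH_LINES = [
    "2019-10-02T09:13:58 TERM=NP0142 MTI=0200 RESP=00 AMOUNT=20000 PAN=411111******1111",
]


def parse_kv(line: str) -> dict[str, str]:
    """Split 'ts KEY=VAL KEY=VAL' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    d = {"ts": ts}
    for p in pairs:
        k, _, v = p.partition("=")
        d[k] = v
    return d


def load_dispenses(lines):
    out = []
    for d in map(parse_kv, lines):
        if d.get("EVENT") == "DISPENSE":
            out.append(Dispense(d["ATM"], datetime.fromisoformat(d["ts"]),
                                int(d["AMOUNT"]), d["STATUS"] == "OK"))
    return out


def load_authorisations(lines):
    out = []
    for d in map(parse_kv, lines):
        if d.get("MTI") == "0200" and d.get("RESP") == "00":   # approved financial request
            out.append(Authorisation(d["TERM"], datetime.fromisoformat(d["ts"]),
                                     int(d["AMOUNT"]), d["PAN"]))
    return out


def unmatched_dispenses(dispenses, auths, window=timedelta(seconds=30)):
    """Return dispenses with no approved authorisation for the same ATM and
    amount within `window` before the dispense. Each authorisation may be
    consumed once, so a repeated dispense cannot hide behind an old approval."""
    pool = sorted(auths, key=lambda a: a.ts)
    used = set()
    flagged = []
    for disp in sorted(dispenses, key=lambda x: x.ts):
        match = None
        for i, a in enumerate(pool):
            if i in used or a.atm != disp.atm or a.amount != disp.amount:
                continue
            if timedelta(0) <= disp.ts - a.ts <= window:
                match = i
                break
        if match is None:
            flagged.append(disp)
        else:
            used.add(match)
    return flagged


def periodic_cadence(events, tolerance=timedelta(seconds=5)) -> bool:
    """True when three or more events are spaced at a near-constant interval,
    which is what a scripted dispense loop looks like and a customer does not."""
    if len(events) < 3:
        return False
    ts = sorted(e.ts for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) <= tolerance.total_seconds()


def detect(ej_lines, switch_lines):
    flagged = unmatched_dispenses(load_dispenses(ej_lines), load_authorisations(switch_lines))
    return {"unauthorised": flagged, "scripted": periodic_cadence(flagged)}


if __name__ == "__main__":
    r = detect(EJ_LINES, SWITCH_LINES)
    for d in r["unauthorised"]:
        print(f"ALERT {d.atm} {d.ts.isoformat()} dispensed {d.amount} with no host authorisation")
    print("scripted cadence:", r["scripted"])
```

The reconciliation has to run on data the compromised host cannot rewrite: the electronic journal should be forwarded off the ATM and the switch log taken from the switch itself, otherwise an attacker who already owns the bank network (steps 2 to 4) can tidy both sides.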

Page 12

Next Generation Banking Channel Attacks – Channel #3

1. An attacker targets the victim's card, which has contactless (NFC) payment capability.

2. The attacker reads the card data exposed over the contactless interface: card number, expiry date, card provider and, depending on the issuer's personalisation, the cardholder name.

3. Using the data obtained from the card, the attacker performs a social engineering attack such as phishing or vishing, portraying a potential compromise of the card.

4. After a successful social engineering attack, the attacker may perform unauthorized transactions through the victim's card account.

Page 13

ATM Security

Page 14

Our Understanding of an ATM Ecosystem

KPMG would adopt a phased approach to conducting the ATM security assessment, following the path from the ATM end points, through the aggregated nodes and the ATM switch, across the bank perimeter into the bank's internal network (diagram: End Point Site / External Network → Aggregated Nodes → ATM Switch → Perimeter of Bank → Bank Internal Network, serving Bank 1, Bank 2 and Bank 3).

Sample ATM machines (end point site / external network)

Physical checks
• ATM motion detection
• Lock picking
• Back panel
• Network port
• CPU access
• Skimming

Logical checks
• USB boot
• Data exfiltration
• Network port access
• ATM switch access
• ATM network access

Configuration review
• Operating system configuration review
• Network device configuration review

ATM switch: secure architecture review
• ATM architecture and design review

Bank internal network: configuration review
• Operating system configuration review
• Network device configuration review
• Firewall configuration review
• Firewall rule base review

VAPT of network infrastructure
• ATM nodes VAPT
• Base-24 switch VAPT
• Network VAPT
• Firewall network VAPT
• ATM interface and application VAPT

Page 15

Next Generation Banking Security - ATMs

Physical Security
• Presence of physical guards
• Review of CCTV cameras
• Presence of PIN shield
• Presence of vault locks; cash trapping checks

Logical Security
• Network access review
• Hardening review of routers, switches and OS

Compliance
• Compliance with regulatory / central bank guidelines

Application Security
• Review of validation at ATM systems, including incorrect PIN handling and card blocking

Enhanced ATM Security Reviews
• Lock picking of ATM locks
• Review of presence of shock sensors
• Motion detection of movement of ATM machines
• Bypass of physical security at ATMs (CCTV and physical)
• Card skimming prevention
• Network port protection
• Fraud prevention
• Network and infrastructure penetration testing of ATMs
• Lateral movement from the ATM network into the bank network
• Alternate boot of ATM systems
• ATM architecture review
• Malware protection and file integrity checks
• Framework-based assessment for alignment to leading practices such as:
  a) NIST SP 800-57
  b) ATM security guidance from mature regulators
  c) ATM Industry Association best practices
  d) PCI PTS ATM Security Guidelines
• ATM application security testing
• API security testing of ATM APIs connecting to core banking applications
• ATM application design review
• Thick client application review
• Communication and data tampering review

Page 16

Key Security Tests

# ATM Security Test Cases

1 ATM Network Scanning and Penetration Testing

2 ATM Network Architecture Security Review

3 Vault Passcode Bruteforce

4 Lock Picking to Access ATM Cash Vault

5 Lock Picking to Access ATM CPU

6 Access to Vault and CPU Panel using Master Key

7 Physical Security Bypass

8 Wireless HID Bypass

9 Data Exfiltration through Alternate Boot

10 Data Exfiltration through Network Sniffing

11 Access to Supervisor Mode through Default Credentials

12 Access to the Operating System through Default Credentials

13 Remote Access through HID Attacks

14 Clear text Storage of Sensitive Data

15 Clear text Communication of Sensitive Data by ATM Software

16 ATM Card Cloning

17 Malware Injection and Reverse Shell Access

18 Review of ATM Network Monitoring Process

19 Review of Anti-Malware Solutions

20 Review of Security Solutions and Integration

Page 17

Payments System Security

Page 18

Payment Systems Security Testing – Key Activities

Payment System Review tracks:

Track 1 – Payment Process Controls (SWIFT CSP review, AML and transaction business controls)
■ Review of inward and outward fund transfer processes through payment systems
■ Review of payment processes within the bank
■ Review of the transaction screening process
■ Review of the retention period for each record type
■ Anti-money laundering controls
■ Review of reconciliation systems
■ SWIFT daily validation reports
■ RMA relationships

Track 2 – Payment Application and Interface Security
■ Payment application user access management review and toxic combinations
■ Review of the non-repudiation of messages
■ Payment application routing rules review
■ Review of password management and user management
■ Review of the message routing rules
■ Review of the application interfaces

Track 3 – Payment Infrastructure Security
■ Active Directory review
■ Domain isolation and trust review
■ Configuration review for source systems
  o Servers – AIX, Linux, Solaris, Windows
  o Database – Oracle (GT Exchange)

Track 4 – Payment Security Incident Management
■ Logging and monitoring review
■ Review of incident management framework
■ Review of incident severity classification

Track 5 – VAPT and Social Engineering
■ Vulnerability assessment of payment servers
■ Penetration testing of payment servers
■ Targeted social engineering of payment-related users
■ End point security review
■ Printer security review

Page 19

Cyber Kill Chain – Payment Systems Security – TTPs (Not Just CSP)

Tactics
—Leverage vulnerabilities in the network architecture and SWIFT-related payment systems
—Exploit these vulnerabilities to modify SWIFT messages in transit
—Gain access to banking transactions and to vulnerable endpoints

Techniques
—PowerShell
—VBA / CIM
—WMI
—Cryptographic
—Obfuscated / encrypted files
—Zipped files
—Remote admin protocols
—Keyloggers
—Admin / accessible shares
—Cleanup scripts

Procedures
—Reconnaissance
—Exploitation
—Lateral Movement
—Privilege Escalation
—Exfiltration
—Denial of Service
—Message Tampering
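Three of the techniques listed (PowerShell, VBA and WMI) leave a distinctive trail in process-creation telemetry from the operator PCs in the payment environment, which is the cheapest place to catch the Channel #2 intrusion before it reaches the messaging interface. The following is an added example, not from the deck and not any vendor's rule set, that runs that detection logic over constructed Sysmon-style log lines: a script host spawned by an Office parent, a base64-encoded PowerShell command (decoded so the analyst sees what it does), and WMI remote process creation. The field names and the parent/child pairs treated as suspicious are this example's assumptions.

```python
"""Flag living-off-the-land techniques in process-creation logs.

Added example, not from the deck. The log lines are constructed in a
Sysmon-like 'key=value' layout; the field names and the parent/child
pairs treated as suspicious are assumptions, not a vendor rule set.
"""
from __future__ import annotations
import base64
import re
import shlex

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Constructed sample events: a benign scheduled script, a macro-launched
# encoded PowerShell download cradle, and WMI used to start a process on
# the messaging-interface host.
SAMPLE_LOGS = [
    'ts=2019-10-02T10:01:12 host=OPS-PC-07 parent=explorer.exe image=powershell.exe cmd="powershell.exe -File C:\\scripts\\backup.ps1"',
    'ts=2019-10-02T10:02:40 host=OPS-PC-07 parent=winword.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"',
    'ts=2019-10-02T10:03:05 host=OPS-PC-07 parent=powershell.exe image=wmic.exe cmd="wmic /node:SWIFT-MI-01 process call create cmd.exe"',
]


def parse_line(line: str) -> dict[str, str]:
    """Parse 'k=v k="quoted v"' into a dict; shlex keeps quoted values intact."""
    d = {}
    for tok in shlex.split(line):
        k, _, v = tok.partition("=")
        d[k] = v
    return d


def decode_encoded_command(cmd: str) -> str | None:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(lines):
    """Return one finding per suspicious event, with every reason that fired."""
    findings = []
    for ev in map(parse_line, lines):
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmd"]
        reasons = []
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append(f"script host {image} spawned by Office parent {parent}")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append(f"encoded PowerShell: {decoded!r}")
        if image == "wmic.exe" and re.search(r"(?i)process\s+call\s+create", cmd):
            reasons.append("WMI remote process creation")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f["ts"], f["host"], f["image"])
        for r in f["reasons"]:
            print("   ", r)
```

The benign first line produces no finding, which matters as much as the two alerts: a rule that fires on every PowerShell launch in a payments back office is switched off within a week.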

Page 20

Security – Illustrative Threat Modelling and Test Scenarios (STRIDE)

Spoofing (S)
• An attacker spoofs the IP address of an operator to gain access to the Payment System applications
• An operator clicks on a malicious link in an e-mail, unknowingly downloading malware which compromises the local PC

Tampering (T)
• An advanced attacker modifies the executable of the messaging interface and is not detected because software integrity checking has not been implemented
• A lack of database integrity checking allows targeted malware to delete database records while performing unauthorised transactions
• A malicious version of a software update is installed because the checksum is not verified at the time of download

Repudiation (R)
• An attacker positioned between the back office and the messaging interface injects unauthenticated transactions
• An attacker creates a man-in-the-middle attack to change the beneficiary accounts of valid SWIFT transactions
• An attacker with network access to the secure zone compromises the integrity of the transactions in transit between the messaging and communication interface

Information Disclosure (I)
• Unencrypted backups of Payment System servers are transmitted over an insecure network connection, resulting in an adversary gaining read access to all recent messaging traffic records
• Information disclosure due to poorly configured systems

Denial of Service (D)
• Exploit existing vulnerabilities on Payment System servers to perform a denial of service attack
• Physically shut down SWIFT servers to execute denial of service
• Create multiple messages to overwhelm the Payment System server and perform denial of service

Elevation of Privilege (E)
• Attackers gain administrative access to an operator's PC, allowing the attacker to compromise the local account database and reuse the stored hashes to access other systems
• An attacker is able to perform surveillance on an unencrypted operator session, and steals credentials to create a fraudulent SWIFT transaction
• An operator with excess administrative privileges deletes logs and other forensic evidence to hide unauthorized actions
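Two of the tampering scenarios above (a modified messaging-interface executable that goes unnoticed, and an update installed without checking its checksum) and the "malware protection and file integrity checks" item in the ATM section share one control: a signed baseline of the binaries that is re-verified on a schedule, plus an out-of-band checksum check before any package is installed. The following is an added example (not the deck's or any vendor's code) of that control. It creates its sample files in a temporary directory so it runs offline; the HMAC key is a stand-in for a signing key that in production would live outside the host being checked (an HSM or offline signer), which is an assumption of this example.

```python
"""Baseline and verify the integrity of payment-interface binaries.

Added example, not the deck's or any vendor's code. Files are created in
a temporary directory so the example runs offline. KEY is a placeholder
for a signing key that in production is held off-host (HSM or offline
signer); that, and the file names, are assumptions of this example.
"""
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

KEY = b"example-manifest-signing-key"   # constructed; never hard-code in production


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes = KEY) -> dict:
    """Hash every regular file under root and authenticate the sorted listing."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": hmac.new(key, _canonical(files), "sha256").hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes = KEY) -> dict:
    """Return modified / missing / unexpected files. Refuses a manifest whose
    MAC does not verify: an attacker who can edit the binary can also edit an
    unauthenticated hash list sitting next to it."""
    expected_mac = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        raise ValueError("manifest MAC invalid: do not trust its hashes")
    current = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    expected = manifest["files"]
    return {
        "modified": sorted(f for f in expected if f in current and current[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in current),
        "unexpected": sorted(f for f in current if f not in expected),
    }


def verify_download(path: Path, published_sha256: str) -> bool:
    """The check the 'malicious update' scenario lacks: compare the downloaded
    package against the checksum published out-of-band before installing it."""
    return hmac.compare_digest(sha256_file(path), published_sha256.lower())


def demo() -> dict:
    """Constructed walkthrough: baseline, tamper with one binary, drop a stray
    DLL, re-verify, then check a download against a good and a wrong checksum."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "msgif.exe").write_bytes(b"MZ original messaging interface")
        (root / "bin" / "router.dll").write_bytes(b"MZ routing rules engine")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        (root / "bin" / "msgif.exe").write_bytes(b"MZ backdoored messaging interface")
        (root / "bin" / "dropped.dll").write_bytes(b"MZ implant")
        after_tamper = verify_manifest(root, manifest)
        pkg = root / "update.zip"
        pkg.write_bytes(b"downloaded update package")
        update_ok = verify_download(pkg, hashlib.sha256(b"downloaded update package").hexdigest())
        update_swapped = verify_download(pkg, hashlib.sha256(b"vendor's real package").hexdigest())
        return {"clean": clean, "after_tamper": after_tamper,
                "update_ok": update_ok, "update_swapped": update_swapped}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a host the payment operators cannot log into, and treat a MAC failure as an incident rather than a parsing error: it means either the key or the manifest has been touched.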

Page 21

API Security

Page 22

APIs in the Banking System and Review Areas

Review Areas
• Confidentiality
  - Transport confidentiality
  - Message confidentiality
• Authentication
  - Server authentication
  - User authentication
• Message integrity
• Authorization
• Validation
  - Schema validation
  - Content validation
• Availability
  - Message throughput
  - XML denial of service protection

Account Access APIs
• Information
• Balance
• Transaction
• Beneficiaries
• Standing orders
• Direct debits
• Products

Payments APIs
• Fund transfer
• Immediate payment transfer
• Push payment service
• Retail loans from third parties

ATM APIs
• Service access point APIs: read-only APIs for ATM locator and branch locator
• Static APIs for postal address, locations etc.

Bank Product APIs
• These APIs are used to access details about the various products offered by the bank. This is an open data API.

Page 23

API Security Testing Approach

API workflow (diagram): the client sends a request (SOAP or REST format) carrying a token / authentication key to the API, which queries the database and returns the response.

Common Web Service Threats:
1. SQL injection
2. XPath injection
3. External entity (XXE) attacks
4. MITM attacks
5. DoS
6. Improper error handling
7. Broken access control, etc.

Approach:

Analysis
►Analyse the business process: assets, users, entry points, scope of the testing
►Understand the web service and its purpose
►Define security threats: CIA, general web service threats

Penetration Testing
►Find general vulnerabilities manually using the client-provided WSDL file, securing input to and output from the application
►Perform automated pentest activities using tools like SoapUI, Postman, SOAtest, etc.
►Identify all the vulnerabilities obtained in the manual and automated testing process

Reporting
►Prepare a detailed consolidated report with observations, severity levels and recommendations for all vulnerabilities uncovered
►Present all findings to the respective stakeholders

Page 24

API Security Testing – Illustrative Scenario – Sensitive Data Extraction

Objective: extract sensitive user details such as credit score from the application
Status: successful

1. The attacker discovers that the banking mobile application communicates with the server over API calls.

2. The test team accesses the mobile application that communicates with the banking application server through a RESTful API.

3. The application allows retrieval of account information for the authorized person who has logged in. The attacker manipulates the request parameters and fetches additional information stored in the database, not only for the current user but for other customers as well.

4. Sensitive user information accessed from the bank DB: email address, CIBIL score, first name and last name.

Page 25

API Security Testing – Illustrative Scenario – Logic Bypass

Objective: make a successful fund transfer through an unauthorized user account
Status: successful

1. The attacker initiates a fund transfer request through a compromised netbanking account.

2. The attacker manipulates the HTTP request so that the funds are drawn from the victim's bank account.

3. The application server checks the beneficiary account number.

4. The transaction is forwarded to the bank server for validation.

5. The funds are transferred from the victim's bank account to the attacker's account, since the application does not perform logic validations.
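Both illustrative scenarios, and step 2(b) of Channel #1, come down to one server-side mistake: the handler takes the account to read or debit from the request body instead of from the authenticated session, and only validates the parts the attacker does not need to change (the beneficiary). The following is an added example, not the tested application's code, showing the vulnerable handler beside the hardened one for each scenario and replaying the two manipulations against both. The in-memory accounts, the session object and the handler signatures are constructed for illustration.

```python
"""Vulnerable and hardened handlers for the two API scenarios above.

Added example, not the tested application's code. ACCOUNTS, Session and
the handler signatures are constructed for illustration; the point is
where the server decides whose account a request may touch.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    owner: str                      # customer id
    balance: int
    profile: dict = field(default_factory=dict)


@dataclass
class Session:
    customer_id: str                # set by the server at login, never by the client


class Forbidden(Exception):
    pass


# Constructed sample data.
ACCOUNTS = {
    "1001": Account("1001", "cust-A", 50_000,
                    {"name": "A. Customer", "email": "a@example.test", "credit_score": 780}),
    "2002": Account("2002", "cust-B", 20_000,
                    {"name": "B. Customer", "email": "b@example.test", "credit_score": 640}),
    "3003": Account("3003", "cust-C", 1_000),
}


# --- Scenario: sensitive data extraction (account lookup keyed on a client value) ---

def account_info_vulnerable(session: Session, params: dict) -> dict:
    """Trusts ?account=... outright: any logged-in user can read any account."""
    acct = ACCOUNTS[params["account"]]
    return {"number": acct.number, "balance": acct.balance, **acct.profile}


def account_info_hardened(session: Session, params: dict) -> dict:
    """The lookup is scoped to accounts owned by the session's customer."""
    acct = ACCOUNTS.get(params["account"])
    if acct is None or acct.owner != session.customer_id:
        # Same response for 'not yours' and 'does not exist', so the parameter
        # cannot be used to enumerate valid account numbers.
        raise Forbidden("account not found")
    return {"number": acct.number, "balance": acct.balance, **acct.profile}


# --- Scenario: logic bypass (source account taken from the request) ---

def transfer_vulnerable(session: Session, params: dict) -> dict:
    """Checks that the beneficiary exists but never that the caller owns the
    source account, so editing 'source' in the request debits a victim."""
    src, dst = ACCOUNTS[params["source"]], ACCOUNTS[params["beneficiary"]]
    amount = int(params["amount"])
    src.balance -= amount
    dst.balance += amount
    return {"status": "ok", "from": src.number, "to": dst.number, "amount": amount}


def transfer_hardened(session: Session, params: dict) -> dict:
    """Ownership of the source is checked against the session, the amount is
    validated server-side, and nothing moves until every check passes."""
    src = ACCOUNTS.get(params["source"])
    dst = ACCOUNTS.get(params["beneficiary"])
    amount = int(params["amount"])
    if src is None or src.owner != session.customer_id:
        raise Forbidden("source account not owned by caller")
    if dst is None or dst.number == src.number:
        raise ValueError("invalid beneficiary")
    if amount <= 0 or amount > src.balance:
        raise ValueError("invalid amount")
    src.balance -= amount
    dst.balance += amount
    return {"status": "ok", "from": src.number, "to": dst.number, "amount": amount}


def run_attack() -> dict:
    """Replay the two tested manipulations against both handler versions."""
    attacker = Session("cust-C")        # logged in legitimately as customer C
    result = {}
    # data extraction: attacker asks for customer A's account by number
    result["idor_leak"] = account_info_vulnerable(attacker, {"account": "1001"})
    try:
        account_info_hardened(attacker, {"account": "1001"})
        result["idor_blocked"] = False
    except Forbidden:
        result["idor_blocked"] = True
    # logic bypass: source = victim's account, beneficiary = attacker's own
    req = {"source": "1001", "beneficiary": "3003", "amount": "5000"}
    result["bypass_debited_victim"] = transfer_vulnerable(attacker, req)["from"] == "1001"
    try:
        transfer_hardened(attacker, req)
        result["bypass_blocked"] = False
    except Forbidden:
        result["bypass_blocked"] = True
    return result


if __name__ == "__main__":
    print(run_attack())
```

The hardened versions never consult the client for identity: the customer id comes from the session the server created at login, and every account reference in the request is resolved against that customer's own accounts before anything is read or debited.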

Page 26

Your Concerns.

Page 27

© 2019 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be

no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough

examination of the particular situation.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Thank you