Next Gen Payment Channels Security - A Deep Dive
October 2019
Table of contents
1. Setting the Context
2. Next Generation Banking Channel Attacks
3. ATM Security
4. Payment Systems Security
5. API Security
© 2019 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Document Classification: KPMG Confidential
Setting the Context
Banking 4.0 – The Evolution
4.0 Utility and Trust
- APIs
- The core utility of the bank consumed through the mobile channel
- No branches and no humans in the sale of banking products or the use of services
3.0 Bank Anywhere and Anytime
- Internet (24/7)
- The bank as a building diminishes
- The core utility of the bank consumed through the mobile channel
- Trust shifts from the bank to banking technologies
2.0 ERMA and Mainframes
- Unique account numbers
- Self-service banking (ATM)
1.0 No Bank Account Numbers
- Physical card with name and address
- No movement from branch to branch for nearly 30 years
1. Isolated technologies such as blockchain or the smartphone: a data solution, or a new-age channel for the bank?
2. Take a step back from the technologies and look at the world of banking.
3. The world is digitising: low friction and immediate responses, stronger commerce connections, scale-up and capacity.
4. Banking and financial services cannot stay tomorrow what they are today.
Next generation: utility-based banking, built not on products but on trust ratings (first-principles design thinking in banking, in the way the iPhone was utility rather than iteration).
Banking Landscape - Today
The current banking landscape has evolved from traditional mechanisms such as cheques, demand drafts and other convertible instruments to digital forms of payment: mobile banking, ATMs extended with value-added services, and mobile applications that use APIs to connect to multiple financial institutions and core banking services.
Diagram: the bank's mobile applications, ATMs and online wallets reach the core banking system over APIs (HTTP requests); the core banking system in turn connects over APIs to international banks, partner banks / wallets, and ATM / value-added services.
New Face of Financial Crime – Cyber Crime
Current Banking Landscape in Nepal
Over the last five years the number of cyber crimes targeting the Nepal banking industry has increased, amounting to losses of several million USD [3].
In 2016 there were approximately 9.6 ATMs per hundred thousand adults in Nepal [1].
• At present there are 28 commercial banks in Nepal [2].
• So far, 3585 branches of commercial banks have been established across the nation.
• 23 finance companies in Nepal with 205 branches.
• 90 micro credit development banks in Nepal with 4644 branches.
Categories of banks in Nepal
• The central bank of Nepal: Nepal Rastra Bank
• Commercial banks (Class ‘A’ banks)
• Development banks (Class ‘B’ banks)
• Finance companies (Class ‘C’ banks)
• Micro credit development banks (Class ‘D’ banks)
According to the Central Research Bureau of Nepal Police, within seven years 44 social network abuse cases have been registered in court and 62 people have been arrested for internet fraud. Meanwhile, 52 foreign citizens have been arrested for call bypass fraud and ATM hacking.
Most Targeted Banking Channels
• ATM jackpotting
• SWIFT or payment system attacks
• Social media fraud
Sources
1 https://www.statista.com/statistics/673235/automated-teller-machines-nepal/
2 https://www.nrb.org.np/bfr/statistics/cms_pdf/Asar_2076%20(Mid%20Jul%202019).pdf
3 https://ictframe.com/nepal-in-high-risk-of-cyber-attacks/
The Five Pillars – Enhanced Security
The pillars are positioned against three risk dimensions: operational risk, technology risk and fraud risk.
Cyber Maturity Assessment (Organization Security)
- Holistic view of the security posture of the bank
- Review of current security implementations and the security roadmap
API Security (Third Party Channel Security)
- Authentication and authorization
- ATM, payment, accounts and forex API security
Payment System Review (Bank to Bank Channel Security)
- SWIFT security implementations
- POS terminal security systems and implementations
- Payment gateway and digital transaction security
ATM Security (Customer Channel Security)
- Physical security
- Logical security (network and application)
- Logging and monitoring
Next Generation Banking Channel Attacks
Next Generation Banking Channel Attacks – Channel #1
Diagram: bank mobile application → banking application server (APIs) → core banking system and payment systems.
1. A malicious backdoor is installed on the customer's phone.
2. The mobile application itself is vulnerable. The attacker leverages mobile application-level vulnerabilities to execute targeted exploits against the server:
a) OTP bypass, using mobile spyware such as the Zeus malware family
b) Unauthorized transactions: the attacker manipulates the backend API requests sent by the mobile application in order to perform unauthorized transactions
c) Malware infection: the attacker uses the application server as a channel to deliver customized payloads to the core banking systems and compromise them
3. On the core banking side:
a) and b) The core banking solution approves the transaction, since it has no way to establish its legitimacy: the request arrives through the trusted application server and cannot be distinguished from a genuine one
c) If the core banking system (CBS) is compromised, the attacker can perform malicious actions directly on the solution
Next Generation Banking Channel Attacks – Channel #2
Diagram: bank staff workstation → admin / operator PC → core banking system and payment systems → ATMs and other channels.
1. An attacker executes a spear phishing campaign against the bank with malware as the attachment.
2. The attacker executes the backdoor, uses the harvested credentials and gains access to the administrator systems.
3. The attacker remotely logs into the admin / operator PC and monitors the admin's behaviour, then logs into the core banking system through the admin system.
4. The attacker exploits vulnerabilities in the core banking application and payment systems to perform malicious transactions.
5. The attacker manipulates the XFS API connecting to the ATM and programs it to dispense cash at periodic intervals. The attacker may also use additional routes, such as electronic transfers and digital wallets, to transfer funds to other destinations.
Next Generation Banking Channel Attacks – Channel #3
1. An attacker targets the victim's card, which has contactless payment capabilities such as NFC.
2. The attacker reads the card data: card number, expiry date, card provider and card holder name.
3. Using the data obtained from the card, the attacker performs a social engineering attack, such as phishing or vishing, portraying a potential compromise of the card. The contactless interface does not expose the CVV2 or the PIN, which is why this step is needed.
4. After successful social engineering, the attacker may perform unauthorized transactions through the victim's card account.
ATM Security
Our Understanding of an ATM Ecosystem
KPMG would adopt a phased approach to conducting the ATM security assessment.
Diagram: sample ATM machines at the end point site / external network → aggregated nodes → ATM switch → perimeter of the bank → Bank 1 / Bank 2 / Bank 3 on the bank internal network.
1. Physical checks (sample ATM machines)
• ATM motion detection
• Lock picking
• Back panel
• Network port
• CPU access
• Skimming
2. Logical checks
• USB boot
• Data exfiltration
• Network port access
• ATM switch access
• ATM network access
3. Configuration review (end point site / external network)
• Operating system configuration review
• Network device configuration review
4. Secure architecture review (ATM switch)
• ATM architecture and design review
5. and 6. Configuration review (bank perimeter and internal network)
• Operating system configuration review
• Network device configuration review
• Firewall configuration review
• Firewall rule base review
7. VAPT of network infrastructure
• ATM nodes VAPT
• Base-24 switch VAPT
• Network VAPT
• Firewall network VAPT
• ATM interface and application VAPT
Next Generation Banking Security - ATMs
Physical Security
• Presence of physical guards
• Review of CCTV cameras
• Presence of PIN shield
• Presence of vault locks and checks for cash trapping
Logical Security
• Network access review
• Hardening review of routers, switches and OS
Compliance
• Compliance with regulatory / central bank guidelines
Application Security
• Review of validation at ATM systems, including incorrect PIN handling and card blocking
Enhanced ATM Security Reviews
• Lock picking of ATM locks
• Review of the presence of shock sensors
• Motion detection of movement of ATM machines
• Bypass of physical security at ATMs (CCTV and physical)
• Card skimming prevention
• Network port protection
• Fraud prevention
• Network and infrastructure penetration testing of ATMs
• Lateral movement from the ATM network into the bank network
• Alternate boot of ATM systems
• ATM architecture review
• Malware protection and file integrity checks
• Framework-based assessment for alignment to leading practices such as:
a) NIST SP 800-57
b) ATM security guidance from mature regulators
c) ATM Industry Association best practices
d) PCI PTS ATM Security Guidelines
• ATM application security testing
• API security testing of ATM APIs connecting to core banking applications
• ATM application design review
• Thick client application review
• Communication and data tampering review
Key Security Tests
# ATM Security Test Cases
1 ATM Network Scanning and Penetration Testing
2 ATM Network Architecture Security Review
3 Vault Passcode Brute Force
4 Lock Picking to Access ATM Cash Vault
5 Lock Picking to Access ATM CPU
6 Access to Vault and CPU Panel using Master Key
7 Physical Security Bypass
8 Wireless HID Bypass
9 Data Exfiltration through Alternate Boot
10 Data Exfiltration through Network Sniffing
11 Access to Supervisor Mode through Default Credentials
12 Access to the Operating System through Default Credentials
13 Remote Access through HID Attacks
14 Cleartext Storage of Sensitive Data
15 Cleartext Communication of Sensitive Data by ATM Software
16 ATM Card Cloning
17 Malware Injection and Reverse Shell Access
18 Review of ATM Network Monitoring Process
19 Review of Anti-Malware Solutions
20 Review of Security Solutions and Integration
Payments System Security
Payment Systems Security Testing – Key Activities
Payment System Review
Track 1: Payment Process Controls (SWIFT CSP review, AML and transaction business controls)
■ Review of inward and outward fund transfer processes through payment systems
■ Review of payment processes within the bank
■ Review of the transaction screening process
■ Review of the retention period for each record type
■ Anti-money laundering controls
■ Review of reconciliation systems
■ SWIFT Daily Validation Reports
■ RMA relationships
Track 2: Payment Infrastructure Security
■ Active Directory review
■ Domain isolation and trust review
■ Configuration review for source systems
o Servers – AIX, Linux, Solaris, Windows
o Database – Oracle (GT Exchange)
Track 3: Payment Application and Interface Security
■ Payment application user access management review and toxic combinations
■ Review of the non-repudiation of messages
■ Payment application routing rules review
■ Review of password management and user management
■ Review of the message routing rules
■ Review of the application interfaces
Track 4: Payment Security Incident Management
■ Logging and monitoring review
■ Review of the incident management framework
■ Review of incident severity classification
Track 5: VAPT and Social Engineering
■ Vulnerability assessment of payment servers
■ Penetration testing of payment servers
■ Targeted social engineering of payment-related users
■ End point security review
■ Printer security review
Cyber Kill Chain – Payment Systems Security – TTPs (Not Just CSP)
Tactics (attacker goals)
• Leverage vulnerabilities in the network architecture and SWIFT-related payment systems
• Exploit these vulnerabilities to modify SWIFT messages in transit
• Gain access to banking transactions and to vulnerable endpoints
Techniques
• PowerShell
• VBA / CIM
• WMI
• Cryptographic tooling
• Obfuscated / encrypted files
• Zipped files
• Remote admin protocols
• Keyloggers
• Admin / accessible shares
• Cleanup scripts
Procedures (kill chain phases)
• Reconnaissance
• Exploitation
• Lateral movement
• Privilege escalation
• Exfiltration
• Denial of service
• Message tampering
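The control that defeats the "modify SWIFT messages in transit" and "message tampering" items above is authentication of the business fields of every instruction by the originating system, so that the receiving interface can tell a genuine message from a modified or injected one. The following is an added example written for this page, not KPMG's, SWIFT's or any vendor's code: the back office puts an HMAC-SHA256 tag over the protected fields, and the messaging interface rejects anything whose tag does not verify or whose sequence number repeats. The message layout, the shared key (BACK_OFFICE_KEY), the field names and the sample instructions are all constructed for the demonstration.

```python
"""Message-level authentication for payment instructions (added example)."""
import hashlib
import hmac
import json

# Hypothetical shared key between back office and messaging interface.
# Constructed for the demo; in production it lives in an HSM or key store.
BACK_OFFICE_KEY = b"constructed-demo-key-not-for-production"

# Business fields that the tag protects. Anything outside this tuple is
# unauthenticated and must not influence processing.
PROTECTED_FIELDS = ("seq", "debtor", "beneficiary", "amount", "currency")


def canonical(msg: dict) -> bytes:
    """Deterministic encoding of the protected fields (sorted keys, no whitespace)."""
    fields = {k: msg[k] for k in PROTECTED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(msg: dict, key: bytes = BACK_OFFICE_KEY) -> dict:
    """Back-office side: attach an HMAC-SHA256 tag over the protected fields."""
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "mac": tag}


class MessagingInterface:
    """Receiving side: verifies the tag and enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes = BACK_OFFICE_KEY):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, msg: dict) -> str:
        if not all(k in msg for k in PROTECTED_FIELDS):
            return "rejected: malformed"
        tag = msg.get("mac")
        if not tag:
            return "rejected: unauthenticated"
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, tag):
            return "rejected: tampered"
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        self.accepted.append(msg)
        return "accepted"


def run_demo() -> dict:
    """Replay the page's in-transit scenarios against the interface and report each verdict."""
    mi = MessagingInterface()
    legit = sign_message({"seq": 1, "debtor": "NP0001", "beneficiary": "DE9999",
                          "amount": "250000.00", "currency": "USD"})
    # Scenario: a man-in-the-middle swaps the beneficiary on a valid message.
    swapped = {**legit, "beneficiary": "AT1234"}
    # Scenario: an attacker between back office and interface injects its own instruction.
    injected = {"seq": 2, "debtor": "NP0001", "beneficiary": "AT1234",
                "amount": "990000.00", "currency": "USD"}
    return {
        "legit": mi.receive(legit),
        "beneficiary_swapped": mi.receive(swapped),
        "injected": mi.receive(injected),
        "replayed": mi.receive(legit),           # the same valid message sent twice
        "accepted_count": len(mi.accepted),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would add: a symmetric MAC proves the message came from a holder of the key, which is enough against a network-level attacker but not against an insider on the back office itself, and it gives no non-repudiation between the two parties (the "non-repudiation of messages" review item above calls for per-originator digital signatures). TLS on the link does not replace this control, because the attacks in the scenarios sit at an endpoint or inside the secure zone where TLS terminates.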
Security – Illustrative Threat Modelling and Test Scenarios (STRIDE)
Spoofing
• An attacker spoofs the IP address of an operator to gain access to the payment system applications
• An operator clicks on a malicious link in an e-mail, unknowingly downloading malware which compromises the local PC
Tampering
• An advanced attacker modifies the executable of the messaging interface and is not detected because software integrity checking has not been implemented
• A lack of database integrity checking allows targeted malware to delete database records while performing unauthorised transactions
• A malicious version of a software update is installed because the checksum was not verified at the time of download
Repudiation
• An attacker positioned between the back office and the messaging interface injects unauthenticated transactions
• An attacker mounts a man-in-the-middle attack to change the beneficiary accounts of valid SWIFT transactions
• An attacker with network access to the secure zone compromises the integrity of transactions in transit between the messaging and communication interfaces
Information Disclosure
• Unencrypted backups of payment system servers are transmitted over an insecure network connection, giving an adversary read access to all recent messaging traffic records
• Information disclosure due to poorly configured systems
Denial of Service
• Exploit existing vulnerabilities on payment system servers to perform a denial of service attack
• Physically shut down SWIFT servers to cause denial of service
• Create multiple messages to overwhelm the payment system server and cause denial of service
Elevation of Privilege
• Attackers gain administrative access to an operator's PC, allowing them to compromise the local account database and reuse the stored hashes to access other systems
• An attacker performs surveillance on an unencrypted operator session and steals credentials to create a fraudulent SWIFT transaction
• An operator with excess administrative privileges deletes logs and other forensic evidence to hide unauthorized actions
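Two of the Tampering scenarios above (the replaced messaging-interface executable that goes unnoticed for lack of software integrity checking, and the malicious update accepted because its checksum was never verified) and the "file integrity checks" item in the ATM review list share one control. The following is an added example written for this page, not KPMG's or any vendor's product: a keyed file-integrity baseline, so that an attacker who can rewrite the binaries cannot also rewrite the baseline to match, plus a constant-time check of an update package against a checksum obtained out of band. The directory layout, file contents and BASELINE_KEY are constructed for the demonstration.

```python
"""Keyed file-integrity baseline plus update checksum verification (added example)."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hypothetical key held by the monitoring host, not by the monitored server.
BASELINE_KEY = b"constructed-baseline-key-not-for-production"


def keyed_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file's contents, streamed so large binaries are fine."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Map of relative path -> keyed digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): keyed_digest(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict, key: bytes) -> dict:
    """Compare the live tree with the baseline; report modified, added and removed files."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def verify_update(package: bytes, expected_sha256: str) -> bool:
    """Accept an update only if its SHA-256 equals the value obtained out of band
    from the vendor (signed release notes, vendor portal over TLS), never a
    checksum served next to the download itself."""
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def run_demo() -> dict:
    """Build a baseline, simulate the attacker from the scenarios, and check both controls."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "msgif.exe").write_bytes(b"original messaging interface binary")
        (root / "bin" / "routing.ini").write_bytes(b"[routing]\nqueue=OUT\n")
        baseline = build_baseline(root, BASELINE_KEY)
        # Attacker replaces the executable and drops a cleanup script.
        (root / "bin" / "msgif.exe").write_bytes(b"trojanised messaging interface binary")
        (root / "bin" / "cleanup.bat").write_bytes(b"del logs\\*.log\r\n")
        report = check_integrity(root, baseline, BASELINE_KEY)
    genuine = b"vendor update package 2.1 (constructed)"
    published = hashlib.sha256(genuine).hexdigest()   # value received out of band
    return {
        "report": report,
        "genuine_update_ok": verify_update(genuine, published),
        "tampered_update_ok": verify_update(genuine + b"\x00backdoor", published),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is where the key and the baseline live: if both sit on the messaging server, an attacker with administrative access simply regenerates them after swapping the binary, which is exactly the undetected modification the scenario describes. Run the check from a separate host, and treat "added" entries in the report with the same urgency as "modified" ones, since cleanup scripts and droppers show up there.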
API Security
APIs in the Banking System and Review Areas
Review Areas
• Confidentiality
  • Transport confidentiality
  • Message confidentiality
• Authentication
  • Server authentication
  • User authentication
• Message integrity
• Authorization
• Validation
  • Schema validation
  • Content validation
• Availability
  • Message throughput
  • XML denial of service protection
Account Access APIs
• Information
• Balance
• Transactions
• Beneficiaries
• Standing orders
• Direct debits
• Products
Payments APIs
• Fund transfer
• Immediate payment transfer
• Push payment service
• Retail loans from third parties
ATM APIs
• Service access point APIs: read-only APIs for the ATM locator and branch locator
• Static APIs for postal address, locations etc.
Bank Product APIs
• These APIs are used to access details about the various products offered by the bank. It is an open data API.
API Security Testing Approach
API Workflow
Diagram: the client sends an API request (SOAP or REST format) carrying a token / authentication key; the API server queries the database and returns the response to the client.
Common Web Service Threats:
1. SQL Injection
2. XPath Injection
3. External Entity Attacks
4. MITM attacks
5. DoS
6. Improper error handling
7. Broken Access Control, etc.
Approach:
Analysis
►Analyse the business process: assets, users, entry points, scope of the testing
►Understand the web service and its purpose
►Define security threats: CIA, general web service threats
Penetration Testing
►Find general vulnerabilities manually using the client-provided WSDL file, securing input to the application and output of the application
►Perform automated pentest activities using tools like SoapUI, Postman, SOAtest, etc.
►Identify all the vulnerabilities obtained in the manual and automated testing process
Reporting
►Prepare a detailed consolidated report with observations, severity levels and recommendations for all the vulnerabilities uncovered
►Present all findings to the respective stakeholders
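The "External Entity Attacks" and "DoS" threats listed above, together with the schema validation, content validation and XML denial of service items in the review areas, all land on the same piece of server code: the routine that turns an inbound SOAP/XML request into business fields. The following is an added example written for this page, not KPMG's code and not the behaviour of SoapUI, Postman or any other tool named above. It bounds the request size, refuses DTD and entity declarations before the parser ever sees them (so XXE and entity-expansion payloads are rejected regardless of how the underlying expat build treats entities), caps nesting depth, and accepts only the expected fields with validated content. The envelope layout, the field names (AccountId, Currency), the limits and the sample requests are constructed for the demonstration.

```python
"""Hardened parsing of an inbound SOAP/XML balance request (added example)."""
import re
import xml.etree.ElementTree as ET
from io import BytesIO

MAX_BYTES = 64 * 1024          # payment requests are small; anything larger is suspect
MAX_DEPTH = 12                 # envelope/header/body/operation/fields never go deeper
ALLOWED_CURRENCIES = {"NPR", "USD", "EUR"}
ACCOUNT_ID = re.compile(r"^[0-9]{10,16}$")


class RejectedRequest(ValueError):
    """Raised for any request that fails validation; the message is safe to log."""


def local_name(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def parse_balance_request(raw: bytes) -> dict:
    """Validate and extract a GetBalance request; raise RejectedRequest otherwise."""
    if len(raw) > MAX_BYTES:
        raise RejectedRequest("oversized request")
    lowered = raw.lower()
    # Refusing DOCTYPE/ENTITY up front blocks XXE and billion-laughs payloads
    # independently of the parser's own entity-expansion behaviour.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise RejectedRequest("DTD or entity declaration not allowed")
    depth = 0
    fields = {}
    try:
        for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    raise RejectedRequest("nesting too deep")
            else:
                depth -= 1
                name = local_name(elem.tag)
                if name in ("AccountId", "Currency"):
                    fields[name] = (elem.text or "").strip()
    except ET.ParseError as exc:
        raise RejectedRequest(f"malformed XML: {exc}") from None
    # Content validation: required fields present and well-formed.
    if not ACCOUNT_ID.fullmatch(fields.get("AccountId", "")):
        raise RejectedRequest("invalid or missing AccountId")
    if fields.get("Currency") not in ALLOWED_CURRENCIES:
        raise RejectedRequest("invalid or missing Currency")
    return fields


def classify(raw: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        parse_balance_request(raw)
        return "ok"
    except RejectedRequest as exc:
        return str(exc)


# Constructed sample requests.
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance xmlns="urn:example:bank">
    <AccountId>0123456789012</AccountId><Currency>NPR</Currency>
  </GetBalance></soap:Body>
</soap:Envelope>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><AccountId>&xxe;</AccountId><Currency>NPR</Currency></GetBalance></soap:Body>
</soap:Envelope>"""

DEEP = b"<a>" * (MAX_DEPTH + 5) + b"</a>" * (MAX_DEPTH + 5)


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("xxe", XXE), ("deep", DEEP)):
        print(label, "->", classify(sample))
```

Note that the rejection messages name the rule that fired but never echo the offending content, which keeps the "improper error handling" item above from turning the validator itself into an information leak; and that whitelisting the two expected elements means an attacker cannot smuggle extra operations or parameters past the schema check by adding elements the handler was not written to expect.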
API Security Testing – Illustrative Scenario – Sensitive Data Extraction
Objective: Extract sensitive user details such as credit score from the application
Status: ■ Successful
1. The attacker discovers that the banking mobile application communicates with the server over API calls.
2. The test team accesses the mobile application, which communicates with the banking application server through a RESTful API.
3. The application allows retrieval of account information for the authorized person who has logged in. The attacker manipulates the request parameters and fetches additional information stored in the database, not only for the current user but for other customers as well.
4. Sensitive user information accessed from the bank database: email address, CIBIL score, first name and last name.
API Security Testing – Illustrative Scenario – Logic Bypass
Objective: Make a successful fund transfer through an unauthorized user account
Status: ■ Successful
1. The attacker initiates a fund transfer request through a compromised netbanking account.
2. The attacker manipulates the HTTP request to draw the funds from the victim's bank account instead.
3. The application server checks the beneficiary account number.
4. The transaction is forwarded to the bank server for validation.
5. The funds are transferred from the victim's bank account to the attacker's account, since the application does not perform logic validation: it checks the beneficiary but never verifies that the logged-in user owns the account being debited.
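Both illustrative scenarios above, and the "manipulated backend API request" step of Channel #1, are the same defect: the handler trusts an account identifier supplied in the request instead of deriving it from the authenticated session. The following is an added example written for this page, not KPMG's code and not any bank's API. It places the vulnerable handlers beside the hardened ones so the test team's manipulation can be run against each: the vulnerable read returns another customer's profile (including the credit score), the vulnerable transfer debits the victim, and the hardened versions refuse both while still serving the caller's own accounts. The users, account identifiers, balances and profile fields are constructed for the demonstration.

```python
"""Object-level authorization for account reads and fund transfers (added example)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    owner: str              # authenticated user id that owns this account
    balance: int            # minor units (paisa), avoids float rounding
    profile: dict = field(default_factory=dict)


class BankApi:
    def __init__(self):
        # Constructed data: the attacker owns A-ATT, the victim owns A-VIC.
        self.accounts = {
            "A-ATT": Account("A-ATT", "attacker", 1_000,
                             {"name": "Mallory", "email": "m@example.test"}),
            "A-VIC": Account("A-VIC", "victim", 500_000,
                             {"name": "Alice", "email": "alice@example.test", "cibil": 790}),
        }

    # ---- vulnerable handlers: the account id in the request is taken at face value ----
    def account_info_vulnerable(self, session_user: str, account_id: str) -> dict:
        return self.accounts[account_id].profile          # no ownership check at all

    def transfer_vulnerable(self, session_user: str, from_id: str, to_id: str, amount: int) -> str:
        src, dst = self.accounts[from_id], self.accounts[to_id]
        src.balance -= amount                              # who owns src is never asked
        dst.balance += amount
        return "transferred"

    # ---- hardened handlers: ownership is resolved from the session before anything else ----
    def _owned(self, session_user: str, account_id: str) -> Account:
        acct = self.accounts.get(account_id)
        # Same error for 'does not exist' and 'not yours', so ids cannot be enumerated.
        if acct is None or acct.owner != session_user:
            raise PermissionError("account not accessible to this user")
        return acct

    def account_info(self, session_user: str, account_id: str) -> dict:
        return self._owned(session_user, account_id).profile

    def transfer(self, session_user: str, from_id: str, to_id: str, amount: int) -> str:
        src = self._owned(session_user, from_id)           # the debit side must belong to the caller
        dst = self.accounts.get(to_id)
        if dst is None:
            raise ValueError("unknown beneficiary")
        if amount <= 0 or amount > src.balance:
            raise ValueError("invalid amount")
        src.balance -= amount
        dst.balance += amount
        return "transferred"


def run_demo() -> dict:
    """Run the attacker's manipulated requests against both handler sets."""
    out = {}
    api = BankApi()
    # Scenario 1: the attacker's own session requests the victim's account id.
    out["vuln_read_leaks_cibil"] = api.account_info_vulnerable("attacker", "A-VIC").get("cibil")
    try:
        api.account_info("attacker", "A-VIC")
        out["hardened_read"] = "leaked"
    except PermissionError:
        out["hardened_read"] = "denied"
    # Scenario 2: the attacker edits from_id in the transfer request to the victim's account.
    out["vuln_transfer"] = api.transfer_vulnerable("attacker", "A-VIC", "A-ATT", 400_000)
    out["victim_balance_after_vuln"] = api.accounts["A-VIC"].balance
    api = BankApi()                                        # fresh balances for the hardened run
    try:
        api.transfer("attacker", "A-VIC", "A-ATT", 400_000)
        out["hardened_transfer"] = "transferred"
    except PermissionError:
        out["hardened_transfer"] = "denied"
    out["victim_balance_after_hardened"] = api.accounts["A-VIC"].balance
    out["own_transfer"] = api.transfer("attacker", "A-ATT", "A-VIC", 500)   # legitimate use still works
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two points worth checking during a review of this kind: the ownership check has to run in the server-side handler, because the mobile application's own validation is under the attacker's control and an OTP only proves the session is genuine, not that the account in the request belongs to it; and the beneficiary check the application did perform is not a substitute, since the scenario's transfer names a perfectly valid beneficiary (the attacker's own account).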
Your Concerns.
© 2019 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be
no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Thank you