Learnings from Cosmos Bank ATM and SWIFT cyber theft

The news of the cyber-attack on Cosmos Bank servers, resulting in syphoning of Rs. 94 crore to foreign bank accounts broke open on August 14, 2018. Within minutes, this turned out to be a major headline for the day on news media.
Post-attack Analysis

The analysis shows that hackers installed a proxy server in the bank network, which approved all Visa/Rupay card transactions, bypassing the actual approval mechanism. Truly, a creative approach to stealing by sophisticated programmers, having a detailed understanding of the communication protocol between the credit card and bank network.

During earlier security audits, vulnerabilities in the systems were already highlighted, and the institution was in the process of making a plan to overcome them. More often, businesses do not have the resources and the budget to invest in issues that show no apparent profit on the balance sheet.

While the blame game between the concerned agencies has already begun, we need to sit back and ponder over what really happens in a real-world environment.

It all Starts with an Idea

In the constant fight to gain market share, and retaining customers, every business is constantly on the lookout for introducing new services, improve existing services, and lower the costs. Each of these objectives is fair and extremely necessary in this competitive environment.

The first mover for a new idea is looked upon as the industry leader. The others are forced to come up with similar products lest they get left behind in the race. Ideas win approvals in the boardrooms, and a stringent timeline for its introduction to the market is set.

Race Against Time

The business heads get down to discussions with the IT teams and start cracking the puzzle on the integration, implementation and security. After a few rounds of internal negotiations, a project plan gets approval and the race against time begins.

The Launch

Sooner or later, the idea is converted into an IT-enabled product or service. With great fanfare and a series of outreach campaigns, the service enhancement reaches the targeted users. The early days of the product involve close monitoring across all levels. Once the initial frenzy is over, the product enters a maintenance phase, while the teams move on to the next big idea.

This business development cycle continues over months and years.

Maintenance Phase

Products which are no longer in the limelight may not be as not important any more for the business, but still must be continued. The pace of innovation and updates to dated products start decreasing.

The Beginning of the End

One thing which does not figure in the priority of the business is the time and resources required to maintain and update not just the application, but also the entire environment under which it resides.

Nobody wants to disturb a working system. Trivial tasks like the weekly OS updates also get held up, as the engineers are not sure if things will break. Test environments are available at larger companies, but it still is a lot of “unprofitable” work to do especially if the target application is no longer a priority for the business. The next stumbling block is if compatibility issues are found with updates. This involves going back into development mode.

Senior developers do not have the bandwidth to look into these issues, as they are busy chasing the next big idea deadline. Finally, the list of such unpatched security assets keeps rising week after week.

Security is only as Strong as its Weakest Link

In the connected world, there are dozens of ways in which a malicious software can gain access into an internal environment, and cause costly damages. With the sophistication in malware, and its ability to stay hidden for long periods, coupled with the gullibility of the majority of the non-IT workforce engaged in a business, the risks have only risen multi-fold.

Will Systems Security get its Due?

Security remains a buzzword, which is used when convenient. In the boardrooms, the marketing, business and finance heads play a dominant role in shaping the organisation’s future, while the technology heads are usually looked upon as executors, and cost centres.

Will businesses ever make this change in mindset and understand these gaps.

Will systems security ever appear among one of their prime objectives, and be assigned resources needed to maintain it?

Will the need for security audits move away from a mere compliance objective?

About InterPole

InterPole was established in 1996 and has been engaged in web hosting, email, and management of IT infrastructure. InterPole pioneered with Virtual Private Servers in 2004 and Cloud Hosting in 2008. Over the years, InterPole has worked with over 6200 mid-sized businesses and startups, and have assisted them in their journey towards the adoption of modern technologies through the Internet. InterPole is a Standard Consulting Partner of Amazon AWS and Microsoft Azure. With this partnership, provides Managed AWS service and maintains a team of engineers who are trained and certified for the specific cloud platforms. These benefits companies in defining their cloud strategy and making a well-planned journey, reliably and cost-effectively.