What are the risks of allowing people to use their smartphone at the bank?
From time to time, our readers raise questions or issues related to topics that concern, or simply interest them. One such issue was brought up recently by a Twitter user, who asked us: “Do you have any posts discussing the risk to banks when people use their cell phone inside them, ignoring the security guards?”
We think this is a very interesting question and one that can apply to practically any corporate environment, not only banks, so we are going to try to answer it in this article.
Corporate WiFi networks
If we look at the specific scenario suggested to us by the user, we can think of one interesting attack vector which an attacker could use to access the internal network at the bank.
If we put ourselves in the shoes of this attacker (who could quite easily be someone like Elliot, the lead character of the TV series Mr. Robot), the first thing we'd try would be to see if we could connect to any of the WiFi networks that the bank in all likelihood has.
It wouldn't be unusual to find a number of networks within range, and it's quite likely that at least one of them would be identified as belonging to the bank or as exclusively for staff.
What you'd be less likely to see these days would be if those networks did not require a password or if they were using an obsolete encryption system like WEP. It's not 2010 anymore and so it is highly likely that most of the WiFi networks we would have in range would use WPA2 encryption or better.
In these circumstances, the chances of being able to access this corporate network from our cell phone are considerably reduced, although there is still the possibility of the attacker succeeding if the bank in question has a guest network that is not configured correctly. Guest networks are precisely that: networks that provide connectivity to people visiting the place temporarily.
Depending on how the guest network was set up and whether it was segmented correctly or not, the attacker may succeed, or they may have to seek out alternatives.
If the network was not isolated as it should be, they will be able to switch to the company's critical systems and see whether they have robust security measures, or whether they are at the mercy of the attacker, who may be able to connect to them in order to carry out malicious activity.
So, the possibility to launch an attack from a cell phone connected to a bank's WiFi network will depend largely on what security measures the bank in question has implemented.
From personal experience, at least based on the banks I've checked from time to time which had WiFi access points, this security tends to be robust. However, as we will see below, there are other methods of attack using cell phones and other devices.
Gathering information about the environment
Once the attacker has established that there is nothing they can do through the WiFi network, they will probably use their smartphone for other purposes. One of the simplest ways, but which is very useful for gathering information, consists in using the cell phone's camera to take photos and videos of anything that might be of interest to the attacker.
Capturing images showing which software is used by the employees, which ports are accessible on the PCs used when serving customers, any network outlets that might be accessible, identification plates, or even filming when and how the security guards change shift—all these actions can be very useful for someone planning a future attack.
Furthermore, if the device has NFC capabilities, the attacker can try their luck and see if they can capture the data from any staff ID card which might give them access to restricted areas used only by employees. This would be risky when it comes to actually entering the area, but it wouldn't be the first time somebody tried it.
Moving on to more specialized types of devices, one kind available is known as a “WiFi Pineapple”, which the attacker can use to create a fake access point and see if any employees try to connect to it, monitoring their connections, and trying to capture passwords for accessing the bank's internal systems.
Otherwise, they could try to pass themselves off as a customer and approach an employee with some kind of query, in order to then take advantage of a moment of carelessness when, if the employee's computer has a USB port free, they can plug in a “Rubber Ducky” device, which then executes the commands necessary to steal as much information as possible.
They could also try to get the computer to download some malicious code from an online archive pre-configured by the attacker, using for such purposes either a ready-made payload or one they created themselves.
All of the above involve one major hurdle for the attacker, and that is that they would have to go in person to the actual branch of the bank they want to attack. The security cameras could be used against them if the video recordings are analyzed after discovering the attack, and for that reason, attacks that manage to infiltrate banks' and other companies' corporate networks tend to be executed remotely.
Let's take as an example some of the cases discovered over the last few months. The attacks on Russian banks began with an email being sent—one that was very well prepared and aimed at bank employees. The apparently innocent Word document actually contained a malicious macro which performed a connection to an external server controlled by the attackers, from where additional modules were downloaded which were used to control and spy on the infected systems and enter the corporate network.
Another, more elaborate case was one that affected more than 20 Polish banks. On that occasion, the attackers managed to compromise the official website of the Polish financial regulatory agency, which is visited frequently by employees of various Polish banks, who were unwittingly infecting their work computers with malware.
The short answer for the user who asked us about the risk to banks that allow customers to use smartphones while inside their premises is that this risk depends largely on the corporate security policies implemented, especially those related to network security and segmentation.
On the question of whether we are going to see attacks of this style using cell phones as the main tool in the attack, we would not rule it out, but cybercriminals know they can get much greater benefits without needing to expose themselves so much by attacking banks remotely, and we don't think that trend is likely to change any time soon.