Banks, traditionally the main target for cybercriminal groups, are now being attacked not only by new online hacking techniques but also by a growing range of physical hacking tools and techniques. While financial institutions have high levels of cybersecurity and strong physical security, they currently face a growing threat from combined physical and digital assaults.
“Physical security and cybersecurity convergence in the business environment. A favorite weapon in the hacker arsenal is the Flipper Zero, an inexpensive pocketable device that enables you to hack into nearby smartphones and IT systems,” says Tim Grieveson, Senior Vice President of Global Cyber Risk, BitSight.
Billed as the Flipper Zero Multi-tool Device for Geeks, Flipper Zero is a portable multi-tool designed “for pen testers and geeks in a toy-like body.” It is freely available online for £171 (US$217).
“It [the Flipper Zero] loves hacking digital stuff like radio protocols, access control systems, hardware, and more. It’s fully open-source and customizable, so you can extend it in whatever way you like,” claim its makers.
Other physical hacking devices include the “Pineapple,” which is priced online at US$140. These small portable devices enable threat actors to sit in a location such as the lobby of a business hotel or coffee shop and execute “man-in-the-middle” attacks by hijacking users’ Wi-Fi connections. This poses a particular threat to banking staff who are traveling or working remotely.
Another device, the “Bash Bunny,” widely available online at around US$100, is a USB stick that emulates combinations of trusted USB devices such as gigabit Ethernet, flash storage, and keyboards. It uses that trust to fool computers into divulging data, and to exfiltrate documents and install backdoors and other exploits. A single Bash Bunny inserted into an unguarded PC or laptop can provide access to all of the bank’s systems. A physical intrusion into the bank’s premises by a threat actor becomes all the more dangerous if he or she is equipped with such a device.
Grieveson adds: “Another type of digital attack combined with a physical one would be for a threat actor to set off fire alarms in an office building, as people are generally instructed to leave their PCs and laptops on their desks and head straight for the exits, which are generally clearly displayed on the wall for the benefit of the threat actor.”
Remote SIM swaps can take over your smartphone
According to Elijah Jackson, Blockchain Industry Commentator at MyChargeBack: “The finance industry is never totally secure. Opening up your internet is never 100 percent safe… A lot of people don’t like two-factor authentication. But even with your phone, you are not 100 percent safe. SIM swaps can take over your phone if your number is out there anywhere and you are targeted by social engineering.”
Online fraud can also be combined with a respectable physical presence to evade the authorities while maintaining a credible façade.
According to Jackson: “A couple of years ago, the respected Spanish newspaper El Pais reported that Spain had become one of the world’s main centers of Forex scams. By then, police in Catalonia had identified 407 fake Forex sites that were targeting investors. Forget about geeks operating from their bedrooms. One suspected Forex scam actually sponsored a Spanish football team for three seasons.”
Online criminality assists in kidnapping, murder and gun-running
The convergence of physical and cyber threats is also evident in regions where digital criminality is used to assist and fund a whole range of traditional physical crimes.
“The Golden Triangle in northeastern Myanmar, northwestern Thailand, and northern Laos was identified 50 years ago by INTERPOL as an international crime center that attracted every type of actor that you can imagine. Today, it is a cybercrime capital, and the UN has published credible reports that the crypto scams based there also engage in kidnapping, murder, and drug running,” adds Jackson.
As well as constantly updating their cybersecurity, banks now need to keep equally ahead of increasingly sophisticated threat actors using physical points of entry such as smartphones and laptops to hack into their systems.