The third-party service provider where Nedbank recently detected a security breach appears to have had glaring holes in its defences, a security researcher told MyBroadband.
Nedbank recently disclosed to clients that it discovered a security breach at a third-party service provider called Computer Facilities.
Computer Facilities sends SMS and email marketing on behalf of Nedbank.
Personal information, including the names, ID numbers, telephone numbers, physical addresses, and email addresses of Nedbank clients, was compromised in this breach.
The bank stated that 1.7 million clients were affected by the breach, of which 1.1 million are active clients.
Nedbank CEO Mike Brown said in an interview that the bank has done everything in its power to contain the incident.
“We have been on the premises of the supplier. You will see that we have agreed with them that they have shut themselves off from the Internet. We deleted all the Nedbank data off their servers,” he said.
Brown said that Nedbank sent campaign data to Computer Facilities in an encrypted format. It appears that the data was then decrypted and stored in plain text.
He emphasised that none of Nedbank’s systems were compromised. The accounts of people whose data was compromised are being monitored for fraud.
More people’s data may be compromised
Brown said that not only Nedbank data was compromised in the attack on Computer Facilities’ systems.
“Obviously they have other data as well,” he said.
No details about the other data that was compromised have been revealed.
Brown also noted that they don’t yet know if any of the data compromised in the security breach will be leaked onto the public Internet.
In the interim, Nedbank will assume that all the data sent to Computer Facilities has been completely compromised.
The danger of data leaks
While no bank account numbers, PINs, or passwords were compromised in this breach, the personally identifying information alone is a useful tool for criminals.
Brown said that in other scenarios where this kind of data has been exposed, criminals have used it to launch social engineering attacks against banking clients.
In these targeted attacks, criminals try to get other data from banking clients like their bank account number, PIN, or password by calling them and pretending to be from Nedbank.
Information security firm SensePost has also demonstrated how this data can be used to launch social engineering attacks against the institutions themselves.
Bank call centres often ask clients to confirm their ID numbers, contact information, and address as part of their security check. The data at Computer Facilities that was compromised contained this information.
Lax security procedures
A security researcher who spoke to MyBroadband on condition of anonymity provided information suggesting that security at Computer Facilities was lax.
Email addresses belonging to Computer Facilities staff come up in data leaks of usernames and passwords, and the passwords are extremely weak. Some are simple dictionary words and others are words followed by a short series of digits.
Passwords exposed in unrelated leaks do not necessarily reflect the password policies in force on the Computer Facilities systems that were breached.
However, the researcher said it is an indicator of staff that are poorly educated in proper security practices – not unlike many other corporate users in South Africa.
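The pattern the researcher describes (a dictionary word on its own, or a word followed by a short run of digits) is easy to check for mechanically, and it is the kind of check a company can run against its own credential-exposure findings before the data is used against it. The following is an added example and not code from MyBroadband, the researcher, or Computer Facilities. The wordlist, the leet-substitution table, and the credential lines are all constructed for illustration; a real check would load a full breach wordlist from a file.

```python
import re

# Constructed mini wordlist standing in for a real dictionary/breach list.
WORDLIST = {"password", "summer", "welcome", "admin", "letmein", "computer", "facilities"}

# Common character substitutions that add no real strength (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Split a candidate into a base and a trailing run of 0-4 digits
# ("summer2019" -> "summer", "2019"; "p4ssw0rd" -> "p4ssw0rd", "").
WORD_THEN_DIGITS = re.compile(r"^(.+?)(\d{0,4})$")


def classify(password: str) -> str:
    """Label the weakness pattern a password matches, or 'ok' if none does."""
    p = password.lower()
    if p.isdigit():
        return "digits-only"
    m = WORD_THEN_DIGITS.match(p)
    base, digits = m.group(1), m.group(2)
    if base in WORDLIST:
        return "word+digits" if digits else "dictionary-word"
    # Undo leet substitutions on the base only, so "P4ssw0rd" -> "password".
    if base.translate(LEET) in WORDLIST:
        return "leet-substitution"
    return "ok"


# Constructed lines in the usual "email:password" dump format.
SAMPLE_LEAK = """\
alice@example.com:Summer2019
bob@example.com:welcome
carol@example.com:P4ssw0rd
dave@example.com:xT9#vq!Lm2wz
""".splitlines()


def audit(lines):
    """Return (email, weakness) pairs for every credential that matches a weak pattern."""
    findings = []
    for line in lines:
        email, _, pw = line.partition(":")
        label = classify(pw)
        if label != "ok":
            findings.append((email, label))
    return findings


if __name__ == "__main__":
    for email, label in audit(SAMPLE_LEAK):
        print(f"{email}: {label}")
```

Only `dave@example.com` passes; the other three fall into exactly the classes the researcher described. A match here says nothing about the policy on the breached servers, as noted above, but a staff member whose leaked password is "Summer2019" is a reasonable candidate for retraining and for a forced reset on every account that accepts that address.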
In addition to weak passwords, the researcher also found several old security vulnerabilities on Computer Facilities’ web servers.
The vulnerabilities were: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730, CVE-2010-3972, CVE-2012-2531, and CVE-2012-2532.
These vulnerabilities could allow an attacker to crash the web server and gain information about the workings of Computer Facilities’ systems.
One particular vulnerability, CVE-2010-1256, could allow an attacker to gain administrator access under certain conditions.
The researcher explained that the Nedbank attack is an excellent example of how criminals think.
There is no need to attack the bank’s systems to obtain information about its clients if you can attack a supplier whose security is weak.
For example: attackers who stole movies and upcoming episodes from TV shows to hold for ransom didn’t go after the film studios directly, they hit the smaller post-production companies to which work was outsourced.
MyBroadband asked Computer Facilities for comment on the information received from the security researcher.
The company’s managing director said it was not fair to label their security as lax or ask them to comment on the allegations of our anonymous source until they had an incident report.
Computer Facilities said they were waiting for a full security report from Group IB that covers all aspects of the breach, including remediation steps required.
The report was due in the last week of February. MyBroadband followed up with Computer Facilities for an update regarding the incident report, but received no further response from the company.
Nedbank – Incident Response Report
Nedbank provided MyBroadband with the following statement following the conclusion of the incident response report it commissioned.
The Incident Response Report concluded that adversaries gained access to a server at Computer Facilities which held client data. Access was gained via remote services and insufficient server hardening.
The adversaries discovered, collected and disseminated the data from the compromised host. No lateral movement to other hosts in the infrastructure was discovered.
The incident has been contained on the network and forensic analysis confirmed that only the one host was compromised during the course of the incident.