Financial Times, September 20, 1995, p. 12.

Banks' Security Chains Failed

The Citibank case has highlighted weaknesses in corporate security measures.

By John Mason

Could it happen to us? Banks have been soul-searching about their security systems in response to the alleged computer hacking fraud on Citibank, in which $10m (6.49m pounds) is said to have been removed from client accounts by a young Russian based in St Petersburg.

In public, banks express confidence in their computer security. "It's a shame what happened at Citibank, but it couldn't happen here," is a typical response. However, some industry insiders are concerned that many banks and other commercial organisations are still leaving themselves dangerously open to attack by hackers. Rumours of some banks not admitting to similar breaches only increase doubts.

The full technical picture of what allegedly happened at Citibank is unclear. The largest US bank, unsurprisingly, is reluctant to reveal precisely how Mr Vladimir Levin -- apparently without inside help -- allegedly breached its Wall Street security system from his personal computer in St Petersburg. A UK court will today decide whether to extradite Mr Levin to the US to face trial.

It seems that Citibank was caught out by its technology, which could not match recent developments available to hackers. Citibank's main weakness is known to have been its use of "fixed passwords" to guard its computerised cash management system. This system, dubbed Citicorp Cash Manager, handles transactions totalling $500bn every day.

Cash management systems, which provide customers with access to their accounts so that they can make transfers, are inherently vulnerable to hackers because by definition they allow third-party access. In the case of Citibank, access to the cash management system could be gained via telephone lines from anywhere in the world using a computer.
Until the incident, Citibank's system used fixed or permanent passwords, where the customer has only to enter a name and a regular password to gain entry to the system. However, security experts now agree that this technology has been rendered ineffective at guarding high-risk systems by the proliferation of modem communications devices attached to powerful PCs providing access to the Internet.

Hackers now have ready access to sophisticated software including "sniffers" -- programs used by network managers which allow them to look at and capture information on networks. These give hackers access to huge quantities of information -- including directories of passwords. The hackers can then take their pick of which password to use. With bank cash management systems, this virtually amounts to giving a hacker the choice of which client account to loot.

There are a number of steps banks and other security-conscious computer network operators can take to defend themselves against unauthorised intruders. The main option -- and that introduced by Citibank since the Levin incident -- involves the use of encrypted passwords that can be used only once. A "smart card" issued to each customer contains a sequence of passwords so that a different one is used each time. This password is then encrypted or scrambled into a form that is, its manufacturers claim, unreadable to anyone "surfing" the Internet. The main computer then deciphers the signal and, able to recognise the sequence of changing passwords, lets the genuine user into the system. Because each password is valid for a single session, a password captured by a sniffer is of no use by the time the attacker tries to replay it.

The chances of someone guessing one of Citibank's passwords are now one in 11m, says Mr Tom Brady of Enigma Logic of Concord, California, which supplies this technology to Citibank. The bank's previous fixed password technology, by contrast, meant breaking the password system was relatively straightforward, he says.

Concern centres on how quickly banks and others have reacted to technological change.
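The contrast the article draws, a sniffed fixed password that can be replayed at will against a sequence-based one-time password that dies after a single use, is easier to see in code. The following is an added example and is not Citibank's or Enigma Logic's system: it uses a generic counter-based scheme (password n = HMAC(token secret, n), with the server remembering the highest counter it has accepted) as a stand-in for the smart-card sequence described above, and the user name, credentials and token secret are constructed for the demonstration.

```python
"""Added example: replay of a sniffed fixed password versus a sequence-based
one-time password. Constructed toy, not Citibank's or Enigma Logic's code."""
import hashlib
import hmac
import secrets


class FixedPasswordServer:
    """The same password is sent on every login, so one sniffed copy works forever."""

    def __init__(self, users):
        # Salted hashes at rest are good practice but do nothing about a copy
        # captured on the wire: the wire still carries the reusable secret.
        self._users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, hashlib.sha256(salt + pw.encode()).digest())

    def login(self, name, password):
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(
            digest, hashlib.sha256(salt + password.encode()).digest())


class SequenceOTPServer:
    """Password number n is HMAC(secret, n). The server tracks the highest
    counter it has accepted per user, so any captured password is dead after
    one use and can only be replayed into a rejection."""

    WINDOW = 5  # tolerate a few codes skipped on the token side (assumption)

    def __init__(self, secrets_by_user):
        self._secret = dict(secrets_by_user)
        self._last = {name: 0 for name in secrets_by_user}

    @staticmethod
    def otp(secret, counter):
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") % 10**8  # 8-digit code

    def login(self, name, code):
        if name not in self._secret:
            return False
        last = self._last[name]
        for c in range(last + 1, last + 1 + self.WINDOW):
            expected = str(self.otp(self._secret[name], c)).zfill(8)
            if hmac.compare_digest(expected, str(code).zfill(8)):
                self._last[name] = c  # advance: this and all earlier codes now invalid
                return True
        return False


class SequenceToken:
    """The customer's card: same secret as the server, a counter it advances."""

    def __init__(self, secret):
        self._secret = secret
        self._counter = 0

    def next_code(self):
        self._counter += 1
        return SequenceOTPServer.otp(self._secret, self._counter)


def replay_demo():
    """Run both schemes against a sniffer that copies the first login it sees."""
    results = {}

    fixed = FixedPasswordServer({"acme": "hunter2"})   # constructed credentials
    captured = ("acme", "hunter2")                      # what the sniffer records
    results["fixed_genuine"] = fixed.login("acme", "hunter2")
    results["fixed_replay"] = fixed.login(*captured)    # attacker gets in

    secret = b"constructed-demo-token-secret"           # constructed token secret
    otp_srv = SequenceOTPServer({"acme": secret})
    token = SequenceToken(secret)
    code = token.next_code()
    captured = ("acme", code)
    results["otp_genuine"] = otp_srv.login("acme", code)
    results["otp_replay"] = otp_srv.login(*captured)    # rejected: counter already used
    results["otp_next"] = otp_srv.login("acme", token.next_code())  # real user continues
    return results


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

Note what the one-time scheme does and does not buy: it stops replay of a captured credential, but an attacker who can sit in the customer's session and inject transactions after a genuine login is a separate problem, which is why the article goes on to discuss transfer controls and transaction monitoring.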
Although encryption technology has been available for more than 10 years, it is only now being generally introduced, and usually only for systems with external access. Barclays Bank introduced encryption for computer systems with external access before the Citibank incident occurred. Barclays now feels "fairly comfortable" about the state of its security, says Mr Philip Severs, deputy director of operational risk.

However, it is clear that not every bank has closed the door yet. Mr Severs says the business world is just "on the cusp" of introducing encryption technology. Another security adviser says the measures of one leading US bank, based on both fixed and encrypted passwords, are still considered weak by experts.

Another security specialist employed by a leading international bank says that senior management throughout the industry has sometimes been slow to react to change. "Sometimes people think that their security is adequate simply because it has not been breached in the past. At other times, head offices are warned of the dangers, but fail to act because of cost factors."

Whatever the state of bank security, their experts agree that their customers' awareness of the problem is lower. "Whenever payments are made or orders placed electronically, then a threat exists. The banks are leading on this. Companies are some way behind," says Mr Severs.

But encryption remains only one way of improving security. The alleged hacking incident at Citibank involved more than simply breaching the bank's password system. The US government claims Mr Levin was able to watch corporate clients making numerous transactions before deciding which account to take money from. He also allegedly spotted one security precaution in place and limited each of his withdrawals to under 200,000 pounds ($310,540).

Citibank will not comment on its security measures other than to point to its "smart cards". However, the bank agrees that there was only partial use of another well-established security system -- "predefined" transfer routes. These allow customers to make transfers only to specific, previously agreed bank accounts, so that a hacker who takes over an account can move money only to those destinations and not to one of his own. Citibank offers such an option. However, it is only useful to some customers. The average corporate customer might find it suitable because the number of destination accounts they need is limited. However, for financial institutions making transfers to many accounts, such a system is too cumbersome. Perhaps significantly, one of Mr Levin's alleged victims was an investment company.

Citibank investigators say Mr Levin gave himself away by making a number of "amateurish" mistakes, but admit he was a very sophisticated computer operator, allegedly attempting a particularly elegant fraud. The bank concedes that it still does not fully understand all the technical aspects of how Mr Levin allegedly managed to break in. If and when he is extradited to the US and introduced to that country's plea bargaining system, he will be invited to explain further.

Banking security experts agree that the Citibank episode shows that effective detection systems to track unusual transactions remain essential. In the Citibank case these worked well, enabling the attempted fraud to be nipped in the bud, monitored and losses kept to $400,000. But they agree that even if new technology is introduced, keeping one step ahead of the hackers all the time is just not possible. One with knowledge of the Citibank case comments: "At the end of the day it cannot be done. Essentially, security is about being reactive, not pro-active."

Meanwhile, the Citibank episode provides the most public example yet of how hackers can threaten the integrity of the international banking system. And just as the Barings collapse prompted other banks to review their internal management controls, so Mr Levin's case is having a similar effect on computer security.
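The two controls the article pairs, predefined transfer routes and detection of unusual transactions, can be shown working over a transfer log. The following is an added example written for this page, not Citibank's code: it treats the 200,000-pound figure quoted above as an assumed per-transfer limit, defines "just under" as within 10 per cent of that limit (an assumption), and runs over a constructed log in which a corporate customer with a predefined route list is attacked and a financial-institution customer with no such list sends several near-limit payments to accounts it has never paid before.

```python
"""Added example, not Citibank's code: predefined transfer routes plus a
structuring/velocity rule, run over a constructed transfer log."""
from collections import defaultdict
from datetime import datetime, timedelta

PER_TRANSFER_LIMIT = 200_000          # assumed control, figure taken from the article
NEAR_LIMIT_FRACTION = 0.90            # "just under" = within 10% of the limit (assumption)
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_COUNT = 3                 # this many near-limit, new-beneficiary payments

# Constructed: a customer's predefined destinations. None means the customer
# (here a financial institution) has opted out and may pay any account.
PREDEFINED_ROUTES = {
    "acme-corp": {"ACME-PAYROLL", "ACME-SUPPLIER-1"},
    "brokerco": None,
}


def route_permitted(customer, destination):
    """Predefined transfer routes: reject any destination not on the list."""
    routes = PREDEFINED_ROUTES.get(customer)
    if routes is None:
        return True                   # no list configured: any destination accepted
    return destination in routes


def flag_structuring(transfers, known_beneficiaries):
    """Detection rule: within STRUCTURING_WINDOW, STRUCTURING_COUNT or more
    payments each just under the limit, to beneficiaries this customer has
    never paid before. Returns {customer: total amount of the flagged run}.
    transfers: iterable of (timestamp, customer, destination, amount)."""
    seen = {c: set(b) for c, b in known_beneficiaries.items()}
    recent = defaultdict(list)        # customer -> [(ts, amount)] qualifying payments
    alerts = {}
    for ts, customer, dest, amount in sorted(transfers):
        history = seen.setdefault(customer, set())
        is_new = dest not in history
        history.add(dest)
        near_limit = NEAR_LIMIT_FRACTION * PER_TRANSFER_LIMIT <= amount < PER_TRANSFER_LIMIT
        if not (is_new and near_limit):
            continue
        window = [(t, a) for t, a in recent[customer] if ts - t <= STRUCTURING_WINDOW]
        window.append((ts, amount))
        recent[customer] = window
        if len(window) >= STRUCTURING_COUNT:
            alerts[customer] = sum(a for _, a in window)
    return alerts


# Constructed sample log (timestamps and account labels are invented).
T0 = datetime(1994, 7, 1, 9, 0)
SAMPLE_TRANSFERS = [
    (T0 + timedelta(hours=0), "acme-corp", "ACME-PAYROLL", 150_000),   # normal
    (T0 + timedelta(hours=1), "brokerco", "CUSTODY-FUND-7", 500_000),  # large but routine
    (T0 + timedelta(hours=2), "brokerco", "NEW-ACCT-1", 190_000),
    (T0 + timedelta(hours=3), "brokerco", "NEW-ACCT-2", 195_000),
    (T0 + timedelta(hours=4), "brokerco", "NEW-ACCT-3", 199_000),
    (T0 + timedelta(hours=5), "acme-corp", "ATTACKER-ACCT", 199_000),  # route check stops it
]
KNOWN_BENEFICIARIES = {
    "acme-corp": {"ACME-PAYROLL", "ACME-SUPPLIER-1"},
    "brokerco": {"CUSTODY-FUND-7"},
}


def run_controls(transfers=SAMPLE_TRANSFERS, known=KNOWN_BENEFICIARIES):
    """Apply the route check first, then the detection rule to what got through."""
    blocked = [t for t in transfers if not route_permitted(t[1], t[2])]
    passed = [t for t in transfers if route_permitted(t[1], t[2])]
    return {"blocked": blocked, "alerts": flag_structuring(passed, known)}


if __name__ == "__main__":
    out = run_controls()
    for t in out["blocked"]:
        print("blocked by predefined routes:", t)
    for customer, total in out["alerts"].items():
        print(f"structuring alert: {customer} moved {total:,} in near-limit payments")
```

The point of layering the two is visible in the sample: the corporate customer's attacker transfer never reaches the detection rule because the route list rejects it, while the financial-institution customer, for whom a route list is impractical, is caught by the velocity rule rather than by any per-transfer limit.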
But as one bank security expert says: "It takes an incident like this to prompt people to review their systems. Whether they take action however is a different matter."

-----

Financial Times, September 20, 1995, p. 20.

Netscape flaw may deal blow to Internet security

By Louise Kehoe in San Francisco

A security flaw in Netscape Communications' popular Internet software could deal a serious blow to companies planning to transact business on the Internet, the global computer network.

The flaw, discovered by two computer science students at the University of California at Berkeley, means that financially sensitive data, such as credit card numbers, sent over the Internet using Netscape software could be vulnerable to computer hackers.

"Security is the number one issue" that needs to be resolved if the Internet is to become a medium for large-scale electronic commerce, according to Ms Cathy Medich, executive director of CommerceNet, a consortium of companies that is developing standards and protocols for conducting business on the Internet with backing from the US government.

The security breach is a setback for Netscape, raising concerns about the company's ability to produce reliable secure software. Netscape's so-called secure browsers are used by an estimated 66 per cent of people accessing the World Wide Web, the segment of the Internet where thousands of companies have set up electronic displays of their products. The software had been seen as a breakthrough for electronic commerce, enabling people to buy and sell goods online without fear of their messages being intercepted.

Netscape confirmed that a security loophole has been identified, but said it would offer a free security "patch" by the end of this week on its World Wide Web page (http://home.netscape.com). No losses have been reported as a result of the security breach, Netscape said.

This is the second time that Netscape's encryption has been "cracked".
Last month, a computer expert in France was able to decode the weaker version of Netscape's cyphers, which the company is allowed to export.

The security flaw found by the Berkeley students affects all current versions of Netscape software, including its browsers and server software, the company said. However, next week the company will begin trials of a new version of its browser, which will contain the security patch.

-----