This story is over 5 years old.

How Small Banks Fend Off Hackers

Banks with security teams of just two people have to face up to the same kind of threats as their much larger counterparts.

Recently, hackers have stolen a mind-boggling amount of money from banks, hitting targets in Bangladesh, the Philippines, Ecuador, and Vietnam. These digital heists relied on vulnerabilities in SWIFT, the network used by big banks for international transactions.

Although smaller banks don't necessarily use SWIFT, they still have to face many of the same attacks as their larger counterparts, and with teams as small as two people, they may have their work cut out. After all, attackers don't discriminate, and don't care if the target is a huge, international organization or a smaller, local one: If there's money to be made, hackers will come.

"We do have the threats and the same vulnerabilities that we have to face and remediate," Kirk Crespin, information technology and security officer at Community State Bank in Lamar, Colorado, told Motherboard in a phone call. The bank's sole branch serves about 5,000 customers, with an asset size of $85 million.

"Everyone wears multiple hats here"

Crespin works with just one other person, and he takes around 80 percent of the workload. Although his bank doesn't use SWIFT, the recent attacks were an opportunity to go back over the bank's security in much greater detail.

Tim Doty, information security officer at Ephrata National Bank in Lancaster, Pennsylvania—which serves many members of the local Amish and Mennonite communities—also runs a tiny team of two.

"In my position, I'm both a lead engineer for the security products in place as well as policymaker, and a manager of people and projects," he said. "Everyone wears multiple hats here."

Just like a larger institution, these smaller teams have to deal with online banking, apps, and internal systems, and worry about different avenues of attack.

One common threat is malvertising, which can automatically redirect website visitors to an exploit kit that takes over their computer.

Doty said the ad network of a local news site was once compromised, which led to a machine getting infected. In response, the bank now blocks all adverts, and if a computer is hit with malware, they wipe it.

"If we detect a virus on a machine, we replace it. We reimage the machine, even if the malicious code was successfully removed," Doty said.

"If anti-virus removed a piece of code that it knew was malicious, it doesn't mean that, in today's world of attack packages, it didn't miss 40 other pieces of malicious code that it didn't know about," he added.

Both of these banks use products from cybersecurity company AlienVault for detecting vulnerabilities.

"The human weak link is probably our biggest threat"

Smaller banks might have some advantage over larger ones, though. Hackers may scan the banks' web presence for vulnerabilities, but because the organizations are so tiny, there might not be all that much for an attacker to take advantage of.

"We don't have a big external presence; our website and all that is hosted by a third party," Doty said. "So the only thing we have that is directly connected to the internet is email. It makes all those scanning attacks pretty ineffective against someone like us."

But that email system is home to the banks' main weakness: phishing emails to bank employees. "The human weak link is probably our biggest threat that we have to watch," Crespin said.

Phishing emails make up the bulk of attacks, according to both Crespin and Doty. An example could be an email claiming to contain an invoice, when in reality it's a malware-laden file. Recently, Doty has seen ransomware being sent to his bank, but there hasn't been a successful infection yet. And in the past three weeks, hackers have been sending more calculated, spear phishing emails to the Colorado bank.

For his part, Doty has trained his staff to pick up on dodgy emails and links.

"When I sent out our first test phishing email, I got about 25 percent of our users to give me their credentials," he said. "Now that we have a training program in place, my level of attack sophistication has gone up, and I haven't gotten any user's credentials in over 6 months."

When it comes to normal, community-focused banks, perhaps it's training that helps the most, rather than any sort of high tech protection system.

"It's never going to be 100 percent effective, so you still need your gadgets, you still need layers of security to protect yourself, but training is such an effective, economic way of defending yourself, and I think it's often overlooked," Doty said.