
A Delivery Chain Breach: A UK bank opened the back door to China

🌈 Abstract

The article discusses a security breach at a UK bank, Metro Bank, where third parties in China were able to remotely access and control customers' online banking accounts. The article provides a timeline of events, explains the nature of the security breach, and contrasts it with a typical supply chain attack. It also highlights the lack of regulatory oversight and the bank's acceptance of the risk.

🙋 Q&A

[01] The Security Breach

1. What happened in the security breach at Metro Bank?

  • As customers logged into their online banking, Metro Bank's web pages downloaded and ran software directly from Chinese systems on customer devices.
  • This software could access anything on the banking website that the customer could.
  • Metro Bank had requested this software from another website to improve their site, but did not put any security protections in place to prevent the software from acting as the customer.
  • The website that provided the software changed hands and moved to China, at which point the servers in China could be used to control any Metro Bank online banking session.

2. What are the potential consequences for Metro Bank customers?

  • Customers should check if any data was captured from their bank accounts, if their login details were compromised, and if any payments were made incorrectly.
  • Customers may want to reset their banking credentials as a precaution.

3. Was this a malicious attack by the third parties in China?

  • The article states that there may be no reason to believe the third parties (Funnull or Baishan) acted in any malicious way.
  • The problem is that the bank gave them the capability to access customer accounts, and there is no audit trail to verify what their software did or what data they captured.

[02] Delivery Chain vs. Supply Chain Attacks

1. How is a "delivery chain" attack different from a "supply chain" attack?

  • In a supply chain attack, compromised components go through the production process, and there may be a record or chain of custody to trace the source of the issue.
  • In this "delivery chain" attack, the only parties who know what was actually delivered are the couriers (Baishan) and the developers (Funnull). Metro Bank just blindly ran the software that was delivered to their web page.

2. Why is a delivery chain attack more difficult to verify and trace?

  • The web is designed for each file to be sent uniquely, and the purpose of Funnull's service was to offer different JavaScript for different users, making it unlikely that Metro Bank would have been able to verify the code.
  • It may not be possible for a UK entity to verify whether a targeted attack happened, and the bank may have chosen to avoid a public incident that could have impacted their share price or caused a bank run.

[03] Regulatory Oversight

1. How did the regulators respond to the security breach?

  • The Financial Conduct Authority and Information Commissioner's Office were notified of the ongoing remote access breach in 2018, but they did not take any action.
  • Regulators of financial systems and personal data protection laws have ignored prior warnings of the risks in this domain.

2. What are the implications of the regulators' inaction?

  • The lack of regulatory oversight has left users in an extremely vulnerable position, where other parties can remotely access their systems and act in their name.
  • This echoes the Post Office Scandal, and the article hopes the regulators will now wake up to the risks faced by customers.