Bank had no firewall license, intrusion or phishing protection – guess the rest
An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.
Mahesh Bank certainly thinks small about security - at least according to Hyderabad City Police, which last week detailed an attack on the bank that started with over 200 phishing emails being sent across three days in November 2021.
Another technology the bank had chosen not to adopt was virtual LANs, so once the remote access trojan (RAT) went to work the attackers gained entry to the bank's systems and were able to roam widely - even in its core banking application.
Hyderabad Police's analysis of the attack found that Mahesh Bank had carelessly allowed its population of super-users to reach ten - some with identical passwords.
Over $1 million of the stolen funds were shifted to hundreds of other accounts at Mahesh Bank and other financial institutions.
The force's report of the incident is not kind to Mahesh Bank, noting that it had "No proper network infrastructure", took no precautions to isolate head office applications from its branches, lacked many basic security tools, did not train its staff for the eminently foreseeable eventuality of a phishing attack, and did not have a valid license for its firewall at the time of the attacks.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/