Docomo Hack Reveals Vulnerabilities in Banking System

A recent series of cyber-attacks via NTT Docomo’s remittance service Docomo Kōza exploited a vulnerability in Japanese banking systems.

Phishing Scams Now Commonplace

In a recent series of cyber-attacks, NTT Docomo’s remittance service Docomo Kōza was used to steal funds from personal bank accounts without the account holders’ knowledge. The hackers exploited a vulnerability in banking systems that assumed transactions were safe if they were conducted via reputable service providers. We asked cybersecurity expert Masamoto Kenzō, director of Macnica Networks, about the attacks.

INTERVIEWER  The perpetrators of the Docomo attacks stole the account numbers and PINs of bank account holders and then remitted funds into fake Docomo Kōza accounts by using that information to impersonate the victims. How could the hackers have obtained this information?

MASAMOTO KENZŌ  There are three possibilities. The first is phishing—i.e. the criminals stole the information by sending the victims emails containing links to fake bank websites and tricked them into entering their names and passwords. The second is that the attackers emailed the victims files that infected their smartphones or PCs with a virus, so that when these users used their PCs to make an online transaction, the virus stole their usernames and passwords. The third involves a kind of fraud that is accomplished by impersonating a police officer and asking elderly victims to disclose their bank card numbers and PINs.

These types of crimes are nothing new. According to figures from the Japanese Bankers Association, there were 863 cases of online hacking in the fourth quarter of 2019 alone, in which a total of ¥1.1 billion was stolen.

INTERVIEWER  I hear some thieves are resorting to new strategies.

MASAMOTO  It has been suggested that a technique called “reverse brute force,” or RBF, was used in the Docomo hackings, but we don’t know this for sure. If you attempt to try every possible password combination to hack a given user ID, you will be locked out after a few attempts. However, if you try logging into every possible user ID with the same password, you will not be locked out. Some people have simple passwords like “1234,” and if you combine one of these with many different IDs, you might get lucky. That is how RBF works.

INTERVIEWER  Who do you envisage the attacker to be?

MASAMOTO  We still don’t know who did this. However, the world is full of hackers attempting to steal money. There are criminal groups in Eastern Europe, Russia, and China, and there may be such groups in Japan as well.

New Type of Crime Exploits Weak Points in Bank Alliances

INTERVIEWER  Bank account hackings are said to be a daily occurrence. What was different about the latest attacks?

MASAMOTO  The Docomo attacks were like any other in that they involved withdrawals made using online banking. They were different in that rather than accessing the victims’ accounts directly, the thieves put an extra layer between themselves and the victims’ accounts, in the form of the Docomo Kōza accounts. The attacker exploited vulnerabilities in the alliance between the two financial institutions.

INTERVIEWER  What do you mean?

MASAMOTO  Put simply, while online banking systems will flag logins from places like Russia or Iran as suspicious, when an account is accessed via the highly reputable Docomo Kōza platform, suspicions are not aroused. And yet, according to media reports, it is possible for anyone to open a Docomo Kōza account without verifying their identity. I imagine that was why the attacker chose Docomo Kōza. The partner banks entered into arrangements with Docomo without adequately checking the security arrangements at the Docomo end.

The fact that the Docomo Kōza platform’s lack of identity verification made it vulnerable to cyber-attacks would not usually be common knowledge—the hackers must make a habit of thoroughly researching these kinds of details. They may have hit upon the vulnerability in the partnership between financial institutions because of the fact that it has become extremely difficult to hack bank websites directly.

INTERVIEWER  Who is responsible for this failing?

MASAMOTO  I believe both Docomo and the regional banks are at fault. Docomo was clearly negligent in failing to verify its users’ identities. But I also believe the laxness of the banks’ due diligence, as evidenced by their agreement to partner with Docomo, was also a cause.

According to media reports, similar attacks were made some years ago involving Resona Bank accounts linked to Docomo Kōza accounts, but never made public. Docomo should have beefed up security after those attacks.

Defending Against Attacks

INTERVIEWER  How can we prevent similar attacks in future?

MASAMOTO  This latest attack was characterized by negligence on the part of both Docomo and the regional banks. However, the problem of account holders getting sucked in by phishing scams is something banks have no control over. The public needs to become more IT literate. If we switch to a digital legal tender in future, we will no longer be able to rely completely on service providers to keep us secure. In future, users will have to be even more IT literate, as service providers are unable to tackle these problems on their own. The need for service providers to be cautious is of course a given. However, users of services should also assume that hackers may guess or learn their PIN numbers.
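The lockout asymmetry Masamoto describes when explaining reverse brute force (one password tried against many user IDs never trips a lockout that only counts failures per account) can be checked directly, and the defensive counterpart is to also count, per source, how many distinct IDs have failed. The following Python is an added example, not code from the interview, NTT Docomo or any bank: it runs a constructed spray trace against a per-account-only lockout and against a policy that adds a per-source distinct-ID counter, and it also confirms that a legitimate user who mistypes a password a few times is not caught by the spray rule. The class names, thresholds, the credential store and the TEST-NET address 203.0.113.5 are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed demo credential store; a real system stores salted hashes,
# never plaintext. One account carries the kind of weak PIN-style password
# the interview mentions.
USERS = {f"user{i:03d}": "Xk9!qL2m" for i in range(1, 21)}
USERS["user007"] = "1234"


@dataclass(frozen=True)
class Attempt:
    ts: float       # seconds since start of trace
    source: str     # client IP or session fingerprint (constructed)
    user_id: str
    password: str


class AccountOnlyLockout:
    """Classic policy: lock an account after max_fail failures on that account.
    A spray (one password, many IDs) never trips it, because each ID sees
    only one failure."""

    def __init__(self, max_fail=5):
        self.max_fail = max_fail
        self.fails = defaultdict(int)

    def login(self, a: Attempt) -> str:
        if self.fails[a.user_id] >= self.max_fail:
            return "locked"
        if USERS.get(a.user_id) == a.password:
            self.fails[a.user_id] = 0
            return "ok"
        self.fails[a.user_id] += 1
        return "fail"


class SprayAwareLockout(AccountOnlyLockout):
    """Adds a per-source sliding window of *distinct* user IDs that failed.
    Once a source has failed against spray_threshold different IDs inside
    the window, it is denied outright (and stays flagged for review)."""

    def __init__(self, max_fail=5, spray_threshold=5, window=300.0):
        super().__init__(max_fail)
        self.spray_threshold = spray_threshold
        self.window = window
        self.source_fails = defaultdict(deque)   # source -> deque[(ts, user_id)]
        self.flagged = set()

    def _distinct_failed_ids(self, source, now):
        q = self.source_fails[source]
        while q and now - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        return {uid for _, uid in q}

    def login(self, a: Attempt) -> str:
        if (a.source in self.flagged
                or len(self._distinct_failed_ids(a.source, a.ts)) >= self.spray_threshold):
            self.flagged.add(a.source)
            return "blocked"
        result = super().login(a)
        if result == "fail":
            self.source_fails[a.source].append((a.ts, a.user_id))
        return result


def spray_attempts(source="203.0.113.5", password="1234"):
    """Constructed attack trace: one password tried against every ID, one per second."""
    return [Attempt(float(i), source, uid, password) for i, uid in enumerate(sorted(USERS))]


def run(policy, attempts):
    """Return a count of each outcome plus the IDs that were actually logged into."""
    summary = defaultdict(int)
    compromised = []
    for a in attempts:
        r = policy.login(a)
        summary[r] += 1
        if r == "ok":
            compromised.append(a.user_id)
    return dict(summary), compromised


if __name__ == "__main__":
    print("account-only :", run(AccountOnlyLockout(), spray_attempts()))
    print("spray-aware  :", run(SprayAwareLockout(), spray_attempts()))
```

Under the account-only policy the trace ends with nineteen failures and one successful login against the weak account, and no account is ever locked; under the spray-aware policy the source is denied after five distinct IDs have failed, before the weak account is reached. The window and threshold are the knobs a defender tunes: too low and shared NAT addresses generate false positives, too high and a slow spray slips under it, which is why production systems usually pair this with per-source rate limiting and alerting rather than relying on a single counter.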

(Originally published in Japanese. Banner photo: NTT Docomo executives apologize at a press conference on September 10, 2020. © Jiji.)