Mark Alan Richards

A Delivery Chain Breach: A UK bank opened the back door to China

security privacy data-protection

Timeline

  1. 2018: Financial Conduct Authority and Information Commissioner's Office notified of an ongoing remote access breach in RBS. RBS acknowledge their online banking pages can be altered for malicious purposes or in negligent ways by third parties. Regulators do nothing.
  2. 11th September 2023: The National Cyber Security Centre notified of security breaches in UK banks, including Metro Bank (not aware any involve Chinese systems)
  3. 18th September 2023: The security breach is reported to Metro Bank: various third parties (unlikely to be Chinese at this point) have remote access to online banking accounts
  4. 1st December 2023: Complaint escalated to the ICO
  5. 9th February 2024: Metro Bank respond (by post) that the risk is acceptable
  6. 24th February 2024: Funnull acquire one of the back doors to Metro Bank, hosting their remote code in Baishan Cloud CDN
  7. 29th February 2024: Cloudflare warns of acquisition
  8. 25th March 2024: Complaint raised to the Financial Conduct Authority, Bank of England and Financial Ombudsman Service
  9. Between 11th and 17th April 2024: Metro Bank remove remote access from Funnull. Remote access by further third parties persists.

The security breach

As customers logged in to online banking, Metro Bank's web pages downloaded and ran software directly from Chinese systems on customer devices: software that could access anything in the banking website that the customer could.

The bank requested this software from another website to improve their site, but put no security protections in place to stop the software acting as the customer.

The other website changed hands and moved to China: at this point the servers in China could be used to control Metro Bank online banking sessions of any customer online.

If you are a Metro Bank customer then you should be asking how much data Funnull, Baishan or others captured from your bank account, who has your banking login details, and checking whether payments have been correctly made. You may want to reset your banking credentials.

There may be no reason to believe Funnull or Baishan acted in any malicious ways.

The problem is that the bank gave them the capability to, and there is no audit trail in UK systems to verify what their software did or what data it captured.

Not a supply chain attack

Firstly, what is a supply chain?

There are many famed software supply chain attacks; search for Stuxnet or SolarWinds.

A supply chain suggests a production line approach to software:

  1. Source commonly used components (encryption, document templating, web servers, etc.).
  2. Develop an app with these and quality assure it.
  3. Release it.

No production line is perfect, but development and quality assurance processes offer an opportunity to spot compromised components before it is too late.

So what is a delivery chain?

Imagine that instead of a company handing a product to you directly, they send it to a courier to be delivered to your address.

Search for the problems brands have faced selling on Amazon, with scams and counterfeit products. It gives a flavour of the risks companies face when someone else delivers their product.

This is the domain of this breach.

At least in a supply chain attack, if a compromised component goes through the production process there might be a record, a chain of custody to work out where it came from and how much risk there is.

Because this was on the delivery side, the only parties who have any idea of what was actually delivered are the couriers (Baishan) and the developers (Funnull). Metro Bank just put in an order for the software to be delivered into their web page and ran it blindly.

Although we hope every delivery was the same (in which case Metro Bank would likely have seen the code and could verify it), the web is designed so that each file is served individually to each user. To make matters worse, the purpose of Funnull's service was to serve different JavaScript to different users depending on their browser capabilities, and it seems unlikely it would have taken much effort to create a version of this targeting banking customers.

I'm not sure it is possible for a UK entity to verify whether a targeted attack happened; we must just hope it hasn't.

During the period, had Funnull just provided a compromised asset to all, perhaps one that stole login details or attempted random payments, I cannot imagine a front page news story "Metro Bank hacked, customers' online banking in disarray" would have been good for Metro Bank's share price, or a good headline if they wish to avoid a bank run.

The even weirder part

Before the website changed hands to China, its previous owner ran it as a personal project.

Thus, Metro Bank gave remote access to all their customers' accounts to one guy on the internet.

That was what Metro Bank signed off as being an acceptable risk.

Regulators asleep at the wheel

Laws overseeing both financial systems and personal data protection require companies to have appropriate security controls.

Regulators of these laws have in both instances ignored prior warnings of the risks in this domain.

Given the Post Office Scandal, we can only hope they wake up to the extremely vulnerable position users are in when others can remotely access systems as them.