A technology whistleblower who developed vital software used by Bank of Ireland (BoI) has claimed the lender’s mobile banking platforms are exposed to ‘devastating attacks’ from hackers.
The allegations were made by Colin Larkin, a telecoms expert whose patented technology has been used by BoI to secure mobile banking, in papers lodged in the Circuit Court this summer.
They are also contained in protected disclosures made by Mr Larkin to the Data Protection Office and various regulatory bodies.
Details of the allegations emerged just weeks after BoI suffered the latest in a string of high-profile IT failures.
Last month, an IT glitch disabled the bank’s online platforms, allowing some customers to withdraw cash they did not have from ATMs.
In the legal papers, which were first filed in May, Mr Larkin claims his technology inventions were stolen from him and are being illegally ‘laundered’ by BoI and others.
He also told the court he moved to protect his intellectual property by deliberately withholding elements of the technology from his patents to prevent others from copying and stealing it.
He claims this has left BoI and anyone else now using the relevant technology ‘exposed to devastating attacks that are trivial to execute’.
In June, just weeks after the claims were lodged in court, many of BoI’s online operations crashed for nearly a day.
At the time the bank launched a ‘full and thorough investigation’ but has not disclosed the cause of the problem.
Mr Larkin’s court allegations stem from the demise of his Dublin tech firm, MoQom Ltd, which went into receivership in 2016.
According to his affidavit, this receivership was ‘fraudulent’ and designed to steal his patents. He claims MoQom developed successful technology that delivered ‘highly specialised mobile network-based fraud prevention and online digital identity technology’ to combat mobile phone fraud.
The affidavit described this challenge as ‘arguably one of the biggest, most challenging, most difficult, and most complex problems of the internet’.
The court papers further claim this issue remains ‘a significant barrier that prevents banks across the globe from maximising their potential to do business online without significant fraud exposure or without imposing an unfriendly and painful user experience on their customers’.
In recent years, Mr Larkin has made various disclosures and complaints about the alleged fraudulent destruction of his firm to parties such as the Central Bank, the Director for Corporate Enforcement, the Commission for Communications Regulation and others. He has also repeatedly warned the authorities of the risks associated with vulnerabilities in mobile banking.
In May, these matters were brought before the Circuit Court when BoI moved to seize Mr Larkin’s home from his landlord.
In his court papers, Mr Larkin claims the timing of this move is linked to the fact that he has notified the bank of his intention to sue.
According to the court papers, BoI was one of MoQom’s early customers, paying a discounted rate of €1m a year for these services.
The document outlines in detail how Mr Larkin’s technology specifically benefited the bank. It describes how one of Mr Larkin’s patented technologies – known as SIM Take Over Protection – allegedly eliminated SIM swap fraud at BoI when the lender began to use it in 2014.
SIM swap fraud involves scammers tricking a mobile provider into activating a new SIM card for a customer’s phone number. This then allows criminals to access bank accounts when two-factor authentication codes are sent to the new SIM on a phone controlled by the scammers.
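One defensive control against the scenario described above is to check how recently the SIM behind a phone number was changed before trusting an SMS-delivered code. The following Python is an added example written for this article, not Mr Larkin’s patented technology or any bank’s code; the operator lookup table, phone numbers and timestamps are constructed, and the threshold values are assumptions.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class OtpDecision(Enum):
    SEND_SMS = "send_sms"   # SIM looks stable: SMS code may be sent
    STEP_UP = "step_up"     # recent change or unknown: use a non-SMS factor
    BLOCK = "block"         # SIM changed very recently: refuse SMS delivery


# Constructed stand-in for an operator "last SIM change" lookup (assumption:
# a real deployment would query the mobile network operator for this).
SIM_CHANGE_TIMES = {
    "+353850000001": datetime(2023, 8, 1, 9, 0, tzinfo=timezone.utc),
    "+353850000002": datetime(2023, 8, 20, 22, 15, tzinfo=timezone.utc),
    "+353850000003": None,  # operator reports no SIM change on record
}


def last_sim_change(msisdn):
    """Return the last SIM-change time for a number, None if no change is known."""
    if msisdn not in SIM_CHANGE_TIMES:
        raise LookupError(f"no SIM status available for {msisdn}")
    return SIM_CHANGE_TIMES[msisdn]


def otp_delivery_decision(msisdn, now, block_hours=24, step_up_days=7):
    """Decide whether an SMS two-factor code may be sent to this number.

    Returns (decision, reason). Unknown status and clock anomalies fail closed.
    """
    try:
        changed = last_sim_change(msisdn)
    except LookupError:
        # No operator answer: do not assume the SIM is the customer's.
        return OtpDecision.STEP_UP, "sim-status-unknown"
    if changed is None:
        return OtpDecision.SEND_SMS, "no-sim-change-on-record"
    age = now - changed
    # A negative age (change timestamp in the future) indicates clock skew or
    # bad data; it falls below the block window and is therefore refused.
    if age < timedelta(hours=block_hours):
        return OtpDecision.BLOCK, "sim-changed-within-block-window"
    if age < timedelta(days=step_up_days):
        return OtpDecision.STEP_UP, "sim-changed-within-step-up-window"
    return OtpDecision.SEND_SMS, "sim-stable"
```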
The affidavit reads: ‘In the space of one single evening my invention permanently halted 100% of that fraud type, instantly ending a fraud that was placing the plaintiff’s digital online banking strategy at high risk due to the extent of its ‘SIM swap’ fraud exposure.’
The court document also describes how another patent of Mr Larkin’s, designed to combat card fraud, was introduced at BoI in 2012.
According to the affidavit, this tech ‘revolutionised’ BoI’s ability to prevent credit-card fraud.
But Mr Larkin claims his firm was destroyed corruptly and that his patents were ‘laundered’ to another company. He states in the affidavit: ‘My start-up was destroyed… in an alleged fraudulent receivership for the alleged purpose of stealing and laundering my valuable technology and intellectual property.
‘From that point on I allege the plaintiff continued to use my alleged stolen technology and intellectual property.’
One of these three patents relates to Strong Customer Authentication (SCA) processes used to confirm the identity of mobile and online banking customers. According to Mr Larkin’s affidavit, this patent lapsed during the collapse of MoQom because fees went unpaid.
But Mr Larkin claims the SCA technology was of particular interest to Bank of Ireland and the subject of meetings between Mr Larkin and the bank. And he claims the banks, and others, have taken the expired patent and attempted to recreate it.
He said: ‘In early 2021 I was horrified to see the plaintiff try to launch what I allege is an attempt to recreate my SCA inventions.’
In the court documents, Mr Larkin alleges the technology had a hidden back door that he deliberately left in place.
But he added: ‘Neither the investors nor the plaintiff knew I had protected my decades of SCA intellectual property research from alleged fraudulent theft by withholding critical parts of my inventions, meaning any bank trying to copy my technology is exposed to devastating attacks that are trivial to execute.’
The affidavit then alleges BoI suffered sustained attacks once it tried to launch the SCA system.
‘Within weeks of launching what I allege the plaintiff believed was a genuine copy of my full SCA invention, the plaintiff came under a sustained cyberattack that continues today with fraudsters exploiting what I allege are trivial mobile network vulnerabilities that fully defeat the plaintiff’s insecure SCA mobile banking app.’
This deliberately withheld weakness is why BoI and some other financial institutions continue to suffer ‘historic levels of unrelenting online banking and card payment fraud’, Mr Larkin alleges.
‘It is also why I allege over 90% of Irish mobile users continue to be targeted by fraudulent smishing texts and phishing phone calls,’ the affidavit reads.
The affidavit then details how the bank allegedly contacted Mr Larkin in an attempt to fix the technology.
‘In the face of historic uncontrollable levels of fraud, and after a year where the plaintiff struggled to learn how hackers were defeating their alleged copy of my incomplete SCA invention… I was contacted by a telecoms consultant working with the plaintiff’s development team who asked to meet me on December 11, 2021,’ the affidavit reads. ‘As this telecoms consultant was keen to understand the mobile network vulnerabilities I had left in my alleged stolen SCA inventions to protect my intellectual property, I described some easy ways to fully defeat an insecure copy of my alleged stolen SCA invention using basic smishing and mobile network signalling hacking techniques,’ the document continues.
Mr Larkin claims that the details provided by the bank’s consultant led him to believe that ‘the plaintiff was indeed allegedly laundering my alleged stolen SCA technology and intellectual property as described’.
Asked to respond to Mr Larkin’s comments, a spokesman for Bank of Ireland said: ‘These allegations and claims are baseless and without foundation.
‘In the event there are legal proceedings issued, the bank’s position will be robustly defended,’ the spokesman added.
The company that now holds the patents declined to comment when contacted by the MoS.
CENTRAL BANK TRIES TO ESTABLISH WHAT WENT WRONG AFTER BOI BLIP
Technology problems with mobile and internet services are something Bank of Ireland (BoI) is used to.
The most recent example of that – and perhaps the most widely publicised – came last month when the bank’s customers were able to withdraw money they did not have from ATMs. That incident also disabled many online and mobile services and prompted Finance Minister Michael McGrath to warn there have been ‘too many instances’ of IT glitches at banks.
One such incident occurred in June, when many of the bank’s online operations crashed for nearly a day. On that occasion, customers couldn’t access their accounts. As a result, bill payments, salaries and other transactions were all affected.
The bank launched a ‘full and thorough investigation’ at the time, but offered no explanation other than the fact that the problem was not a cyberattack.
However, regulators such as the Central Bank and the Data Protection Commission have pinpointed exactly what happened in previous cases.
Their conclusion in those instances was that BoI has been lax with its security standards to the point of breaking the law.
In March this year, the Data Protection Commission (DPC) ruled the bank had infringed its legal obligation to ensure appropriate technical and organisational measures were in place to protect the data of online customers. The ruling – and a €750,000 fine – related to 10 data breaches in which individuals gained ‘unauthorised access to other people’s accounts via the BOI365 banking app’.
According to the ruling, BoI ‘infringed its obligations’ under GDPR laws as its systems ‘were not sufficient to ensure the security of the personal data processed on the BOI365 app.’ Along with the fine, the DPC ordered BoI to bring its systems up to scratch.
But security lapses such as this are not new at BoI. The evidence for that can be seen in a November 2021 investigation report by the Central Bank.
The report reprimanded BoI and fined it €24.5m for ‘failures to have a robust framework in place to ensure continuity of service… in the event of a significant IT disruption.’
According to the Central Bank, these IT deficiencies were ‘repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015.’ The Central Bank report points out that: ‘The extent and duration of these breaches were particularly serious given the “always on” nature of the services BoI provides and how pivotal IT is to the entirety of its business operations.’
The Central Bank investigation also found that: ‘IT service continuity deficiencies were not addressed, despite being repeatedly identified in third party reports, between 2008 and 2015.’ According to the Central Bank’s report: ‘This demonstrates a recurring failure that is indicative of poor internal controls.’
BoI said these poor practices were corrected by 2019 and were brought to the attention of regulators after an internal bank audit uncovered the problem. However, in the wake of last month’s events, BoI is now once again the focus of Central Bank questions as the regulator seeks to establish what went wrong this summer.
BREACHES ARE THE RULE, NOT THE EXCEPTION
Your bank would have you believe your finances and data are completely secure on your smartphone. But those responsible for running those phone networks know otherwise.
In 2022, a survey run by Nokia asked 50 leading communications service providers (CSPs) around the globe about the current and future 5G security landscape.
The results were frightening.
‘Breaches are the rule, not the exception,’ the survey concluded. ‘Based on the responses, CSPs are in a constant struggle as cyber threats evolve.’
This means criminals, spies, hackers – and anyone with a few thousand euro and some expertise – can acquire the tools needed to track mobile calls, intercept communications and access banking apps. So far, they haven’t done so on a scale large enough to cripple financial systems. But they could.
This is not a sensationalised claim. It is the view of the EU’s cybersecurity watchdog – the European Network and Information Security Agency (ENISA).
‘What was once a safe interconnecting environment, due to the small number of providers with no real need for access control, has now become a “Wild West” running on legacy infrastructure,’ a 2018 ENISA assessment warned.
The problem with mobile phone networks is that they are built on a protocol developed in 1975 – called SS7 – that was not designed for things like mobile banking.
‘Nobody at that time envisioned the scale that mobile networks could reach in the future, so trust and security were not issues,’ the ENISA assessment reads. ‘Nonetheless at the moment we are still using this legacy set of protocols to assure the interconnection between providers.’
The result is that SS7 vulnerabilities can be easily exploited. There are countless examples of hackers, journalists and others demonstrating how easy it is to eavesdrop on and track phones in this way.
According to ENISA, all that’s needed to launch an attack on a device is access to SS7 on a network – which can be bought for a few thousand euro in some jurisdictions. In other instances this access is opened up to the many partners and service providers involved in mobile services on every network.
‘Protocols designed decades ago, with no security or access control in mind, cannot cope with today’s challenges,’ the ENISA assessment reads.
‘In order to benefit from all business opportunities today, operators need to open their networks for different types of partners, either operators or other types of service providers. This allowing of uncontrolled access to multiple partners is the main reason for increasing the security risks in signalling, but since it is a business enabler, it is highly improbable that operators will stop doing it.’
The stop-gap solutions deployed by banks and networks to counter these vulnerabilities involve seeking to confirm the identity of customers and educating the public about fraud.
Often enough to keep the system functional, this works. But it’s always a battle, and not nearly as fail-safe as your bank would have you believe.