Attacking a System

Attacking a System

For this assignment, you job is to figure out how best to attack a system. I leave it up to you to figure out which component to attack and what the goals of the attack should be—the goal or goals merely have to be plausible. (Why do I leave it up to you? One of the jobs of a security analyst is figuring out the threat model—the system developers may not have thought about it.)

The (hypothetical) system in question is the banking network. There are a number of parties and interconnections.

Customers can deposit or withdraw money. This can happen in one of several ways:

They can visit a bank branch and talk with a teller; tellers use terminals not accessible to customers. The tellers simply use web browsers to access internal web servers. Naturally, banks all have databases.
They can use an ATM. ATMs are basically HSMs. Some are owned by the bank and built in to the wall of the bank; others are stand-alone and privately owned, and are connected by some sort of link to a bank.
They can deposit checks via a mobile app

Customers can initiate money transfers to other customers, via an app or a web site
Payments between customers of different banks go through a clearinghouse that all banks talk to
Credit card payments go from merchants to credit card processors, which in turn talk to the banks

There are a number of aspects I've deliberately left unspecified. Make any reasonable assumptions you like, but document them. If there is a more secure option than the one you choose, explain why your choice is better under the circumstances, given the usual tradeoffs of cost, usability, etc.

You may find this diagram useful. Dotted lines are manual operations; solid lines are electronic transfers. The arrows show the direction of a connection initiation. (Yes, this is oversimplified…)

Out of scope: physically stealing ATMs, walking into a bank branch with a gun, etc. This is a computer security class; you can invoke physical security issues if and only if they're relevant to a computer security issue. Avoid heist movie scenarios!