Metropolitan Bank, the hacking of whose website we reported here two days ago, were not the only local financial institution to suffer at the hands of site defacers in the past couple of weeks. We have confirmed this week that Tetrad Holdings and MBCA Bank also had their websites defaced. Unlike Metbank though, the two banks have since had their websites restored.
The Tetrad website was defaced around the same time the Metbank website was hit (Sunday, 20 January) and was indeed hacked by the same group of hackers, who call themselves “Qifwhysoserious”. The MBCA website, however, was defaced by a different group of hackers about a month and a half ago.
A source we spoke to at Tetrad Holdings confirmed the incident had happened and explained that they fixed the security vulnerabilities in the content management system and restored the website within a day. The source also told us that apart from the defacement, no other damage was done.
An MBCA Bank spokesperson we communicated with, Dedrey Mutimutema, also confirmed the defacement of the company’s website and pointed out that the defacement was inconsequential as the website is not linked to the Bank systems or servers. “We nonetheless requested our agent to add more security features, which they did, and the website is now online,” she explained.
Another local bank, FBC Holdings, also appears to have suffered some kind of security compromise on its website in recent weeks. Googling “FBC Bank” currently returns a warning (shown below) that the website may be compromised.
We got in touch with officials at the bank and they advised us through their web development company that their website had not been compromised and that they had requested Google to remove the warning. Google explains in its support pages that it shows the warning message “for search results that we believe may have been hacked or otherwise compromised” to protect the safety of its users. Google goes on to explain that the hacking “typically means that a third party has taken control of the site without the owner’s permission.”
To be clear, we do not think the hackers are specifically targeting the financial institutions. It’s just that, unlike other companies whose websites have been hacked in the past several months, the security of such institutions should be well above the average CMS vulnerability hack job that these attacks have in common. One commenter, after reading the Metbank hacking story, suggested:
Big companies (e.g. Banks) that can afford it should rather buy their own Virtual Private Server at a hosting company and implement more security rather than using shared hosting, but even more importantly they should have a maintenance contract with their developer to keep their site patched and secure.
We’d only add that financial institutions especially should contract competent developers too. Even though it’s technically accurate, explaining that your website and your banking (and online banking) website are two separate systems is not enough anymore. The fact that someone entered and defaced your internet property doesn’t instill any confidence at all in the security of your technical products like internet and mobile banking.