Last week another bank in the SWIFT network was attacked by digital thieves. Authorities speculate that it looks to be an inside job: one or more people installed programs on the bank's computers that pretend to be legitimate applications but are really malicious tools. In this case the tools posed as a PDF viewer while silently changing the PDFs they displayed. It's interesting that the reports single out a malicious PDF program, a "trojan PDF viewer", and it reminds me of some perhaps little-known facts about PDF files and computer files in general:
- Many users perceive PDF files as not editable, but that's not the case. PDFs can be added to, edited, changed and updated just like other files. It's true that formats designed for authoring content (like MS Word or Adobe InDesign) tend to come with tools that make editing easier and faster. But PDF itself even has a built-in incremental-update mechanism that lets a tool append changes to the end of a file without rewriting what came before. Just as HTML is not permanent and unalterable, neither is PDF.
- PDF has a great advantage over image formats like TIFF or JPEG and over more ephemeral formats like HTML and EPUB: a digital signature can be embedded right inside the PDF file, covering the file's bytes, so a reader can verify that the document hasn't changed since the author signed it. Many PDF readers take advantage of this to make it very easy to see that a PDF has been altered or damaged, as well as to see that the PDF you received is exactly what the creator intended. The catch is that the verification is performed by the reader, so the "unaltered" indication is only as trustworthy as the reader showing it.
- Unfortunately, the attack on the bank relied on putting a PDF reader in place that pretended to be the tool the bank's employees normally used for validating SWIFT transactions, but was really a different tool that only pretended to be doing the right things. Hidden in the background it was changing the files used for tracking transactions, so whatever the employees saw on screen came from the attacker's code. This is a security problem that goes past any type of file or format and into the need for vigilance in securing networks and computers, as well as educating users to look out for anything suspicious.
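To make the "editable" and "signed" points above concrete, here is an added example (not code from this post, and not any PDF vendor's implementation) that models the mechanism a real PDF signature uses: a /ByteRange array naming the bytes the signature covers, a /Contents hole holding the signature value, and verification that recomputes the digest over exactly those bytes. Two simplifications are assumptions of this example: a bare SHA-256 digest stands in for the CMS/PKCS#7 signature blob a real /Contents holds, and the sample document is a constructed, PDF-flavoured byte string rather than a spec-complete file. The shape of the checks, including the distinction between "signature valid" and "nothing appended after the signed range", is the same one a careful verifier makes on a real PDF.

```python
"""Model of a PDF /ByteRange signature and of 'changed after signing' detection.
Constructed example: SHA-256 stands in for the CMS signature a real /Contents holds."""
import hashlib
import re

DIGEST_HEX_LEN = 64  # SHA-256 hex digest; a real /Contents is a much longer CMS blob


def _sig_object(a: int, b: int, c: int, digest_hex: str) -> bytes:
    # Fixed-width ByteRange values keep every offset identical between the
    # layout pass and the signing pass, the same trick real signing tools use
    # (they pad the /ByteRange array and the /Contents string to a fixed size).
    return (b"\n<< /Type /Sig /ByteRange [0 %010d %010d %010d]"
            b" /Contents <%s> >>\n" % (a, b, c, digest_hex.encode()))


def sign(doc: bytes) -> bytes:
    """Append a signature object whose digest covers everything except the
    /Contents hole [a, b), i.e. ByteRange [0 a b c] as in a real PDF."""
    placeholder = "0" * DIGEST_HEX_LEN
    probe = _sig_object(0, 0, 0, placeholder)
    a = len(doc) + probe.index(b"<" + placeholder.encode())   # offset of '<'
    b = a + DIGEST_HEX_LEN + 2                                 # just past '>'
    c = len(doc) + len(probe) - b                              # bytes after the hole
    laid_out = doc + _sig_object(a, b, c, placeholder)
    digest = hashlib.sha256(laid_out[:a] + laid_out[b:b + c]).hexdigest()
    return doc + _sig_object(a, b, c, digest)


SIG_RE = re.compile(
    rb"/ByteRange \[0 (\d+) (\d+) (\d+)\] /Contents <([0-9a-fA-F]+)>")


def verify(doc: bytes) -> dict:
    """Recompute the digest over the signed ranges and report two separate
    facts: whether the signature checks out, and whether anything sits after
    the signed range (which is exactly what a PDF incremental update adds)."""
    m = SIG_RE.search(doc)
    if m is None:
        return {"signed": False}
    a, b, c = (int(g) for g in m.group(1, 2, 3))
    # The gap the signature skips must be exactly the <hex> /Contents string;
    # a ByteRange that skips anything else is hiding unsigned bytes.
    hole_is_contents = doc[a:b] == b"<" + m.group(4) + b">"
    actual = hashlib.sha256(doc[:a] + doc[b:b + c]).hexdigest()
    stored = m.group(4).decode()
    signed_end = b + c
    return {
        "signed": True,
        "signature_valid": hole_is_contents and actual == stored,
        "signed_length": signed_end,
        "trailing_bytes": len(doc) - signed_end,
    }


if __name__ == "__main__":
    original = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"  # constructed sample
    signed = sign(original)
    print("as signed:      ", verify(signed))
    print("edited in place:", verify(signed.replace(b"Catalog", b"Catalox")))
    appended = signed + b"\n2 0 obj << /Type /Annot >> endobj\n%%EOF\n"
    print("update appended:", verify(appended))
```

Run it and the three cases show the two results that matter. Editing a byte inside the signed range breaks the signature. Appending an update after the signed range leaves the signature perfectly valid, because those bytes were never covered, yet `trailing_bytes` is non-zero; a reader that reports only "signature valid" without also reporting that the file continues past the signed range is telling you less than you think. And every one of these checks runs inside the viewer, which is precisely the component the bank's attackers replaced.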
The validation and change-detection features built into file formats like PDF are incredibly useful, but they are only as secure as the weakest link in the broader environment. Unfortunately, inside jobs like this can't be stopped just by choosing the right file format. Security needs to be viewed from a systems point of view, and that includes systems to prevent, or at least catch, inside jobs like this.