Users left stranded with no access to FX
Three days after foreign exchange provider Travelex pulled its systems offline on discovering a “software virus” on New Year’s Eve, the company’s UK website remains unavailable, and partners such as Barclays, which rely on Travelex for their FX services, have been unable to offer online currency services.
Security experts say the company — which is FCA-regulated and was running a payment platform on AWS — appears to have shown signs of poor network segmentation.
As Drew Perry, CEO of security firm Tiberium, noted to Computer Business Review: “Its ‘digital transformation’ appears to have only covered its travelex.com estate (hosted on AWS using Cloudfront) while its UK domain remains down and is hosted on its own BT-provided IP, so this server must be linked to internal infrastructure.”
Travelex appears to have recently created https://response.travelex.co.uk, with its UK site still returning an IIS error page: even the company’s investor relations pages remain offline.
Security researcher Kevin Beaumont meanwhile noticed that “Travelex’s AWS platform had Windows servers with RDP enabled to internet and NLA [Network Level Authentication] disabled, oops.”
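The exposure Beaumont describes, RDP reachable from the internet, is the kind of thing a security-group audit catches before anyone else does. The block below is an added example, not code from the article, from Travelex or from AWS: it walks the dictionary shape returned by boto3's EC2 `describe_security_groups()` call and reports every rule that admits TCP/3389 from outside the RFC 1918 and IPv6 ULA ranges, distinguishing a rule open to the whole internet from one that names a specific external range. The response embedded in `SAMPLE_RESPONSE` is constructed sample data; its group ids, names and CIDRs are made up.

```python
"""Audit AWS security groups for RDP (TCP/3389) reachable from the internet.

Added example, not the article's or any vendor's code. It consumes the
dictionary returned by boto3's ``ec2.describe_security_groups()``; the
SAMPLE_RESPONSE below is constructed so the script runs offline.
"""
import ipaddress

RDP_PORT = 3389

# Ranges treated as "internal"; any other source reaching RDP is a finding.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to ``port``."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule: no ports given
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def classify_source(cidr):
    """Severity label for a source CIDR, or None when it is an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                 # 0.0.0.0/0 or ::/0
        return "OPEN_TO_INTERNET"
    if any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES):
        return None
    return "PUBLIC_SOURCE"                 # a named external range: confirm it is yours


def find_exposed_rdp(response, port=RDP_PORT):
    """Return (group id, source CIDR, severity) for every rule exposing ``port``."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                severity = classify_source(cidr)
                if severity:
                    findings.append((sg["GroupId"], cidr, severity))
    return findings


# Constructed sample in the describe_security_groups shape; ids and CIDRs are made up.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "GroupName": "web-tier", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbb", "GroupName": "win-app", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0ccc", "GroupName": "wide-port-range", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    ]
}

if __name__ == "__main__":
    for group, cidr, severity in find_exposed_rdp(SAMPLE_RESPONSE):
        print(f"{severity:17} {group:8} from {cidr}")
```

Against a live account, replace `SAMPLE_RESPONSE` with the result of `boto3.client("ec2").describe_security_groups()`. The `/0` findings are the ones to close first; the NLA half of Beaumont's observation is a host setting (the `UserAuthentication` value on the RDP-Tcp listener) and has to be checked on the server itself, not in the security group.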
Travelex also appears to have been running Windows Server 8 – aging software that will see security support end on January 14. Insiders confirmed to Computer Business Review that it was a ransomware attack and said they understood it to have been the Sodinokibi variant, although they were not able to confirm this.
One staffer told us: “Global Travelex sites are offline (excluding those operated by partners – South Africa, Brazil). Services also offline include partners who whitelabel the service including Barclays, HSBC, FirstDirect, Tesco, ASDA, Sainsbury’s, Virgin Money, NatWest, RBS, Manchester Airport and Heathrow.”
They added: “Oddly their dev centre site reports no service issues… probably not a priority. Right now, there’s little else to tell as staff are kept in the dark.”
The company is the world’s largest foreign exchange specialist, with almost 800 retail branches in more than 26 countries. It is owned by India’s Finablr, an LSE-listed financial services company that owns a range of payments and FX brands.
Many customers who rely on Travelex’s cards, meanwhile, have been left stranded overseas without access to foreign currency.
Security experts say such attacks increasingly come at the end, rather than the beginning, of targeted intrusions, with the ransomware payload triggered only after the attackers have surveyed the network and, in some instances, exfiltrated data.
Travelex provided few details about the incident, saying that the unnamed virus had “compromised some of its services”. It added: “As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all of our systems offline”, saying that it believes no customer data has been stolen.
Customers took to social media to castigate the company for its response. One, Matt Bartlett, said he had been stuck in Canada for four days as a result.
Perhaps this explains why we have been stuck in Canada for four days with no access to our money? I’ve been calling you every day for an update, maybe your phone agents could explain the situation instead of constant false promises?
— MattBartlett (@MattBRecruiter) January 2, 2020
The incident comes less than 24 months after Travelex leaked the details of nearly 17,000 Tesco Bank customers. (Travelex provides Tesco Bank’s FX services).
Happy New Year! As #travelex has suffered an incident over the holiday period, this is your annual reminder to patch your infrastructure and mitigate vulnerabilities as you become aware of them, specifically your external Citrix servers #CyberSecurity https://t.co/8LbCohqKL1 pic.twitter.com/A4UAqKFvI4
— Tiberium (@TiberiumSec) January 2, 2020
Recent ransomware strains are increasingly sophisticated, for example bypassing Windows protections by immediately rebooting computers into safe mode, where endpoint protection software does not run.
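A forced reboot into safe mode leaves clear traces in process-creation telemetry, which makes it a useful detection point even when the encryptor itself is unknown. The block below is an added example, not code from the article or from any vendor: it takes process-creation records in the shape a SIEM might export from Windows Security event 4688 or Sysmon event 1 (the field names `ts`, `host`, `user` and `cmd` are this example's own assumption), flags any `bcdedit` change to the `safeboot` boot entry, and raises the severity when the same host requests a reboot within ten minutes of that change. The five records in `SAMPLE_EVENTS` are constructed; the host names and users are made up.

```python
"""Flag hosts that have been staged to reboot into Safe Mode.

Added example, not from the article or any vendor. Input is a list of
process-creation records as a SIEM might export them from Windows Security
event 4688 or Sysmon event 1; the field names are an assumption of this
example and SAMPLE_EVENTS is constructed sample data.
"""
import re
from datetime import datetime, timedelta

# bcdedit touching the safeboot boot entry, and a reboot request (/r or -r).
SAFEBOOT_CMD = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)
REBOOT_CMD = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.I)
WINDOW = timedelta(minutes=10)   # how soon after the change a reboot is suspicious

# Constructed records: ISO timestamp, host, user, command line. Names are made up.
SAMPLE_EVENTS = [
    {"ts": "2020-01-01T02:10:05", "host": "HOST-01", "user": "svc_deploy",
     "cmd": r"C:\Windows\System32\bcdedit.exe /v"},
    {"ts": "2020-01-01T02:14:40", "host": "HOST-02", "user": r"CORP\admin",
     "cmd": r"bcdedit.exe /set {default} safeboot network"},
    {"ts": "2020-01-01T02:15:02", "host": "HOST-02", "user": r"CORP\admin",
     "cmd": r"shutdown.exe /r /f /t 0"},
    {"ts": "2020-01-01T03:00:00", "host": "HOST-03", "user": r"CORP\ops",
     "cmd": r'shutdown.exe /r /t 300 /c "patch window"'},
    {"ts": "2020-01-01T09:30:00", "host": "HOST-04", "user": r"CORP\helpdesk",
     "cmd": r"bcdedit /deletevalue {current} safeboot"},
]


def find_safe_mode_staging(events, window=WINDOW):
    """Return findings in timestamp order per host.

    Setting the safeboot entry is medium severity; removing it is low (usually
    cleanup, still worth a look); a reboot requested within ``window`` of a
    set on the same host is high.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        set_times = []            # when safeboot was set on this host
        for ev in evs:
            when = datetime.fromisoformat(ev["ts"])
            cmd = ev["cmd"]
            base = {"host": host, "user": ev["user"], "ts": ev["ts"], "cmd": cmd}
            if SAFEBOOT_CMD.search(cmd):
                removing = "/deletevalue" in cmd.lower()
                findings.append({**base,
                                 "severity": "low" if removing else "medium",
                                 "reason": "safeboot entry removed" if removing
                                           else "safeboot entry set"})
                if not removing:
                    set_times.append(when)
            elif REBOOT_CMD.search(cmd) and any(when - t <= window for t in set_times):
                minutes = int(window.total_seconds() // 60)
                findings.append({**base, "severity": "high",
                                 "reason": f"reboot requested within {minutes} min "
                                           f"of safeboot being set"})
    return findings


if __name__ == "__main__":
    for f in find_safe_mode_staging(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:8} {f['user']:14} {f['reason']}: {f['cmd']}")
```

The plain `bcdedit /v` on HOST-01 and the scheduled patch-window reboot on HOST-03 produce nothing; only the set-then-reboot sequence on HOST-02 reaches high severity. Running this requires command-line auditing to be on for event 4688 (or Sysmon in place), otherwise the `cmd` field is empty and the rule has nothing to match.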
As Aron Brand, CTO at Israel’s CTERA told Computer Business Review last week, robustly protected back-ups are an essential prerequisite for a rapid recovery after a ransomware attack.
He said: “Make sure all of your data is reliably backed up and physically separated from the main dataset, with backup versions in a read-only repository. In the event of an attack, you can roll back to an uninfected file version and be up and running quickly.”
He adds: “If your data is outside your firewall, it must be encrypted. Keys should be generated and managed internally by trusted individuals, separate from any third-party service to ensure total data privacy.”
Updated 23:00 January 4, 2019, corrects Travelex owner to Finablr.
Banner image credit Tejvan Pettinger, Creative Commons, 2.0, Flickr.