Insights learned from anatomy of cyber-attacks targeting banks

This is second part of three-part series exploring the rise and power of cyber-criminals; anatomy of cyber-attacks targeting banks; and defending a bank against cyber-criminals.

Banks, have always been and continue to be prime targets for criminals. Digitalisation of money rendered ‘Butch Cassidy and the Sundance Kid’ style bank robbery obsolete. However, a new breed of cyber-criminals is redefining the threat landscape; challenging existing security principles; and succeeding, not in-spite, but because of prevalent stringent security measures.

Countering these threats requires a rethink of core security principles starting with simplification of internal IT landscape, innovation of customer authentication, and focus on data analytics.

It stands to reason that risk and security professionals at banks will recognise, in time, that when the enemy deploys para-troopers it makes no sense to add additional walls rather the need of the hour is a redesigned fort.

 


Figure 1: Publically known major cybercrime incidents targeting banks (source: Innopay analysis)

2009 RBS WorldPay (source, source, source):

In the 2009 RBS WorldPay attack, a trio of hackers from Estonia, Russia, and Moldova gained unauthorised access to Atlanta (US) based computer systems of RBS WorldPay; downloaded confidential magstripe card-data; reverse engineered the encryption protecting this data to decipher the PIN needed for cash withdrawal at ATMs; and raised withdrawal limits on compromised accounts.

In the subsequent cash-out, in less than 12 hours a horde of cashers armed with 44 counterfeit payroll debit cards stole about US $ 9.4 million from more than 2,000 ATMs across 280 cities in United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.

Joint investigation effort by US FBI, Estonian Central Criminal Police, Hong Kong Police Force, and Netherlands National High Tech Crime Unit eventually led to the arrest and indictment in 2010 of seven involved criminals including the masterminds behind the attack.

Key Insight: Security protocols will be cracked

2012/2013 Unlimited Operation (source, source):

In a cinematic sequel to the 2009 RBS incident, an international gang of criminals targeted UAE based National Bank of Ras Al-Khaimah PSC (RAKBANK) in December 2012 and Oman based Bank of Muscat in February 2013. In both cases, the criminals managed to gain unauthorised access to card processing systems; manipulated account balances and raised/eliminated withdrawal limits; and distributed counterfeit cloned cards for a synchronised global cash-out. In case of RAKBANK, in just a few hours on 22nd December, criminals cashed US $ 5 million from 4,500 ATM transactions across 20 countries. And in case of Bank of Muscat, in less than 10 hours on 19th February, criminals cashed US $ 40 million from 36,000 ATM transactions across 24 countries.

This time, however, the hackers did not rely on reverse engineering or stealing card data from bank databases, rather they purchased previously skimmed/stolen cards and directly went after manipulating account balances and withdrawal limits.

Subsequent investigations led to the arrest in 2013 of seven members of the New York (US) cell on charges of money laundering. One of the identified masterminds was shot dead, mafia execution style, allegedly by his gang members at his home in the Dominican Republic.

Key Insight: Large value cash-outs are possible

2014 JPMorgan Chase (source):

In October 2014, JPMorgan publicly reported that cybercriminals breached its computer systems and compromised data on 76 million personal accounts and 7 million small business accounts. A year later, US Federal Authorities indicted four men on charges of hacking multiple financial institutions, including JPMorgan, and operating a stock-pumping scheme and online gambling operations that netted more than US $ 100 million.

In this case, attackers did not steal money or secret information like credit card numbers, passwords, or social security numbers; only names, addresses, and email addresses were compromised. Yet the stolen information proved lucrative enough for running stock price manipulation schemes that let the criminals amass millions.

Key Insight: Customer data is as valuable as cash

2013 - 2015 Anunak/Carbanak (source, source):

These attacks are representative of a contemporary class of cybercrime illuminating the link between hackers and organised crime.

Between 2013 and 2015 an unidentified group (pseudo-name Anunak/Carbanak group) of cyber-criminals attacked about 50 Russian banks and 5 payment systems. Spending, on average, 42 days from first penetration into the bank’s network to cash-out, they managed to steal about one billion rubles ($25 million). In all these attacks, once the attackers were inside the bank’s network, they sought access to email servers and workflow servers to build a working understanding of their target. They identified banking system administration and operation workstations and ‘interesting’ servers; installed software to monitor user activities (screenshots, video recordings, key-stroke logs) and secured remote access to servers. This phase of the attack was carried out with utmost stealth and the attackers used an arsenal of commercial tools, underground tools, as well as proprietary custom built tools.

The attackers used diverse cash-out mechanisms, often customised to the situation. Known cash-out mechanisms include manually initiated business transactions; manipulation of ATM software to dispense cash on command; fraudulent electronic/online transactions; manipulation of settlement systems to send money to electronic wallets (Web Money, Yandex, QIWI), credit-cards, pre-paid cards, and mobiles.

The number of organised crime groups involved in executing the cash-out and siphoning off the loot was estimated to be two in spring of 2014, this grew to five by autumn 2014. Part of the money was transferred to Ukraine and Belarus. So far, two compromised financial institutions lost their banking license.

Key Insight: Complexity is not a deterrent

2016 Bangladesh Bank Heist (source):

In an as yet most audacious attack, between 4th and 5th February cyber-criminals attempted to steal US $ 951 million from Bangladesh Bank’s (the central bank of Bangladesh) account at Federal Reserve Bank of New York. 30 transactions totaling US $ 850 million were unsuccessful because fraudsters misspelled foundation as ‘fandation’ which made a routing bank suspicious enough to halt the transaction and alert Bangladesh Bank. 5 transactions totaling US $ 101 million actually succeeded, out of which only US $ 20 million were recovered. Of the balance US $ 81 million, the criminals managed to withdraw and launder US $58.15 million from a bank in Philippines.

This attack led to the resignation of Atiur Rahman, Chief Governor of Bangladesh Bank; launch of an international criminal investigation across US, Bangladesh, Sri Lanka, Philippines, and Hong Kong; and threatens reinstatement of Philippines to the blacklist of countries making insufficient efforts against money laundering.

Key Insight: The real threat is from inside

In summary, analysing the actions of cyber-criminals we can readily infer that:

  1. Security protocols will be cracked, reliance on secrecy of security measures is no longer safe;
  2. Large value cash-outs are possible in more ways than one - simultaneous cash withdrawal from ATMs across the globe; transfer to fake accounts - and with Instant Payment round the corner, cyber-criminals are about to get an extra edge;
  3. Customer data is as valuable as cash and in many cases easier to compromise. Now that data breach disclosure is a legal compliance requirement, even a suspected breach could, if mishandled, escalate into a major public-relations issue;
  4. Complexity is not a deterrent. For cyber-criminals, developing an understanding of the internal complexity of banks is an investment they can repeatedly capatilise;
  5. The real threat is from inside. So far, the known compromise of humans had been limited to simple social engineering - targeted email with malicious attachments. However, with proven high return business case, it is not hard to imagine cyber-criminals, perhaps in collusion with traditional organised crime networks, attempting to directly compromise multiple privileged users by coercion, bribery, or black-mail. Such an attack would not only be hard to foil but would also have far-reaching consequences for the targeted bank.

 

Source: Blog where Vikas Munshi publishes