Three Banks Lose Millions After Wire Transfer Switches Hacked

mask.of.sanity writes "Criminals have stolen millions from three unnamed U.S. banks by launching slow and stealthy denial of service attacks as a distraction before attacking wire payment switches. The switches manage and execute wire transfers and could have coughed up much more cash should the attackers have pressed on. RSA researcher Limor Kessem said, 'The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That's when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.'"

Smart Criminals

[Fluffeh]

I like stories like this. If something is done really well and in a clever way (whether it was really being naughty or not) the effort, cleverness and ingenuity should indeed have its merits praised. Slashdot should have more stories like this: Hey, they did a bad thing, but look at just how WELL they did it.

Re:Smart Criminals

[flargleblarg]

I immediately thought of Daniel Ocean when I read TFS.

Re:Smart Criminals

I once stalked a woman for fifty years before making my move. It was a beautifully coordinated attack that required no less than sixty seven coincidences to occur at once. Once I have her isolated, I realized that she was like ninety, so I gave up and left. Kind of a let down. Just one of the downsides of being a vampire I guess.

Re:Smart Criminals

[ls671]

Where do you think those US banks are going to take the money to make it up? In their customer pockets maybe? It's like insurance fraud, shoplifting etc. The end consumer ends up paying for that. We might think; well they already make enough money so, good for them but don't let that fool you. They are going to make up for that to keep investors happy and their stock healthy.

Worse, they may have insurance coverage and insurance companies may raise premium for all banks making sure everybody pays for it.

Sure, it looks nice as a hacker movie scenario although...

Re:Smart Criminals

[jovius]

True, it makes a great read - when nobody is cleverly and ingeniously maimed or killed.

Re:Smart Criminals

[sound+vision]

In that situation, the woman hadn't committed any wrong against the man. Maybe didn't even know him. On the other hand, banks rape the people on a daily basis...

Re:Smart Criminals

They stole from american banks did they really do a bad thing? SO 'criminals' took a few million from the banks.. how much did these same banks probably take from all the people they've fucked over in the past

good for them, and kudos for doing it so well

Re:Smart Criminals

Shoplifting raising prices is a popular myth. Prices are determined by profit maximization. Raising prices will only reduce sales volumes, make the merchandise more attractive to thieves, and hurt profits. Shoplifting hurts the owner(s) of the store and nobody else. Most people with a 401(k) are probably stock holders in a little bit of everything making most investors victims.

Re:Smart Criminals

[narcc]

In this specific case, it's more like a serial rapist finally getting raped.

I miss car analogies...

Re:Smart Criminals

[tuo42]

*clear throat

*taptap...onetwo...thisthingon?...taptap...onetwothree...good

*clear throat again

Ladies and Gentlemen, I present to you: the car analogy for our topic tonight

It's like...with the police behind following you in your car...

blinking left, but taking a right turn!

*badabumm

Thank you, thank you, I'm here all night.

Re:Smart Criminals

[sonamchauhan]

Three unnamed banks. They could be three credit unions who have done you no wrong.

Plus, the more banks r*** people on a daily basis, the more profit bank robbers achieve. Its in their best interest this situation continue.

The banks simply pass on the costs to their customers.

Re:Smart Criminals

[ls671]

Supermarkets have a typical profit margin of 1 to 2%. It means that if you steal 10$ worth of food they need to sell 1000-2000$ worth more to make it up unless they already have calculated the shoplifting costs in their 1-2% profit margin. No store stays open for long without makings profits so your "profit maximization" argument makes no sense.

Any businessman will factor in all costs, like hiring more cashier, security guards, security cameras, utility bills etc. when determining their sale prices, it is economy 101.

The goal for any business is to keep shoplifting as low as possible for the cheapest cost ratio possible in order to be able to keep prices down and maximize profits.

Re:Smart Criminals

[Jesrad]

And so, in the end, it's really the customers that the thieves did fark over, weighted inversely against the efficiency of these customers' bank's security. This is exactly like how, with welfare states, net wealth transfers are averaging to the base amount of voluntary contribution to the wealth pool by participants, minus the losses of doing the transfers ; and at the individual scale those net effects are weighted against the participant's competitive advantage at being a recipient and at avoiding being a contributor. Same mechanics, same dubious morality, same usual victims.

Re:Smart Criminals

Gosh, I didn't even know!

Re:Smart Criminals

[Antonovich]

Sorry, no mod points but +1 anyway!

Re:Smart Criminals

[bobstreo]

Actual supermarket profit margins statistics:
http://answers.google.com/answers/main?cmd=threadview&id=204979

Re:Smart Criminals

[InterGuru]

Another example of the increasing skill requirements for today's work force. 50 years ago the only skills required to rob a bank was the ability to hold a gun and drive a getaway car. Now - sheesh - you have to know how to break into a high security switch.

The average guy has no chance to make it nowadays.

Re:Smart Criminals

[geekymachoman]

End consumer (commoners) always end up paying, one way or another, in all situations. Nothing new there.

Sometimes I think that instead of being a obedient sheep, waking up early, working 10 hours and generally being exploited while barely having enough for comfortable "life", I should turn to let's say.. victimless crime*.
I know this is frowned upon by society, but only because those in power are propagating idea that we should be obedient.. so they can keep all the f money and have less competition.
The banks are criminals, the politicians are criminals, the religious leaders are criminals, insurance companies, pharmaceutical companies, governments, etc. In modern world, they just upped it to a new, modern level. It's not corruption same as in 3rd world country, but it still exist just behind the curtains and/or through loopholes they made for themselves.

I know people that acquired wealth by pillaging (literally), smuggling cigarettes and guns. Now they are respected businessmen that have legal businesses, and are hiring you to work 10 hours a day for them while they propagate the idea that doing anything "illegal" is bad. Exactly the same as those mentioned above are doing.
It's all just to keep you in check and under control. Every each one of them are full of it.

(*) = As a programmer, that would be let's say hacking wordpress sites and selling them to someone or using them to make a profit. System Administrators should be happy. This creates jobs for them.

Re:Smart Criminals

[Mike+Frett]

What's worse is those new fees they attach to recover those lost funds, will be ongoing long after the funds have been recovered from our pockets. It's Corporate Rape against the populous.

Re:Smart Criminals

[ls671]

Don't forget gross margin is not real profit. Net profit margin is. Gross margin doesn't take into account salaries, rent, utility bills, security camera installation and maintenance etc. And of course; lost due to shoplifting.

Re:Smart Criminals

[coofercat]

If you're going to go down for something, make sure it's big. In the case of theft, make sure you're stealing several wasted lifetimes worth of money so that you can afford the legal defence, and eventual breaking out of jail. And you can afford to do the same for everyone involved.

There's no point getting banged up and a criminal record for petty theft.

I'm with you on this - it might be criminal, and it might be taking money from the banks customers, but it sure is a slick manoeuvre.

Re:Smart Criminals

[AmiMoJo]

UK supermarkets make much more than that. The US ones must be doing something wrong.

Maybe on the cheapest lead-in items they make 1-2%, or even a small loss, but there are lots of higher profit items they sell too. The classic rip-off are the "premium" ranges like Tesco Finest which are basically the same shit as their value stuff but in a different packet. Medicine is even worse - if you look at the "PL" code on the box you will see that the cheap own-brand stuff is usually exactly the same as the expensive premium brands, only 1/10th the cost or less. Exactly the same medicine.

Re:Smart Criminals

[ls671]

Profit margin isn't constant from year to year, look at the averages. Some even have negative averages. I would say the average of all the averages is around 1-2% over the years, say 3% if that makes you happy ;-) Oh, and this is from 2009 to 2013. Not a decade ago:
Link 1:
http://ycharts.com/companies/LBLCF/profit_margin
Link 2:
http://ycharts.com/companies/SWY/profit_margin
Link 3:
http://ycharts.com/companies/KR/profit_margin
Link 4:
http://ycharts.com/companies/SVU/profit_margin
Link 5:
http://ycharts.com/companies/WFM/profit_margin
Link 6:
http://ycharts.com/companies/NGVC/profit_margin

Re:Smart Criminals

[Nidi62]

I miss car analogies...

The Ford Pinto plant getting rear-ended and blowing up?

Re:Smart Criminals

[__aaltlg1547]

And that's your justification for stealing money out of my account?

Re:Smart Criminals

[Hatta]

If the banks had a way to extract more money from us, wouldn't they already be doing it? Why would they wait until they were hacked and lost money to raise prices, if they thought it would increase their income?

Re:Smart Criminals

[__aaltlg1547]

Not so. Kroger corporation, which owns a huge number of supermarkets, has a gross profit of 20.3% (basically margin on sales), EBIDTA of 4.6% and net income AFTER interest, depreciation, taxes and amoritiztion of 1.5%. So to make up for a loss (say spoilage or pilferage) of $1 value, they need to sell about $5 worth of product because the interest, depreciation and amortization are FIXED COSTS and the taxes are a combination of fixed costs (such as real estate taxes) and income taxes.

Re:Smart Criminals

[gweihir]

Indeed. And they even were smart enough to not get greedy, the typical downfall of otherwise smart criminals and criminal hackers.

Re:Smart Criminals

[ls671]

I wrote:
" to sell 1000-2000$ worth more to make it up unless they already have calculated the shoplifting costs in their 1-2% profit margin"

which they obviously have, along with other costs. Thank for the clarification anyway ;-)

Also if you look here, you will find out that Kroger as an average net profit of 0.99% for the past 5 years.
http://slashdot.org/comments.pl?sid=4111255&cid=44629005

Re:Smart Criminals

[Nyder]

Supermarkets have a typical profit margin of 1 to 2%. It means that if you steal 10$ worth of food they need to sell 1000-2000$ worth more to make it up unless they already have calculated the shoplifting costs in their 1-2% profit margin. No store stays open for long without makings profits so your "profit maximization" argument makes no sense.

Any businessman will factor in all costs, like hiring more cashier, security guards, security cameras, utility bills etc. when determining their sale prices, it is economy 101.

The goal for any business is to keep shoplifting as low as possible for the cheapest cost ratio possible in order to be able to keep prices down and maximize profits.

http://www.foxbusiness.com/personal-finance/2012/12/20/retail-worst-enemy-their-own-employees/

Says that employee stealing is worse then shoplifters, so it seems that Supermarkets biggest problem is it's own employee's.

Re:Smart Criminals

[ls671]

Sure, but that isn't different in other industries. I have worked for a bank that got 5 millions robbed through computer system manipulation from insiders and they never managed to identify the culprit although they were positive it came from inside. It doesn't make the guys who rob branches at gun point heroes although, even if they rarely get 5 millions and shoplifting is still a cost of doing business for supermarkets.

Re:Smart Criminals

[kilodelta]

So the thin margin is a lie propagated to think we're getting some sort of value. Who would have known.

Re:Smart Criminals

[Dishevel]

Banks only rape he willing.

Re:Smart Criminals

[Trimaxion]

End consumer (commoners) always end up paying, one way or another, in all situations. Nothing new there.

Sometimes I think that instead of being a obedient sheep, waking up early, working 10 hours and generally being exploited while barely having enough for comfortable "life", I should turn to let's say.. victimless crime*.

(*) = As a programmer, that would be let's say hacking wordpress sites and selling them to someone or using them to make a profit.

If you're working a middle class job in western society and you are healthy, your greatest burden is probably deciding what you want to eat for dinner. The standard of living you enjoy is higher than what most people have endured since humans began walking the earth. Your life or the life of someone you love has probably been saved at least once by the pharmaceutical companies you rail against.

And on what planet is "hacking wordpress sites and selling them to someone or using them to make a profit" a victimless crime? That wordpress site belongs to somebody. Perhaps somebody whose life is not as good as yours.

Re:Smart Criminals

[flimflammer]

Same.

Re:Smart Criminals

[flimflammer]

Makes me glad I am not going to live 300 years in the future. You know what they'll be teaching in high schools then? Shit would probably go way over our heads.

Re:Smart Criminals

[virgnarus]

Annnnnnnnd it's gone.

Re:Smart Criminals

[cusco]

My wife has worked in retail for 20+ years, and during that time we've seen a shift from the highest losses moving from internal employee theft to salaries of the top two layers of management. I'm fairly certain that the Walton family, which brings nothing useful to the company and hasn't since Sam stepped down, sucks more out of WalMart (not her employer) than employee theft and shoplifters combined.

Re:Smart Criminals

[DNS-and-BIND]

You seem to be coming at this from some sort of angle that suggests this was ever otherwise. Do you have any proof? Because frankly, we have it better today than we've ever had it in history. When did this theoretical paradise exist?

Re:Smart Criminals

[cusco]

You might find Catherine Austin Fitts' 3-part essay "NarcoDollars for Beginners" on the NarcoNews.com web site interesting. (It has been copied without attribution to other web sites as 'NarcoDollars for Dummies'.) She lays out in pretty undeniable logic why and how **ALL** of the large fortunes in the US today are involved in the drug trade one way or another, some of the ways that money is laundered and the effects it has on our economy and our communities, and some of the mechanisms that our politicians use to exploit it. A bit dated now, but still fascinating.

Re:Smart Criminals

[CODiNE]

And then the cops turn left and are all "Where'd he go? He just disappeared!"

Re:Smart Criminals

[tlhIngan]

Another example of the increasing skill requirements for today's work force. 50 years ago the only skills required to rob a bank was the ability to hold a gun and drive a getaway car. Now - sheesh - you have to know how to break into a high security switch.

The average guy has no chance to make it nowadays.

Not to mention that takes were probably higher in the bad old days as well. Nowadays since it's all numbers in a database, the bank only needs enough cash to cover withdrawals for the day (which aren't that much because most people do their withdrawals from an ATM, or they just use debit/credit and twiddle numbers in a database), so the end result is most bank robberies really only get the robber $10K or less.

Hell, sometimes If you're planning on doing a big withdrawal in cash, you have to give the bank several days notification so they can actually get the bills ready. (If it's just closing your account, they write you a money order or bank draft, which is just a form of database twiddling again).

Re:Smart Criminals

[plover]

Look at it another way: Maybe these are banks that haven't wasted a lot of investor funds on computer security, and instead saved that money and loaned out those funds to turn a bigger profit. Maybe they made more money over the years through loans than they lost in the theft?

Let's say that $45 million would be the profit on about a billion dollars in loans (a very rough approximation, but good enough for this analysis.) Suppose that billion was spread out over a decade. They had to have saved more than $100 million dollars every year on computer security, which is highly unlikely. I guess these banks simply failed at security.

Re: Smart Criminals

[mspohr]

how about a drunk driver crashing and burning.

Re:Smart Criminals

[Krneki]

Or they just dodge taxes so their official profit is minimal.

Re:Smart Criminals

[ls671]

Then, nobody would pay taxes and the government would go bankrupt. A company only pay taxes on profits which is very little. A basic principle in our capitalist society is that only the end user pay taxes. The end user is the cash cow and ends up paying for everything, all the time ;-)

Re: Smart Criminals

[RoknrolZombie]

Give them a couple of weeks. They'll start pulling the same shady shit that the credit card companies pulled - changing late fees and late dates without notice, etc. Remember: These are the assholes responsible for the mortgage collapse...they'll close their doors before they cover the costs, and since nobody gets a paycheck without their help there's not a whole hell of a lot that anyone can do about it.

Re:Smart Criminals

[jonbryce]

But shoplifting increases the cost of doing business, and therefore the profit maximisation point on the supply/demand curve will be at a higher price.

Re:Smart Criminals

[HiThere]

As an earlier post suggested, this may be a number determined by tax laws. If high profits result in high taxes, then the money is likely to be spent on things that, while benefical, reduce the profits. What things are likely to depend on what they can buy from their parent corporation, or from other companies owned by their parent corporation.

N.B.: I'm not asserting that this is true. I am, however, asserting that one shouldn't put too much trust in that number.

Re:Smart Criminals

[slew]

Don't forget gross margin is not real profit. Net profit margin is.

That's a bit like saying salary is not really salary because it doesn't account for utility bills, rents, maintenance, etc. If businesses are to be taxed only on what's left after paying the bills, individuals should be afforded the same luxury and vice versa.

FWIW, for businesses, most taxes are paid on the NET (e.g., income tax, SE tax), but some are paid on the GROSS (e.g., excise/sales tax, business tax/licenses). For individuals where most taxes are paid on the GROSS (income tax and SS tax), but taxes on passive gains (such as investments) are paid on the NET.

One theory is the expenses of a business are like an investment that the business is making in itself to generate revenue. If a business itemizes $2M in "existance" bills to sell $2.1M worth of stuff, they don't pay taxes on $2.1M, only $100K. Most individuals can only subtract the approved expenses for "existance" (basically the standard deduction of $6K or some itemized list of mortgage interest and state taxes and various other minuta)...

Maybe it isn't fair that the government says you probably only should have $6K in bills/expenses to exist, but that's the way it is. That's why many folks try to run a business on the side...

Re:Smart Criminals

[Deliveranc3]

Yea, they probably got cheap on security or personnel. This took a lot of skill to pull off, probably someone feeling undervalued.

If there's a mistake which pisses off one employee a company can probably get away with it (and misunderstandings are bound to happen) but when it chronically mistreats employees it's easy for pissed off employees to find each other.

My bet though, is that this is IBM or Intel syndrome, no one ever got fired for buying from (big name security) so they bought from them for a few years, (big name security) didn't really care about some specific element of (bank) infrastructure and so it slipped through the cracks.

Probably mixed with social-itis, friendly comforting guy who reassures gets position while scary crazy guy who constantly talks about potential problems is overlooked. Banks are pretty much the definition of conservative, chances are erring in this direction led to this problem.

Another option is some poorly implemented additional layer of separation designed to frustrate potential competitors ("We need to run your systems through this alternative implementation, so we can monitor your - entirely different yet, identical needs - yea it'll take a little longer and you'll have to pay us higher fees... are you sure you wouldn't rather open a "BIG BANK" franchise? Together we could really optimize home loan and transfer profits *Wink*!")

Re: Smart Criminals

[Deliveranc3]

The mortgage collapse happened because 1/3 of America doesn't realize that 2/3 of America is in the shitter.

Politicians pressured banks to get people homes and offered incentives, banks seeking these incentives invented loans that didn't make any sense and hired people unethical or stupid enough to sell them.

Banks being denied traditional means of income (think small business loans, venture capital, development loans) moved into the financial instruments industry where a whole bunch of people who didn't realize how little they actually understood derivatives (it's a little like insurance for investments coupled with transitional timings) decided they could move ship fulls of money through home loans, when a bunch of overseas investors who DID understand derivatives decided to eat them for lunch.

Re:Smart Criminals

[david_thornley]

Depends. The banks are already ideally making as much off you as they can, and raising fees will drive business to other banks. The shareholders take the hit in this case. If this were to become widespread, everybody would raise fees, and the banks would take in more money. The demand for banking services is quite inelastic, so industry-wide price changes will bring more revenue in, but there's competition among banks.

stealthy?

[phantomfive]

slow and stealthy denial of service attacks

I don't think a DOS can be stealthy......if it's denying service, are people going to notice?

Re:stealthy?

If nobody's around when the DOS is being executed, did it really happen?

Re:stealthy?

[morcego]

slow and stealthy denial of service attacks

I don't think a DOS can be stealthy......if it's denying service, are people going to notice?

A stealthy DOS is when the attack looks like a normal occurrence, and not an attack. It is not the DOS that is stealthy, it is the attack or, rather, the reason for the lack of service.

It is a very neat thing, actually. Say you have a very long, segmented fence. There are 1000000 segments, and every day 1 of those will break and stay broken for 10 seconds. You can't explore that, because it is random, and you can't try all 1000000 segments in 10 seconds. However, if you can force the dice and make a specific segment tail, you can be there and exploit it, because you know which one and when. To the external observer, however, it was just a normal, run of the mill segment fail.

It is the same concept. The failure is there, they notice it, but it is done in such a way they don't notice it is an attack.

Re:stealthy?

[phantomfive]

They don't notice the increase (or sharp decrease) in traffic?

Re:stealthy?

[cheater512]

Woosh.

No they don't notice that the real attack is different from the previous 'fake' attacks.

Re:stealthy?

Old magician and pickpocket trick, first get their attention focused in a given direction, then do whatever you please right under their nose. Thousands of variations but essentially the same thing and variant skills. Easiest people to con are greedy thieves.

Re:stealthy?

unless it was an inside job.,,

Knowing that the current banking environment is more like Vegas and the people involved have less ethics than a toad, then it likely was an inside job.

Re:stealthy?

[bactus]

A DoS should be stealthy if the purpose is to e.g temporarily get a part of the system to accumulate transactions.
The resulting queue can then be manipulated before stopping the DoS

Re:stealthy?

[Jesrad]

Stop giving toads such a bad reputation, thanks.

Re:stealthy?

DOS can be very stealthy if you don't have drivers for your sound card. Well, except for the noise of your floppy drive, of course. ;-)

Re:stealthy?

[higuita]

what if they are requesting heavy pages? what if they slowly increase the load for several hours/days? you can see a increase, but don't care much, it looks like normal users , a natural increase of traffic ... only after it keep increasing or is sustain for a long period you start to be alert. And even that you may point finger to a deploy made a few minutes/hours/days ago that might have change the site load distribution ( you may test for errors before deploying, but load factor is harder to test, specially on complex sites)

Re:stealthy?

[phantomfive]

Well, if the load isn't heavy enough to deny access (or cause problems), then it's not a DOS. If the load is heavy enough to deny access, then if you think it's normal usage, you will buy more servers

Re:stealthy?

[plover]

A better analogy would be a case of an actual bank burglar. There was a guy (many decades ago) who found a way to set off a specific burglar alarm sensor at a local bank. Every night at 2:00 AM or so he would do whatever it was to trip the alarm, then quickly sneak away. He'd watch the cops arrive, shine their flashlights around, find nothing, then leave. After repeating this pattern for a couple of weeks, the cops stopped showing up after the alarm was tripped. He then broke into the bank.

Re:stealthy?

[higuita]

agree, but the problem is the load increasing slowly... the site starts to get slower and slower, moving the admin minds away from a DoS (that usually is a spike in load) to a internal problem (a bad query to the DB, some internal timeout, locks or cluster problems, etc) or a external high profile link (slashdot effect, some viral marketing/joke/news). The site may even still be working, no need to really to put it offline, just overload it enough so the admins will have to investigate what is happening. When the admin start looking for the incoming requests and internal load and access to investigate the problem, the attacker are diverting the admin attention away from the real attack (on the switch in this case)

Re:stealthy?

[phantomfive]

Hmmmm that's a possibility

Something

[Impy+the+Impiuos+Imp]

I must be missing something -- did these people transfer it to an account then go withdraw millions in cash quickly? Or did it take months for it to be discovered?

I can't conceive of any other way that would insulate against a reversal, no matter how many accounts and banks around the world they forwarded it to. Even Swiss banks go along with obvious criminality investigations nowadays.

Re:Something

[cheater512]

You assume that banks have full referential integrity. I.e. Every transaction must have a source and destination account, and both accounts can be verified from their server.
If they don't then you just say it got sent to another bank where they can't verify the destination, then send another transaction to a different bank for the same value.

Or if you really want to cause hell, just change numbers. Make money appear from nowhere or make it vanish.
You can't stop the world's banking networks and replay each transaction to verify them,

Re:Something

[jxander]

You assume the banks actually WANT to catch the criminals. They'll just use this as an excuse to fleece their customers. "We're now adding a $1/month anti-wire-payment-switching fee to all accounts." Add a little spin, and the cost is there to protect YOU, Mr or Mrs Customer ... and there you have it. The millions stolen will be reimbursed in short order. After that, it's pure profit.

Re:Something

[Somebody+Is+Using+My]

They'll just use this as an excuse to fleece their customers. "We're now adding a $1/month anti-wire-payment-switching fee to all accounts."

But first, they need to collect from the insurance companies.
And then they need a government subsidy to help protect their infrastructure in the future
Next, they'll re-negotiate costs with their partners who failed to protect them ("Why are we paying you so much? If you want to keep us as your customers then we need to talk price. Oh, no need to actually fix anything; we'll keep the current service... we'll just pay less")
THEN they can add a fee to squeeze more from the customers.

That's why banks are the true visionaries of capitalism.

Re:Something

[internerdj]

I'm pretty sure the banks are pretty good at catching criminals. They just don't tend to do with them what we would expect...

Re: Something

[AvitarX]

If the market will bare that fee, why are they waiting? Shouldn't they already be charging the most fees possible without loosing customers?

Re:Something

[jonbryce]

They transfer the funds to money mules who then transfer it to them using Western Union or similar. It is the money mules who end up losing out when the fraud is discovered. The transfer to them gets reversed, leaving an overdrawn account, but withdrawing the money as cash to take to a Western Union shop isn't a reversible transaction.

Re: Something

[jxander]

A "crisis" like this will increase what the market will bear. A new threat, a new boogieman. Quick QUICK! Pay me extra money. Wire-swap-man is gonna get ya! Think of the children!!

Re: Something

[AvitarX]

Aside from the /. and banking crowd, does anyone even know about this?

And now to our resident expert:

Ok, where's the dude who's done decades of banking work who will tell us all why this was inevitable?

Re:And now to our resident expert:

[muphin]

He's currently in jail for speaking up against the banks, ya know.. letting those terrorists know about the loopholes so they can exploit it

Re:And now to our resident expert:

[91degrees]

As a dude who's done decades of banking work, this was inevitable, because uhm... something to do with 1970's infrastructure or something.

In real life

In reality, criminals and spies don't use high-tech equipment to break-in to facilities. They use inside knowledge, which this sounds like. Although it required a highly educated criminal to use it. I think this is the price of a well-trained work-force that is slowly down-sized. Hasn't a lot of the previous 12 months been about the lack of built-in security in networked devices? Both deliberate omission and that driven by penny-pinching.

Re: This is spectacular

No problem.... Just send me your bank details.

Banks...

[Dj+Stingray]

..will just use this as an excuse to hold your money even longer. Thanks Obama.

Unsigned transactions?

[dutchwhizzman]

You can put authorization codes in transactions, but if they aren't digitally signed, you can alter them in transit. Maybe banks should start exchanging signing keys and not transfer authorization codes?

Re:Unsigned transactions?

[Bob+the+Super+Hamste]

You forget that those sorts of things costs money and will never show a profit so why would they do that sort of thing.

A little too easy - sadly

[PerformanceDude]

These attacks are actually a little too easy to effectuate. The drive to outsource to third world countries and lack of training for local staff means that they are all a prime target for a social engineering attacks. It does not take a lot of organised resources to then create the requisite diversion for the often overwhelmed security staff and you have a big win in the pipeline. Of course it requires some skill, but nothing more than a course or two at Blackhat USA will give you. If you also have the benefits of the funds of a large Russian crime syndicate and the personal "motivation" that flows from that, along with an almost zero risk of prosecution due to jurisdictions - hell - why wouldn't you go for it?

The bottom line is that we need to harden up our defences more and more. We may even have to disconnect essential financial infrastructure from the internet and bring it back onto a completely private network that it costs a substantial amount of money to join and be authenticated to. It should come with the proviso that any device connecting to it, could also not be connected to the internet or an unknown intranet device at the same time. This would not be bulletproof, but it would substantially reduce the risk.

Re:A little too easy - sadly

[b4upoo]

Perhaps a 24 hour hold on all transfers would take care of much of the problem. By having a built in delay any institution could judge normal traffic by running software designed to notice unusual transfers. It is rather like a credit card situation. Many card holders are very consistent if shopping close to home exclusively. So why not have software that red flags when a person suddenly seems to be hundreds of miles away and have stores carefully check IDs or get a phone conversation with the card company. After all, they do have purchase histories that should indicate habits of spending.

Re:A little too easy - sadly

[clickclickdrone]

Did you really just use the word effectuate?

Re:A little too easy - sadly

[Sleuth]

Seems like they did.

Halarity ensues...

[MobSwatter]

Crooks robbing crooks...

You be amazed

[LordWabbit2]

You would be amazed - or maybe shocked - to see some of the banking systems out there. I have worked for several financial institutions and their systems are usually very very old legacy crap stuck together with bubble gum and faith. One place was dealing with 70% of the countries financial messaging and they were not using transactions, if there was a problem (and there often was) messages were lost. Asked if I could change it to use transactions, couple lines here, couple lines there.
NO.
Why?
Cost to test would involve the entire country and would cost millions.
OK.
So they are still losing messages.

Re:You be amazed

[game+kid]

Too big to fai^Wrepair.

Re:You be amazed

[neurovish]

You would be amazed - or maybe shocked - to see some of the banking systems out there. I have worked for several financial institutions and their systems are usually very very old legacy crap stuck together with bubble gum and faith. One place was dealing with 70% of the countries financial messaging and they were not using transactions, if there was a problem (and there often was) messages were lost. Asked if I could change it to use transactions, couple lines here, couple lines there.
NO.
    Why?
  Cost to test would involve the entire country and would cost millions.
    OK.
  So they are still losing messages.

How much do the lost messages cost the company?

Re:You be amazed

[cusco]

Even the internal staffing standards are ridiculous. I worked as a minimum wage Kelly Services temp for a time and ended up with a five month assignment to the trust department of a fairly large midwestern bank while the regular admin was on maternity leave. Two weeks after I started one of the trust managers gave me a list of several million dollars of checks to write as they were dissolving a large trust. I objected, "Rod, I'm just a temp. Are you sure I can do this?" Sure enough, not only did I have permissions to write checks and do transfers of over a million dollars, but the other admin decided to go to lunch and leave me alone in the office while I did it. And here we had closed our bank account in Peru just a few months earlier . . .

I had an instructor for Windows Server Security whose day job was doing pen tests of financial institutions. When they would arrive on a site and set up in a conference room he would unpack their equipment while his partner would get on the phone calling branch offices. "Hello, this is George, the new guy on the HelpDesk. I need to make some changes on the network equipment in your office, but I don't have the login details and my coworkers are at a benefits meeting. Since your branch manager has sufficient permissions can I ask a really big favor and get his login info?" In two years of pen testing he never failed to acquire branch manager credentials from at least one office by the time the equipment was even unpacked and set up.

Re:You be amazed

[Life2Death]

Few lines of code to have them lost into your bank account here, a few there. Testing is free!

uhh....what banks!!??!!

[spinninnzen]

Why has there not been any information as to which banks were involved. That's kind of important. regardless if this directly impacts a customer or not I would like to know if it was my bank...

Re:uhh....what banks!!??!!

[phantomfive]

You can feel confident that your bank is also running a lousy, hackable system as well. Most banks do.

Great. Just great

[WindBourne]

These banks run the crappiest OS and security systems. Then when they are cracked, they do not want it known who they are, BUT, we taxpayers will be on the hook for these idiots that refused to run secured systems.

You would think that at this time, that they would be smart enough to limit the internet's transactions, to being slower than what it takes to process the security issues.

Re:Think outside the box!

[gagol]

Tired of malware? Start WWIII, pissing off the rest of the planet will sure resolve all your problems.

Re:Think outside the box!

I do not think

you should have stopped there

Re:You know I really love

[pslytely+psycho]

From the article....
"The researchers said fraudsters were using Dirt Jumper, a $200 crimeware kit that launches DDoS attacks, to draw bank employees' attention away from fraudulent wire and ACH transactions ranging from $180,000 to $2.1 million in attempted transfers."

Sounds like theft to me. Now granted it says "attempted transfers," but, I think someone made themselves very rich while only giving the banking system a minor scratch. A few million is pocket change in the land of banking.

Re:Still in many products you pay 300-400%

[ls671]

I wrote:
"Any businessman will factor in all costs", especially if they only make a 1-2% profit margin.

There is just too many middle men taking cuts along the way but this is a different topic. Local agriculture and buying local is one solution to that topic. Do you practice it? It sure beats shoplifting as a solution.

https://en.wikipedia.org/wiki/Local_food

Re:This is spectacular

[maliqua]

Yeah a few thousand more of these and the banks can finally receive an adequate fine for the crimes they committed a few years ago since the government doesn't have the balls to do it.

too much money

[zaax]

If this was a normal hold-up and they stole millions the police etc would be all over the place, but not so with this heistb and the owners of the bank wwould be on the phone to the local polcie cheif every 10 minutes, therefore it sounds like the bank can afford to loose this amount of money.

Re:Unless the man's a complete idiot

[Captain+Hook]

It's not superman without Lex Luther.

Bait and ...

[giorgist]

Bait and ... hit the switch ... lights out

No senior exec is going to be held accountable

[140Mandak262Jamuna]

No matter what happens, some one else faces the consequences, when it comes to these banks. There is bad security, bad implementation, total lack of understanding of how their systems could be breached. They will fire a few techies, for poor security. But the bigwigs drawing big salary, even their bonus would not be touched. May be they will get more bonus for taking a firm stand and firing these techies who show up to work in jeans and ear rings.

Even when they lie through their teeth to sell junk as gold to others they don't end up in jail. We all will pay, through more bank fees, more insurance costs, more taxes to bail them out. And they will dance all the way to their own private bank.

Which banks?

[realsilly]

I hate when an article eludes to a point but never actually provides the full disclosure details.

Which three US banks?

Re:Can someone explain...

[ixuzus]

If the money is still in the account, no. But if the bank that received the transfer has transferred that money out of the jurisdiction or exchanged that record in a database for a briefcase full of large denomination notes they're not going to be particularly keen on rolling the original transaction back.

Just a test of viability?

[Elisanre]

Are there any indications pointing to that this was just a trial run for something bigger or just prudent crooks that took what they could get away with?

Convenient Scheme

[Kanopy]

Banks have been looking for ways to make money since there was such a thing as a bank. Who's to say that the banks didn't engineer this little event so that they could keep the money they stole from themselves (clients) and get reimbursed by the insurance companies to fill the coffers back up again?
If the switches are that difficult to hack, then just maybe it was an inside job.

Ancient Everything

[bill_mcgonigle]

I happened to be at a bank yesterday, inquiring about a bank transfer. Turns out it was cheaper for me to get a bank check and overnight it than it would be to do a bank transfer, and the bank transfer wasn't even guaranteed to be complete within 24 hours.

The young teller thought the system was as odd as I did ("hey, I just work here") and was more interested in asking me about nuclear transmutation in star formation than banking (my strange little world...) but I have to assume that when the banks are 20 years behind Western Union and Walmart that their systems are too. I wouldn't expect 20 year old systems to be robust against attack and it would surprise me if they put much effort into otherwise defending them.

Re:Ancient Everything

[asylumx]

It's faster for me to write my wife a check and have her deposit it via her mobile phone than it is for me to do a direct transfer from my account to hers. Sad, isn't it? The first takes about a day for the money to clear, the second takes upwards of five days.

Re:Ancient Everything

[phantomfive]

FWIW if you have a local branch of their bank near you, then you can go deposit a check in their account for free. That's usually the best way to transfer money, I've found.

Re:Ancient Everything

[cusco]

We mail a debit card for our account to my in-laws in Peru. Doing an international bank transfer used to cost $30 (probably more now), took 4 days to 4 weeks (twice they sent it to a branch in the wrong city, once to the wrong country), and $10 + 1% to withdraw there. Didn't matter if it was $100 or $5000. A cash machine withdrawal for up to $500 costs us $2 here plus $1.50 there, and as many as three withdrawals can be done in a day.

Re:Ancient Everything

[bill_mcgonigle]

Cool tip, thanks. Not relevant in this case, but we do have a few national banks in the area and it might come up again.

Prime Risk

[clickclickdrone]

Sounds like some crooks watched the old 80's movie Prime Risk. Except they probably didn't use an Atari 800/810 combo for hacking.

Re:Still in many products you pay 300-400%

[Bob+the+Super+Hamste]

He probably doesn't because that takes too much effort and planning. I find you also get better quality if you buy locally since the farmers catering to that market know that their customers expect a higher quality product. The example I use is my father's friend who raises cattle, we pay the farmer for the beef and pay the butcher for the processing and it comes out to be about the same price per lb as the really cheap crappy ground beef but we get good ground beef, steaks, roasts. I have seen some meat that is somewhat comparable at the grocery store but it seems obscene to pay $10/lb for ground beef when I cut out the middle men and pay just under $4/lb and get all the cuts and ground beef.

Re:FDIC

[ls671]

I guess only if the bank goes bankrupt and cannot reimburse the account holders...

https://en.wikipedia.org/wiki/Federal_Deposit_Insurance_Corporation#Resolution_of_insolvent_banks

NSA

[fuzzywig]

And this is why the NSA is monitoring all the internet traffic in the country, to stop things like this happening. Except it didn't work very well this time did it?

RE: NSA

[xdor]

How do you know? It may have worked perfectly. The nice thing about monitoring all the Internet traffic in the country, is one has access to all the Internet traffic in the country.

Maybe some clandestine government operating budget needed a little walking around money. See Swordfish.

Re:NSA

[minstrelmike]

And this is why the NSA is monitoring all the internet traffic in the country, to stop things like this happening. Except it didn't work very well this time did it?

Or maybe this is one way the NSA gets around the sequestration, get 20% of their budget back and then they won't have to lay-off 90% of their sysadmins ;-)

Re:Still in many products you pay 300-400%

[Bigbutt]

You mean over at the Farmer's Market where the fruits and vegetables are significantly higher than they are over at Safeway? Eating local like eating organic isn't cost effective (comparing the costs of the two, not the long term costs of poor health due to eating GM food, etc).

[John]

Security and fraud teams the same?

[chronoglass]

Seriously? What bank has that setup?
you can distract the "security" team until the cows come home (even having just 1 "security" team.. that could be distracted is a bit.. odd here)

this is where having specialist in security are required for doing business. Layered defense.
the security team dealing with the DDOS and the security team watching the wire transfer systems should have been alerted when their respective domains were affected.
then when money starts going to the wrong places, a wire fraud team would be involved. if the money was coming from business accounts vs personal accounts, vs high value accounts, vs what have you.. each of those respective fraud and security teams would be working towards their own mitigation.

no.. these had to be small banks/credit unions without a proper layered defense.. OR a very very serious APT/collusion attack.

Re:Still in many products you pay 300-400%

[HiThere]

An interesting point. There is NO POSSIBILITY of ANYONE knowing the long-term costs or benefits of eating GMO products. In fact the entire concept is probably wrong, because it's likely that some GMO products will have positive benefits, some negative, and the majority neutral. Occasionally one can point to some specific benefit, as in golden rice, but even that may well be associated with long term costs that we don't know about.

Worse than that, the information about what the costs and benefits are is given to us selectively by groups that have biased opinions. Most of them will significantly benefit if the GMO products are deemed beneficial. So they tend to suppress studies that don't show them as beneficial, and promote studies that show them as beneficial. Given that, how much do you trust the available information? Why?

Mind you, I do understand that many of the changes LOOK as if they should be neutral for consumers. This isn't proof, and we are looking at complex systems. The only proof would be long term studies. And for most (all?) of the products there hasn't been time, even if they had been initiated at the time the GMO organism was developed.

Anecdotal evidence indicates that the wheat used in France is less likely to lead to allergic reactions than the wheat used in the US. There hasn't been a large enough study to demonstrate that this is a real phenomenon, but I've met two people who assert that it is true for them. When the visit france they can eat the local bread, but in the US bread produces an allergic reaction. (I'm not being specific as to which allergic reaction, because I'm not sure what's going on. It could be preservatives or something rather then the GMO wheat. That would require a good study, which hasn't, as far as I know, been done.)

Re:Unless the man's a complete idiot

[HiThere]

What will he tell the IRS? That could get tricky. And if he doesn't pay his protection money, the feds could get impatient with him.

He'd better have really thought things through.

Re:Brecht anybody?

[HiThere]

I would guess, without checking, that the quote is from Stalin. If so, I deny that he was ever a communist. He was a gangster, who was also good at political manipulation. Even the government he was manipulating wasn't communist, though it was trying, at least officially.

FWIW, there has never been a communist group ruling more than a small village. This is because the system doesn't scale at all well, and only works when EVERYONE knows EVERYONE. (Not everyone needs to be trusted, but you need to know how much trust to give to everyone.) Even Oneida didn't work after it got too successful. I think that was mainly a problem of size, but it could also have been wealth. Perhaps communism only works amoung groups that are really poor, as I can't think of any counter-examples.

Marx was trying to scale up something that doesn't scale well. For a really small group it may well be a nearly optimum choice. (The best, of course, is the "good king" model, but this requires a terminally violent recall method if the current kind ceases to be good.)

Tracing the Transfer

[nuckfuts]

When money is stolen like this, it must be transferred to an account somewhere. Why is it not a simple matter to trace where the funds were transferred to and go after them?

Re:Tracing the Transfer

[david_thornley]

AIUI, that's one of the big problems. It's possible to get the money untraceable, but that generally means having some fall guy do it for you, so you're limited by the availability of fall guys.

"Look, sir, here's a cashier's check for $110K. You deposit it, wait until it clears so there's no risk to you*, then just pass off $100K as we direct and keep the remaining $10K for your trouble."

*This is the lie here; cashier's checks are traceable and can clear as far as the fall guy can tell long before they're traced.

According to a story on /. a long time ago, this sort of robbery is basically robbing the fall guys. One problem, of course, is that people who will fall for this trick may well not have $100K in assets to pay the bank back.

Re:You know I really love

[pslytely+psycho]

yes, you fail to comprehend the meaning of:

"meant to divert the attention and resources of banks away from fraudulent wire transfers simultaneously occurring."

Complexity, banking tech and could computing

[ZoltanPapp]

Hi ! Maybe need to move over to simpler systems more difficult to hack. Online security is growing year by year. I can't imagine a hack, or difficult against online, server based service. More than likely, they did not use the proper technology to defend themselves, this is my opinion. Looks like a hack of an old banking system. Sure i would think about putting my money there too. No doubt. Zoltan

Re:Still in many products you pay 300-400%

[Bigbutt]

Sorry, I was trying to fend off the "GM Food!1!1!!!" replies.

[John]