Three Banks Lose Millions After Wire Transfer Switches Hacked

← Back to Stories (view on slashdot.org)

Three Banks Lose Millions After Wire Transfer Switches Hacked

Posted by Soulskill on Tuesday August 20, 2013 @06:09PM from the we're-all-choked-up,-really dept.

mask.of.sanity writes "Criminals have stolen millions from three unnamed U.S. banks by launching slow and stealthy denial of service attacks as a distraction before attacking wire payment switches. The switches manage and execute wire transfers and could have coughed up much more cash should the attackers have pressed on. RSA researcher Limor Kessem said, 'The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That's when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.'"

23 of 179 comments (clear)

Min score:

Reason:

Sort:

Smart Criminals by Fluffeh · 2013-08-20 18:15 · Score: 5, Insightful

I like stories like this. If something is done really well and in a clever way (whether it was really being naughty or not) the effort, cleverness and ingenuity should indeed have its merits praised. Slashdot should have more stories like this: Hey, they did a bad thing, but look at just how WELL they did it.

--
Moved to http://soylentnews.org/. You are invited to join us too!
1. Re:Smart Criminals by Anonymous Coward · 2013-08-20 19:06 · Score: 5, Funny
  
  I once stalked a woman for fifty years before making my move. It was a beautifully coordinated attack that required no less than sixty seven coincidences to occur at once. Once I have her isolated, I realized that she was like ninety, so I gave up and left. Kind of a let down. Just one of the downsides of being a vampire I guess.
2. Re:Smart Criminals by ls671 · 2013-08-20 19:17 · Score: 5, Insightful
  
  Where do you think those US banks are going to take the money to make it up? In their customer pockets maybe? It's like insurance fraud, shoplifting etc. The end consumer ends up paying for that. We might think; well they already make enough money so, good for them but don't let that fool you. They are going to make up for that to keep investors happy and their stock healthy.
  Worse, they may have insurance coverage and insurance companies may raise premium for all banks making sure everybody pays for it.
  Sure, it looks nice as a hacker movie scenario although...
  
  --
  Everything I write is lies, read between the lines.
3. Re:Smart Criminals by narcc · 2013-08-20 19:54 · Score: 3, Funny
  
  In this specific case, it's more like a serial rapist finally getting raped.
  I miss car analogies...
  
  --
  Required reading for internet skeptics
4. Re:Smart Criminals by tuo42 · 2013-08-20 20:08 · Score: 5, Funny
  
  *clear throat
  
  *taptap...onetwo...thisthingon?...taptap...onetwothree...good
  
  *clear throat again
  
  Ladies and Gentlemen, I present to you: the car analogy for our topic tonight
  
  It's like...with the police behind following you in your car...
  
  blinking left, but taking a right turn!
  
  *badabumm
  
  Thank you, thank you, I'm here all night.
5. Re:Smart Criminals by bobstreo · 2013-08-20 22:10 · Score: 3, Informative
  
  Actual supermarket profit margins statistics:
  http://answers.google.com/answers/main?cmd=threadview&id=204979
6. Re:Smart Criminals by geekymachoman · 2013-08-20 22:30 · Score: 3, Insightful
  
  End consumer (commoners) always end up paying, one way or another, in all situations. Nothing new there.
  Sometimes I think that instead of being a obedient sheep, waking up early, working 10 hours and generally being exploited while barely having enough for comfortable "life", I should turn to let's say.. victimless crime*.
  I know this is frowned upon by society, but only because those in power are propagating idea that we should be obedient.. so they can keep all the f money and have less competition.
  The banks are criminals, the politicians are criminals, the religious leaders are criminals, insurance companies, pharmaceutical companies, governments, etc. In modern world, they just upped it to a new, modern level. It's not corruption same as in 3rd world country, but it still exist just behind the curtains and/or through loopholes they made for themselves.
  I know people that acquired wealth by pillaging (literally), smuggling cigarettes and guns. Now they are respected businessmen that have legal businesses, and are hiring you to work 10 hours a day for them while they propagate the idea that doing anything "illegal" is bad. Exactly the same as those mentioned above are doing.
  It's all just to keep you in check and under control. Every each one of them are full of it.
  (*) = As a programmer, that would be let's say hacking wordpress sites and selling them to someone or using them to make a profit. System Administrators should be happy. This creates jobs for them.
7. Re:Smart Criminals by ls671 · 2013-08-20 22:46 · Score: 3, Insightful
  
  Don't forget gross margin is not real profit. Net profit margin is. Gross margin doesn't take into account salaries, rent, utility bills, security camera installation and maintenance etc. And of course; lost due to shoplifting.
  
  --
  Everything I write is lies, read between the lines.
8. Re:Smart Criminals by ls671 · 2013-08-21 00:10 · Score: 3, Informative
  
  Profit margin isn't constant from year to year, look at the averages. Some even have negative averages. I would say the average of all the averages is around 1-2% over the years, say 3% if that makes you happy ;-) Oh, and this is from 2009 to 2013. Not a decade ago:
  Link 1:
  http://ycharts.com/companies/LBLCF/profit_margin
  Link 2:
  http://ycharts.com/companies/SWY/profit_margin
  Link 3:
  http://ycharts.com/companies/KR/profit_margin
  Link 4:
  http://ycharts.com/companies/SVU/profit_margin
  Link 5:
  http://ycharts.com/companies/WFM/profit_margin
  Link 6:
  http://ycharts.com/companies/NGVC/profit_margin
  
  --
  Everything I write is lies, read between the lines.
9. Re:Smart Criminals by Hatta · 2013-08-21 00:59 · Score: 3, Interesting
  
  If the banks had a way to extract more money from us, wouldn't they already be doing it? Why would they wait until they were hacked and lost money to raise prices, if they thought it would increase their income?
  
  --
  Give me Classic Slashdot or give me death!
stealthy? by phantomfive · 2013-08-20 18:17 · Score: 4, Informative

slow and stealthy denial of service attacks

I don't think a DOS can be stealthy......if it's denying service, are people going to notice?

--
"First they came for the slanderers and i said nothing."
1. Re:stealthy? by morcego · 2013-08-20 18:33 · Score: 5, Interesting
  
  slow and stealthy denial of service attacks
  I don't think a DOS can be stealthy......if it's denying service, are people going to notice?
  A stealthy DOS is when the attack looks like a normal occurrence, and not an attack. It is not the DOS that is stealthy, it is the attack or, rather, the reason for the lack of service.
  It is a very neat thing, actually. Say you have a very long, segmented fence. There are 1000000 segments, and every day 1 of those will break and stay broken for 10 seconds. You can't explore that, because it is random, and you can't try all 1000000 segments in 10 seconds. However, if you can force the dice and make a specific segment tail, you can be there and exploit it, because you know which one and when. To the external observer, however, it was just a normal, run of the mill segment fail.
  It is the same concept. The failure is there, they notice it, but it is done in such a way they don't notice it is an attack.
  
  --
  morcego
Something by Impy+the+Impiuos+Imp · 2013-08-20 18:30 · Score: 4, Interesting

I must be missing something -- did these people transfer it to an account then go withdraw millions in cash quickly? Or did it take months for it to be discovered?
I can't conceive of any other way that would insulate against a reversal, no matter how many accounts and banks around the world they forwarded it to. Even Swiss banks go along with obvious criminality investigations nowadays.

--
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Re:And now to our resident expert: by muphin · 2013-08-20 18:39 · Score: 5, Funny

He's currently in jail for speaking up against the banks, ya know.. letting those terrorists know about the loopholes so they can exploit it

--
It's not a typo if you understood the meaning!
Unsigned transactions? by dutchwhizzman · 2013-08-20 19:09 · Score: 3, Interesting

You can put authorization codes in transactions, but if they aren't digitally signed, you can alter them in transit. Maybe banks should start exchanging signing keys and not transfer authorization codes?

--
I was promised a flying car. Where is my flying car?
A little too easy - sadly by PerformanceDude · 2013-08-20 19:11 · Score: 4, Interesting

These attacks are actually a little too easy to effectuate. The drive to outsource to third world countries and lack of training for local staff means that they are all a prime target for a social engineering attacks. It does not take a lot of organised resources to then create the requisite diversion for the often overwhelmed security staff and you have a big win in the pipeline. Of course it requires some skill, but nothing more than a course or two at Blackhat USA will give you. If you also have the benefits of the funds of a large Russian crime syndicate and the personal "motivation" that flows from that, along with an almost zero risk of prosecution due to jurisdictions - hell - why wouldn't you go for it?
The bottom line is that we need to harden up our defences more and more. We may even have to disconnect essential financial infrastructure from the internet and bring it back onto a completely private network that it costs a substantial amount of money to join and be authenticated to. It should come with the proviso that any device connecting to it, could also not be connected to the internet or an unknown intranet device at the same time. This would not be bulletproof, but it would substantially reduce the risk.

--
Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
Halarity ensues... by MobSwatter · 2013-08-20 19:21 · Score: 5, Funny

Crooks robbing crooks...
You be amazed by LordWabbit2 · 2013-08-20 19:21 · Score: 5, Interesting

You would be amazed - or maybe shocked - to see some of the banking systems out there. I have worked for several financial institutions and their systems are usually very very old legacy crap stuck together with bubble gum and faith. One place was dealing with 70% of the countries financial messaging and they were not using transactions, if there was a problem (and there often was) messages were lost. Asked if I could change it to use transactions, couple lines here, couple lines there.
NO.
Why?
Cost to test would involve the entire country and would cost millions.
OK.
So they are still losing messages.

--
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
1. Re:You be amazed by cusco · 2013-08-21 03:59 · Score: 4, Interesting
  
  Even the internal staffing standards are ridiculous. I worked as a minimum wage Kelly Services temp for a time and ended up with a five month assignment to the trust department of a fairly large midwestern bank while the regular admin was on maternity leave. Two weeks after I started one of the trust managers gave me a list of several million dollars of checks to write as they were dissolving a large trust. I objected, "Rod, I'm just a temp. Are you sure I can do this?" Sure enough, not only did I have permissions to write checks and do transfers of over a million dollars, but the other admin decided to go to lunch and leave me alone in the office while I did it. And here we had closed our bank account in Peru just a few months earlier . . .
  
  I had an instructor for Windows Server Security whose day job was doing pen tests of financial institutions. When they would arrive on a site and set up in a conference room he would unpack their equipment while his partner would get on the phone calling branch offices. "Hello, this is George, the new guy on the HelpDesk. I need to make some changes on the network equipment in your office, but I don't have the login details and my coworkers are at a benefits meeting. Since your branch manager has sufficient permissions can I ask a really big favor and get his login info?" In two years of pen testing he never failed to acquire branch manager credentials from at least one office by the time the equipment was even unpacked and set up.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Re:You know I really love by pslytely+psycho · 2013-08-20 20:40 · Score: 4, Informative

From the article....
"The researchers said fraudsters were using Dirt Jumper, a $200 crimeware kit that launches DDoS attacks, to draw bank employees' attention away from fraudulent wire and ACH transactions ranging from $180,000 to $2.1 million in attempted transfers."

Sounds like theft to me. Now granted it says "attempted transfers," but, I think someone made themselves very rich while only giving the banking system a minor scratch. A few million is pocket change in the land of banking.

--
Donald Trump, on a crusade to make Nixon look respectable
No senior exec is going to be held accountable by 140Mandak262Jamuna · 2013-08-20 22:57 · Score: 3

No matter what happens, some one else faces the consequences, when it comes to these banks. There is bad security, bad implementation, total lack of understanding of how their systems could be breached. They will fire a few techies, for poor security. But the bigwigs drawing big salary, even their bonus would not be touched. May be they will get more bonus for taking a firm stand and firing these techies who show up to work in jeans and ear rings.
Even when they lie through their teeth to sell junk as gold to others they don't end up in jail. We all will pay, through more bank fees, more insurance costs, more taxes to bail them out. And they will dance all the way to their own private bank.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Ancient Everything by bill_mcgonigle · 2013-08-21 01:23 · Score: 3

I happened to be at a bank yesterday, inquiring about a bank transfer. Turns out it was cheaper for me to get a bank check and overnight it than it would be to do a bank transfer, and the bank transfer wasn't even guaranteed to be complete within 24 hours.
The young teller thought the system was as odd as I did ("hey, I just work here") and was more interested in asking me about nuclear transmutation in star formation than banking (my strange little world...) but I have to assume that when the banks are 20 years behind Western Union and Walmart that their systems are too. I wouldn't expect 20 year old systems to be robust against attack and it would surprise me if they put much effort into otherwise defending them.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Tracing the Transfer by nuckfuts · 2013-08-21 07:22 · Score: 3, Insightful

When money is stolen like this, it must be transferred to an account somewhere. Why is it not a simple matter to trace where the funds were transferred to and go after them?