Bank Hackers Steal Millions Via Malware

An anonymous reader writes: When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem. Instead, they found the ATMs were just the tip of the iceberg. The bank's internal computer systems were completely compromised, and in addition to the slow but steady siphoning of funds through physical machines, a criminal group was quietly transferring millions of dollars into foreign bank accounts. A report set to be published on Monday shows the attack extended to over 100 banks in 30 nations.

"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms." Kaspersky Lab is unable to name the banks involved because of non-disclosure agreements, and no banks have come forward to acknowledge the breach. "The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing."

The Best Way to Rob a Bank is to Own One

[Shakrai]

William K. Black

Re:The Best Way to Rob a Bank is to Own One

[ColdWetDog]

Second best way is to impersonate the person that owns one. Sounds like what these guys did. However, according to TFA they were very patient and methodical, leading up to the assertion that they were 'cybercriminals' rather than state actors. Of course, the last time this weird dichotomy came up, the attackers were state actors because they were so patient and thus weren't plain ol criminals.

Sounds a bit clueless to me. Given the level of information we get from fine articles such as this, I have to wonder just what, if anything at all, really happened.

Best thing about the article is Sergey Golovanov's T-shirt.

Re:The Best Way to Rob a Bank is to Own One

[datavirtue]

Thanks for the link.

Re:The Best Way to Rob a Bank is to Own One

[Shakrai]

Second best way is to impersonate the person that owns one. Sounds like what these guys did. However, according to TFA they were very patient and methodical, leading up to the assertion that they were 'cybercriminals' rather than state actors. Of course, the last time this weird dichotomy came up, the attackers were state actors because they were so patient and thus weren't plain ol criminals.

I'm not usually given to CTs but I am just cynical enough about the banking industry to wonder if some of this isn't an inside job. Certainly not all the way to the top, those asshats have golden parachutes and legally steal^Wearn their inflated salaries, but at the mid-level? It's not that much of a leap to wonder.

Re:The Best Way to Rob a Bank is to Own One

[datavirtue]

Banks are one of the most antiquated troglodytes on the planet. It goes to the root of the governments who are essentially run by the banks more or less. There is little drive to provide better services to consumers as the entire payments and clearing industry is mired in something I would dare call (old) "technology." There are very few players, invisible to consumers and far outside thee average consumers' intellectual reach the system, very simple, seems complex and magical. It is not. It is an old, crusty, dusty, farty mechanism rooted in the 1800s at best. The innovators are hamstrung by politics and regulation, almost happy to be so because this monopolistic club is very profitable. One of the greatest achievements AND ills of mankind is the current (certainly not modern) banking system.

Re:The Best Way to Rob a Bank is to Own One

[yuhong]

I wonder what would happen if government made all banks non-profit or something list that.

Re:The Best Way to Rob a Bank is to Own One

[yuhong]

I wonder what would happen if governments made all banks non-profit or something like that.

Re:The Best Way to Rob a Bank is to Own One

[Opportunist]

I think that would be a communist paradise, because then the last entities that make a profit won't make one anymore either.

Re:The Best Way to Rob a Bank is to Own One

I wonder what would happen if governments made all banks non-profit or something like that.

Credit unions?

Re:The Best Way to Rob a Bank is to Own One

This is speculative, but hear me out:

1. Take note of the origin: Russia/Ukraine, this is also a hotspot for "hacking"
2. Likely someone was working at the bank for over a year and "activated" said malware, or brought it in themselves.
3. The lack of separation between the internet and the business network is astounding. It's also very common. e-commerce platforms (eg eBay) often have nothing stopping gmail/hotmail sending or receiving data to be run on the local machine, nor block any attachments of software/data stolen from inside the network.

Often corporate policy is "DO NOT FACEBOOK" and "DO NOT USE YOUR PERSONAL EMAIL" from the business machines. It doesn't stop people from using their cellular-connected toys however. Sometimes those devices are plugged into the desktop to charge... and that's when the payload can be pushed onto it.

Like it seems to me that the future may require some modification to desktops so that once the mouse and keyboard are plugged in, all the cables and ports are not reachable. There was a call center I worked at that did just this. However the supervisory machines were not locked down. All the machines allowed outside internet access too, which ... was pretty stupid on their part, but necessary to do the job since the instruction manuals to the devices sold were not available from the local network.

Re: The Best Way to Rob a Bank is to Own One

[hackwrench]

You mean get rid of banks and have only credit unions?

Re:The Best Way to Rob a Bank is to Own One

[minstrelmike]

...Of course, the last time this weird dichotomy came up, the attackers were state actors because they were so patient and thus weren't plain ol criminals....Sounds a bit clueless to me.

That's because according to all the rabid wannabe economists here on slashdot, if you're a government, you don't need to break into a bank to steal money. In the Sony break-in, there was no actual money to be stolen. Those Hollywood accountants are really good ;-)

"Why stop at one?"

[smittyoneeach]

"Why stop at one?" asked the Federal Reserve.

Re:"Why stop at one?"

[rubycodez]

Robbing is a legal concept, the federal reserve has never robbed.

Re: "Why stop at one?"

Robbing is a word and has more meanings beyond the law.
The FED is robbing from its creation.

Re:"Why stop at one?"

[fustakrakich]

:-) Don't you mean the IMF?

Re:"Why stop at one?"

Robbing is a legal concept, the federal reserve has never robbed.

No, the Federal Reserve robs the American People. It's a little step up from what your garden variety bank does.

Re: "Why stop at one?"

You need to go back to school and learn the meanings of the word robbery.

Re: "Why stop at one?"

[blue+trane]

Th Fed is not taxpayer-funded. It gives its profits to the Treasury. It is mandated to work in the public interest. Saying the Fed robs anyone is hyperbolic paranoia.

The Fed was created to do what the private banking system was already doing: provide liquidity in a crisis. No one wanted J. P. Morgan to bail the country out again as he did in 1907, because there were too many conflict-of-interest issues (Morgan deciding to help his friends and hurt his enemies).

The Fed is not perfect but it can learn. It learned from the Depression that its defense of the gold standard and reluctance to commit to expansionary monetary policy prolonged the depression. So this latest time, it has been more expansive.

In the future, it should learn to bail out people instead of banks. Even Conservative darling Kenneth Rogoff thinks that would have been the best policy.

Re:"Why stop at one?"

[blue+trane]

The Fed creates money, why would it need to rob? Note that the dollar has gained strength: the more dollars the Fed creates, the stronger it gets.

Re:"Why stop at one?"

[blue+trane]

True! The IMF has the power to create money too but it doesn't, instead imposing draconian austerity measures on countries that don't work. The IMF is a killer, robbing countless Greeks of their lives.

Re: "Why stop at one?"

Yes, it pays interest it receives from the treasury on the treasury notes that it purchases from the treasury back to the treasury as profits. Thus it lets the treasury print money. So it is complicit in a robbery. Unless you don't believe that printing money is a form of a robbery. It does rob everyone else who got the money without printing it.

Re: "Why stop at one?"

[ganjadude]

It learned from the Depression that its defense of the gold standard and reluctance to commit to expansionary monetary policy prolonged the depression.

Really? Im pretty sure that politics had more to do with the prolonging of the great depression. I know FDR likes to get credit for it, but truth is he made things worse, it wasnt until war was around the corner that we actually started to come out of it

I have yet to hear anyone talking about the feds role in things, do you have any reading suggestions?? Id love to look into it more

Re:"Why stop at one?"

[ganjadude]

by creating money, it makes our money worth less, hence the robbery

Re: "Why stop at one?"

You need to go back to school and learn the meanings of the word robbery.

You didn't say what you thought the meaning of the word "robbery" is.
For the edification of the others, I'll point out that the word "robbery" means theft by force or threat of force, and done in the presence of the victim.

One can claim that the Federal Reserve is stealing or that it is committing larceny, but I am not aware of any instance of the Federal Reserve using force or the threat of force to take money from people.

Re: "Why stop at one?"

Are you forgetting they also destroy old money too?
Yes, you are.

Re: "Why stop at one?"

[vlad30]

You might consider it robbery but you didn't have to borrow the money I consider those who expect government handouts to be thieves but no one is arresting them after all they are stealing my hard earned tax dollars

Re: "Why stop at one?"

[G-forze]

Someone stole your punctuation marks.

Re:"Why stop at one?"

[smittyoneeach]

By all means include them, if you can catch Dominique Strauss-Kahn in a moment when clad.

Re: "Why stop at one?"

Try to go against the FED and you will know for sure what force means.

Re: "Why stop at one?"

[hackwrench]

What makes you think that simply creating money makes yours worth less? I mean, do you curse all the cryptocurrency creators for making your money worth less?

Re: "Why stop at one?"

[ganjadude]

are they creating more money than they destroy? if the answer is yes my statement is still correct. and that has been the case since we got off the gold standard

Bitcoin Unaffected

Bitcoin Unaffected.

Buh buh buht... uhhh... yeah... Damn. Bitcoin Unaffacted. That's all I can say.

Re:Bitcoin Unaffected

[beelsebob]

Right, because no one has ever stolen bitcoin by hacking into a computer and emptying accounts... oh wait...

Re:Bitcoin Unaffected

[blue+trane]

If this happened to bitcoin, people would have lost money. Thanks to insurance, no bank customer was robbed.

Re:Bitcoin Unaffected

[ganjadude]

that depends. I know at most banks it will say things like "garenteed up to 100K or something along those lines. I would hope if one had more money than the limit, they would spread it to different accounts but no, people could lose real money over this

Re:Bitcoin Unaffected

Bitcoin is 100% unhackable if you know what you're doing. It's really not that hard.

Re:Bitcoin Unaffected

oh you naive little sheep.

It's not "hackable", but it is stealable. And if you have the source code to it, you can also fork it, and sell unusable bitcoins to people who can't trade with others. Hence bitcoin has a "rot" problem.

Re:Bitcoin Unaffected

Thank banks are 100% un-hackable if THEY know what they're doing, too. You're relying on fantasies.

Why are we protecting these guys?

[Okian+Warrior]

The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.

Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.

Re:Why are we protecting these guys?

Because that might cause a run on the bank, potentially driving them to default, which would hurt their creditors, clients, and might trigger a chain reaction. "Too big to fail" at work.

Re:Why are we protecting these guys?

[fustakrakich]

Why are banks allowed to do this?

Because the customers let them. They are welcome to withdraw their money on mere suspicion. We already know that the big banks are criminal organizations, yet nobody is closing their accounts. Too inconvenient for one thing. So, here we are.

Re:Why are we protecting these guys?

"... Really the police try to protect the banks - and everything else is secondary ...."

SUBURBAN MONASTERY DEATH POEM
by d.a.levy
http://www.thing.net/~grist/l&...

Re:Why are we protecting these guys?

[Opportunist]

Any bank, literally ANY bank, can be driven out of business if there is as much as a hunch that they are unable to pay.

Quite seriously, no bank on this planet has any liquid assets worth mentioning. If the average manufacturing company had that much unsecured foreign capital floating about, they'd be liable for delayed filing of insolvency.

Re:Why are we protecting these guys?

[TheReaperD]

For the answer on why we don't reveal this information read up on the 1929 bank failures. For the tl;dr crowd: There's a very good reason that we don't say which banks are having problems because they get ran out of business quickly (often within hours) and everyone that didn't make it in time looses their money. It happened in 1929 in the U.S. and it destroyed our economy for a decade.

Re:Why are we protecting these guys?

[vm146j2]

yes. does this help people who believe stuff like "you can vote with your wallet" understand that they are working with a flawed model of the world? sadly, no.

Re:Why are we protecting these guys?

[Okian+Warrior]

For the answer on why we don't reveal this information read up on the 1929 bank failures. For the tl;dr crowd: There's a very good reason that we don't say which banks are having problems because they get ran out of business quickly (often within hours) and everyone that didn't make it in time looses their money. It happened in 1929 in the U.S. and it destroyed our economy for a decade.

Are you saying people would actually lose money if their bank went under? That there's no FDIC (Federal Deposit Insurance Corporation) or other safeguards? Are you saying that the federal reserve wouldn't overnight a truckload of cash if there was a run on the bank?

Are you saying that banks can do a slip-shod job, have no repercussions, and this is a *good* thing?

Just as GM can lose business by making a faulty ignition switch, banks should lose business when they lose the public trust.

Banks SHOULD lose business if they screw up.

Re: Why are we protecting these guys?

LOL. 1929. It's not 1929 anymore. Most of our money is fucking digital now. They can simply transfer your balance and be done.

Re:Why are we protecting these guys?

Any bank, literally ANY bank, can be driven out of business if there is as much as a hunch that they are unable to pay.

Quite seriously, no bank on this planet has any liquid assets worth mentioning. If the average manufacturing company had that much unsecured foreign capital floating about, they'd be liable for delayed filing of insolvency.

You are right that a run on a bank would be difficult for any bank, but to say that no bank has any liquid assets worth mentioning isn't quite right, in EU the new requirement is that all banks have to have more than 10% of its total capital in liquid assets.

Re:Why are we protecting these guys?

Because banks exist -- and have always existed -- to make money by investing their customers' deposits under the assumption that the amount they are investing will not exceed the amount that customers may wish to withdraw at any given time -- you know; a run on the bank.

There is a maximum percentage of deposits that banks are allowed, by Federal legislation, to invest at any given time, defined as Leverage. Beginning in the 80s under the Reagan administration, republican congresspeople and republican appointees to financial regulatory agencies began dismantling the protections against bank failures that had been put in place after the Great Depression, including (among a large number of other moves) hugely increasing the permitted Leverage amount. This is only one of the many changes the Republicans introduced which undid decades worth of protections and directly caused the financial collapse we are still enduring.

Re:Why are we protecting these guys?

[Opportunist]

...for varying definitions of liquid. Those "liquid" assets are not cash in a big safe vault.

Re:Why are we protecting these guys?

[TheReaperD]

You do realize who picks up the tab when the FDIC has to bail out a bank right? The answer is you and me. I agree the banks should be punished for bad behavior but, history has taught us that standard capitalist repercussions are bad for the economy as a whole and different solutions to the problem need to be used.

Re: Why are we protecting these guys?

[TheReaperD]

You obviously have no idea how this works. Your balance is NOT transferred because there is no one to guarantee that whoever takes over the debt (the money the bank owes its account holders) will get paid so, no one will accept the debt. The FDIC then has to step in, take over the deposits, loans, etc. and then sell them to a bank at a huge loss, that is picked up by the taxpayer, and pay any portion of the deposits that fall short up to a maximum of $100,000; again at taxpayer expense. Banks should be punished but, this method doesn't work because the American people pick up the bill one way or the other (either through higher taxes or an economic depression). This was true in 1929 and is still true today.

Re:Why are we protecting these guys?

You think those guys actually tell the truth about market value of their assets?

Re:Why are we protecting these guys?

No, history didn't teach you that. Bank marketing and propaganda programmed that into your head. Those guys are nothing but terrorists who try to inflict as much damage on everyone else when they're going to experience hardship. They need to be held accountable for their actions so that other banks will fall in line and clean up their act. Messy for a period, yes, but the flip side is much worse, and that's what's happening now.

Is nothing Hackproof?

[rmdingler]

Is it likely that defenses employed by banks (and other market segments) will need to be downgraded to hacker-resistant in the same vein that things are now fire-resistant instead of fireproof?

It became clear to me years ago that I could only make something fool-resistant, since as soon as I imagined foolproof had been achieved, they kept making a better fool.

My takeaway: The most devilishly clever security system, devised by the most gifted programmers, in a scenario where money was no object, can still be compromised because of the human user element in the implementation of the system.

Re:Is nothing Hackproof?

...devised by the most gifted programmers...

There's your problem.

You want security, have it designed by someone that specializes in breaking things, not making them.

Re:Is nothing Hackproof?

[CaptainDork]

The most devilishly clever security system, devised by the most gifted programmers, in a scenario where money was no object, can still be compromised because of the human user element in the implementation of the system.

Banks don't have any of that shit. That's the problem.

Re:Is nothing Hackproof?

[Opportunist]

Yes, it is possible to create a hack proof system. Is it economically feasible? That's the real question here.

And here even the old metric of risk assessment goes out the window. No, seriously. We're talking about a mission crippling threat (or, in simple terms, "if it happens, we're fucked"), something that usually is required to protect against. For the obvious reason, if it happens, we're done for. Like a rocket engine on a space ship, you want one that DOES work no matter what because if it for some odd reason does not work, you're fucked. You want it well designed, preferably with dozens of fallback systems and spare parts around, despite all of this being heavy and shit but you know that you NEED that thing. More than any scientific instrument you might want to take along because all of it is nixed if you can't get your precious payload up into space and maybe even back down to earth.

Now of course there's even a limit to that. In security terms, the cutoff is where security costs more than what you protect because it's economically nonsense to spend more on protecting something than losing it would cost you. To stay in the comparison above, when your engine gets so heavy that it can't lift itself anymore, you've overdone it.

But all this is academic cerebral masturbation material for risk assessment enthusiasts and rocket engineers because what happens here and now is something that is bullshit all the way up to the sky and back. It's the good old schoolyard metric of "but the others do it too". And whoever said that managers are just little petty kids who refuse to grow up should get some sort of prize for economy because he's not only absolutely right but also identified what the fuck's wrong with economy today.

What happens here is that security goes out the window as soon as there is someone else in the market who shits on security, because they don't know better, because they think they know better than their risk managers (who they hired for whatever reason if they don't want to listen to them) or because the greedy part of their brain took an unhealthy marriage with the stupid part and decided that their bonus is heaps bigger if they go with the security metric that we all know well from the times when we played hide and seek as a kid, where you close your eyes and hope really hard that if you can't see them they can't see you and that they'll simply forget that you're there and hopefully find someone else to pick on.

And whoever had that great idea first is what I'd like to call "Asshole 0", as in "Patient 0" of a pandemic. Because now everyone else had to follow the same shitty idiocy because else their financial results would have looked worse. You see, security is one of these things that you can argue rather badly towards shareholders. It's nothing you can pretend to be an asset, it's nothing that leaves any kind of shit stain on the balance like the near bankrupt Generistanian bank you gobbled up for more than it's ever been worth in its entire existence where you bullshit your shareholders into thinking that you were the only one who had the vision to foresee how it will be the next big thing in investments Really Soon Now (tm).

Money you spend on security is simply gone. And if you can't point to two big towers that were mistaken for landing strips by well meaning towelheads you can't even present a strawman that would burn for more than a nanosecond to argue that expense with people who know shit about IT and will complain that that whole computer crap was sold to them with the promise that they can fire another few thousand people if they only cram enough of that blinkenlight stuff into some room. And now you come and say that they should spend a metric fuckton of money because it's "insecure"? Now, that can't be, the consultant who told us all about how much money we can save with computers and then was even so friendly to shovel a load of them into our rooms sure would have told us, right?

And look over there, that other bank that is run by Asshole 0

Re:Is nothing Hackproof?

[Livius]

...because of the human...

But we're talking about banks.

This is a clear example of why Bitcoin won't work.

[grnbrg]

..... Wait, what?

Oh. Nevermind then.

Trace the Transfers?

[chill]

So shouldnt' they be able to trace the transfers to the destination accounts? And continue doing so until the money is withdrawn?

Hell, even in places like Kazakhstan they don't have pallet loads of $100 bills waiting around for people to withdraw millions in cash. And you don't really walk into a bank ANYWHERE in the world and pull out millions in cash from a newly opened account without tons of ID, paperwork, being on cameras, access to large armored trucks, etc.

I'm familiar with the concept of mules and blinds, but for a scheme so sophisticated it sounds suspicious to use low level mules to pull out millions in cash. Multiple points of failure/discovery.

How the hell do they get the actual money OUT?

Re:Trace the Transfers?

How do we know it's not the US government using it to clandestinely fund groups like ISIS so they have an excuse to go into Syria? Wouldn't be any worse than the Iran-Contra affair.

Re:Trace the Transfers?

[rmdingler]

How the hell do they get the actual money OUT?

Bypass encryption from a Country not beholden to cooperate with the U.S. Sadly, the list is growing.

Here's the craziest part of the whole story. One of these banks may not have cashed a check I had, made out to me... by my employer ... who rented office space out of the same building, simply because I was one shy of three IDs.

$Tens of millions U.S. leaves out in the night without any real-time human authentication.

Re:Trace the Transfers?

You've essentially described the entire industry of money laundering.

There's a couple of easy-to-think of ways, kind of in order of sophistication:

1) Use the assets as collateral for a loan

2) Use a front business that you invest in, with no expectations of the actual investment being repaid, but where a chunk of the profits of the business are funneled back to you "off-the-books". Businesses that deal primarily in cash (restaurants/bars/clubs, many 'personal service' operations, etc.) are particularly useful for this, as it's easy to set aside the cash receipts in a mostly untraceable way.

3) Use the money to manipulate the price of other assets (think penny stock pump-and-dump schemes - where your "clean" money buys in, your "dirty" money helps to inflate or deflate the price, and then your "clean" money exits the market and pockets the gain. This tends to be somewhat risky, overall... cornering even small markets for a time is very challenging.

There are more ways, but fundamentally, it's all about using the money to pay someone else that's unrelated to you, and them providing valuable goods or services to you in a way that's hard to automatically trace. The hard part is finding people you can appropriately trust to do this for you without taking the money and running off with it... because you can't exactly call the cops about someone stealing your stolen money.

Re:Trace the Transfers?

I bet it was the Koch brothers, to pay GOP astroturfers such as yourself.

Re:Trace the Transfers?

[Opportunist]

That last part is easy. You can always trust people who know that you'll break their legs if they betray you.

Re:Trace the Transfers?

[HiThere]

I don't think those ways would work for this magnitude of theft. The "Cayman Islands" approach is much more plausible. Or using some government's intelligence agency to launder it.

Re:Trace the Transfers?

Sounds more like the left starting a donation drive for another failed attempt at Billary becoming prez.

Re:Trace the Transfers?

As someone who has worked vulnerability analyst in the biggest banks in the US. The security is well just not there. Ever seen 300,000 vulnerabilities on one network? I have. What would it take to get this cash out? Cracking a VPN from the 80's with 56 bit encryption. Bang! your in one of the flattess networks you ever seen. Sure there are firewalls between the DMZ and internal servers but the firewall rules are any any. Unpatched machines like Windows 2000, Red Hat 2.4 and Solaris8. Once in their network you would have the ability to move cash around through private networks to where no one could trace where it went.

Since working there I now only keep enough cash in my account to pay bills. Everything else gets turned into cash and kept in a safety deposit box.

Everyone "thinks" their money is in the big vault at their bank when the truth is it is stored in a cradboard box with holes all in it. You need to remember your money isn't in 100 bills at the bank it is 1s and 0s in an insecure datadase. Shifting data well thats trival you don't need a pallet jack to move data. Doesn't take mules and blinds to steal just a smart person with a laptop.

I've been waiting on this article to be published.

Yes I am Anonymous Coward I don't want to get sued.
Yes this is how their name doesn't get leaked.... NDA. I know I signed one.

Re:This is a clear example of why Bitcoin won't wo

..... Wait, what?

Oh. Nevermind then.

The money comes out of "a" bank not individual accounts, the bank will cover the loss, who will cover stolen Bitcoins?

Re:This is a clear example of why Bitcoin won't wo

[rubycodez]

dollars in a bank can be insured, how's that bitcoin insurance industry doing?

Two words

Quantitative Easing

Re:Two words

[blue+trane]

The money for quantitative easing was created, not taxpayer-funded. No robbing took place. The Fed, however, should have forgiven the mortgage defaults of the mortgages it bought, instead of letting banks continue to foreclose.

Re:Two words

[lgw]

Printing money like crazy is just a different kind of robbing. But the Fed actually was more clever than that. They printed $2 Trillion while incenting banks to deposit $2 Trillion in reserves with the Fed, thus enabling the government's spending addiction without expanding the money supply. That part was clever. What happens once banks decide to start investing that money they have parked with the Fed is anyone's guess.

Did the Fed invent a new way to support deficit spending in a downturn, or a new way to destroy a currency through hyperinflation? Only time will tell, but kudos for at least trying something new.

(BTW, the Fed didn't buy so much in the way of direct mortgage debt as it did complicated mortgage-backed securities of dubious value. The Fed shouldn't have bailed out anyone. Every single bank involved in those securities should have been allowed to collapse (nothing of value would have been lost), and everyone who signed for a mortgage they couldn't possibly pay deserves bankruptcy. It's not like we have debtors prison: you're clear of bankruptcy after a few years, and maybe learn a thing or two about living within your means in the widow when you can't borrow money.

Re:Two words

[Shakrai]

The money for quantitative easing was created, not taxpayer-funded.

How'd that work out for the Wiemar Republic?

Do note that I'm a knee-jerk anti-Fed zealot, I think most of those people are hopelessly naive at best. It just remains to be seen whether or not QE is a long term success or simply masked fundamental structural problems that will re-emerge at a later date. It's worth noting that our cheap money policy has virtually destroyed every form of investing other than stocks; I can't find any "safe" investments that can keep pace with inflation right now, can you? Wall Street sure is profiting from QE, I'm not so certain about Main Street. This is a very disturbing trend that few people are talking about, one that we're not likely to reverse so long as there's no incentive (near 0% interest rates) to save money and every policymakers response to a recession is "consume, consume, consume!"

Mark your calendar and we'll come back to this discussion in 10 or 15 years to find out what happened.

Re:Two words

[Shakrai]

It's not like we have debtors prison: you're clear of bankruptcy after a few years, and maybe learn a thing or two about living within your means in the widow when you can't borrow money.

I've never understood the opposition to bankruptcy, as seen in our political debates on topics ranging from health care to the mortgage crisis. Perhaps I'm somewhat jaded because I've gone through Chapter 7 twice (once for medical bills, the second time for divorce); there was literally nothing to the experience, 20 minutes in an assembly line legal hearing, a few months of waiting, and presto! New start. Chapter 13 is a bit more drawn out, 3 to 5 years depending on your repayment plan, but even that isn't a terribly burdensome ordeal if your lawyer has half a brain.

Corporations engage in stratgeic bankruptcies all the time but it's somehow the end of the world if a consumer has to file Chapter 7 or 13? I've grown cynical enough watching our rigged financial system that I'm tempted to engage in a repeating cycle of strategic chapter 7 bankruptcies until the day I die. Why the hell not? You can park limitless amounts of money in retirement accounts that can't be touched, buy tangible goods on credit that can't be or aren't worth being repossessed, and milk those fucking "too big to fail" banks for every last penny you can get out of them. All you need is a little bit of estate planning, knowledge of the credit system and bankruptcy code, and the willingness to see your name in the paper every eight years.

I doubt I'll actually do this but boy there are days when it's incredibly tempting. Spend a few years rebuilding your credit, get insanely huge credit lines, live off them for a few years while parking as much real money into exempt retirement accounts as you can, bankruptcy, rinse and repeat. I had nearly ten times as much money as I owed to my creditors in my 403(b) and IRAs during my last bankruptcy and that fact was completely irrelevant. All that mattered was I couldn't pay them with my income. At least our financial system does something right for the little guy.

Re:Two words

[drinkypoo]

The money for quantitative easing was created, not taxpayer-funded. No robbing took place.

Wait, what? When they print more money, all of my money is now worth less. They robbed everyone. Of course, it's irrelevant to the obscenely wealthy, who cannot live long enough to spend all their money.

Re:Two words

[TheReaperD]

Most industrialized economies are designed to be ran with continual inflation. Central banks around the world consider 1.5-3.0% annual inflation to be ideal with 2.0-2.5% to be the sweet spot. The only time you hear about inflation is when it gets outside this range. Capitalist(ish) economies usually suffer a near collapse or total collapse when the currency hits 0% inflation or starts to deflate. Because of this, the money you keep always devalues and always will as long as we keep this economic model. I've never understood the rant against the intentional push for inflation that happened after the 2008 recession in the U.S. All that did was return inflation to the "safe" range. Both Bush and Obama supported doing this so it isn't even a Democrat/Republican issue. (Note to all the "gold standard" junkies: This happens with gold and silver too! ...and its price is more volatile. Our economy was designed to roughly mimic gold and silver without having to lug it around and have more control over the inflation.)

Now, if you hate the inflation based economic system in general, that's another matter. No, going "back to gold" will not change this. See reason above. Barter was the only real system we had in the past that didn't suffer from this design. I think that there can be better systems but, it would take someone much smarter than me to design one and have it work for a global economy. (We're talking Nobel prize territory here.)

Re:Two words

[jader3rd]

I think that there can be better systems but, it would take someone much smarter than me to design one and have it work for a global economy. (We're talking Nobel prize territory here.)

That sounds like what turned Brazil's economy around. How Fake Money Saved Brazil

And, basically, inflation did end, and the country's economy turned around. In the years that followed, Brazil became a major exporter, and 20 million people rose out of poverty.

Re:Two words

[thrich81]

There are two US government bonds you can buy which by definition keep pace with inflation as defined by the Consumer Price Index:
TIPS -- from https://www.treasurydirect.gov...:
Treasury Inflation-Protected Securities, or TIPS, provide protection against inflation. The principal of a TIPS increases with inflation and decreases with deflation, as measured by the Consumer Price Index. When a TIPS matures, you are paid the adjusted principal or original principal, whichever is greater. TIPS pay interest twice a year, at a fixed rate. The rate is applied to the adjusted principal; so, like the principal, interest payments rise with inflation and fall with deflation.
or you can buy I-bonds: Series I Savings Bonds are a low-risk, liquid savings product. While you own them they earn interest and protect you from inflation. You may purchase I Bonds via TreasuryDirect or with your IRS tax refund.
The world is awash right now in investment money looking for a safe place to earn interest, with more demand than supply of safe interest bearing instruments the returns are going to be small.

Re:Two words

Adding money to the federal reserve system DOES expand the money supply; through fractional reserve. More reserves means more lending and more deposits. Those deposit accounts are part of the money supply. Even if no currency is being generated, more money is being generated.

Re:Two words

You're doing it right.

Why should the banks care?

With the Fed loaning them money at 0% and their government lackeys ready to bail them out at the drop of a hat, does $300M really matter to them? $300M barely qualifies as material to their financial statements.

thanks for sharing kapersky

[chasm22]

Boy what a freaking scam these security firms are engaged in these days. "Gee, we can tell you what happened but that million dollar 'hush' money payout they gave us precludes us from offering any REAL protection to everyone else.

Re:thanks for sharing kapersky

[Vlad_the_Inhaler]

Not quite. That particular malware makes it into their database so other customers should be slightly safer.
I'm not sure how effective this anonymity through obscurity is though, presumably people in Kiev know which bank's ATMs randomly regurgitate cash. It will also have been reported so Ukranian (or Russian) speakers will be able to use Yandex or Google.

Re:thanks for sharing kapersky

No it called an NDA if you want the job you must sign one. After you sign it and you talk you will be sued into your next life. Its not hush money it is a pay check. You want real protection do what I did pull your money out of the bank into cash and rent a safety deposit box. The vault is secure the database ins't

So easily?

reluctance of banks to concede that their systems were so easily penetrated

Just because their systems were penetrated, doesn't mean it was easy. Why downplay the skill involved?

Re:So easily?

Have you seen the lame excuses that pass for modern bank security nowadays ?
Banks are like other institutions, they don't give a rat's ass about cyber security.

Re:So easily?

[CaptainDork]

This.

And, banks aren't alone.

Cyber security will only happen after litigation kicks in.

Re:So easily?

[Opportunist]

Huh? Why should cyber security be different from any other legislation concerning companies?

Whether a corporation does something to protect against something that could be considered negative depends on three things: Cost to implement it, cost if bad thing happens, likelyhood of bad thing happening.

Laws and fines are part of the "cost if bad thing happens" part.

Re:So easily?

[CaptainDork]

No.

Your criteria fail to explain why businesses (US) have sprinklers, fire extinguishers, fire exits, fire retardant furnishings and fire-specific building codes ... all backed by ordinances.

Only after many lives were lost and much litigation did these become "the cost of doing business."

Re:So easily?

[Opportunist]

Because insurances get cheaper if you have those things, and by more than their cost, and the fines for not having them if they are required by law are higher than the cost to have and maintain them.

That's basically the reason. Certainly not because any of the peons slaving away in there matters. Any of them can be replaced by any others.

Bank of America?

[Etherwalk]

The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.

Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.

Because they signed a nondisclosure agreement, and because people are afraid of defamation lawsuits.

It is worth noting that Bank of America just had a five-day IT outage/upgrade/etc... during which their credit card interfaces had limited data, etc... It may be unrelated, but... it was for *five days*.

It may well be unrelated--credit cards v. bank accounts and all that--but it may not be. That's a *really* long time to do the public part of upgrading a system.

Anyway, it's all insured (don't read the stuff about losing your online banking password too closely), and you can always sue if they tried not to cover you, so it's not worth a run on any banks unless they start losing a lot more. At least they're paying attention.

Re:Bank of America?

I thought they HAD to be named, or at least a report will make it evident in 6 months or so.
IF the crackers they had full walk of the accounts, I doubt it you could be certain all unlawfully stolen money was returned.
If this was not some third world bank, the customers who were not notified, and who discover money missing or re credited - where's the class action?

Has the CIO been fired yet? Any lines hidden in the annual report to mislead shareholders?

Re:Bank of America?

Outage is for an upgrade, largest one BoA has ever had.

Spyware and malware

[pigsycyberbully]

Most of the malware problem is white listing. Spyware and malware are using government spyware signatures which are white listed by virus scanners. If you run a well-known keylogger and network spyware software it is white listed by virus scanners. Recently the poor quality antivirus product McAfee, was listing network monitoring software ( Surveillance ) by its actual name even when it was in zip format. No other virus scanning products does. No doubt within a few weeks McAfee, will no longer name it. If you mess with the governments they will come and get you and they will kill you. no virus signature scanning company is going to mess about with what ever government.

Re: Spyware and malware

[Marginal+Coward]

Although I enjoy a good conspiracy theory as much as the next guy, I can't figure out why McAfee, which is based in the US, and Kaspersky, which is based in Moscow, would work together to conceal each others' government spyware from us via some sort of universal white list. You'd think everybody would have a different white list to serve their own governments' conspiracies.

Hey...wait a minute...I just realized how naive I've been not to have realized that all world governements actually are conspiring together to oppress us. Now that's one whoppin' good conspiracy!

Re: Spyware and malware

[HiThere]

The thing is, your "one whoppin' good conspiracy!" is correct, except that you included one word too many. You should have said: "Hey...wait a minute...I just realized how naive I've been not to have realized that all world governements actually are conspiring to oppress us. Now that's one whoppin' good conspiracy!" Only the word "together" makes it incorrect. But sometimes some of them cooperate. (OTOH, I do accept that the secrecy is enforced contractually in this case. )

Re: This is a clear example of why Bitcoin won't w

Large amounts of money are covered by the FDIC who gets their money from the treasury who gets their money from the Federal Banks who can print money stealing from any one who owns US dollars. Increasing the money supply is a hidden tax on everyone so everyone will pay for this crime.

Robust versus Secure

[eyepeepackets]

The internet was designed to be amazingly robust, able to successfully get a message through a nuked-out infrastructure -- point A to point Z via any number of non-predetermined intermediate points. It was not designed to be secure because such security wasn't deemed necessary to the completion of the mission of getting a message to point Z from point A regardless the damage inbetween the two points.

What security it does have has been bolted on after-the-fact much like bolting a wind spoiler onto a Volkswagen Beetle. and with pretty much the same comical effect. "Secure" internet will require some serious redesign at the various hardware and sofware levels before it can be secure.

An interesting question is whether or not it can be both very robust and very secure at the same time?

My point being that the warnings about the above were made loud and clear in the mid-1990s when the internet was "discovered" by the citizenry and the commercial interests and yet everyone yelled "Full speed ahead!" and so here we are.

Re:Robust versus Secure

[CaptainDork]

Excellent point.

I grew up with all this shit. I got my first micro computer in 1978 (I was a 33-year old electronics tech) and my first coding gig in 1986.Computers were very easy to hack via floppy disk (the 5 1/4" kind).

Each computing device has much greater responsibility nowadays, but the security has made NO advances.

Re:Robust versus Secure

[drinkypoo]

An interesting question is whether or not it can be both very robust and very secure at the same time?

You can have a very secure network right now, and have it be very robust, too. You can deny all non-encrypted communications, use certs for all comms, and exercise close control over your certs. You can prevent users from running any unauthorized software, and you can use software without extraneous bullshit, e.g. avoid using Windows as a thin client which is truly a full retard move. But that's a huge PITA, so nearly nobody ever does these things properly, even banks.

Banks should have to announce to their customers when their networks have been penetrated.

Re:Robust versus Secure

The internet isn't secure or insecure. You can't hack the internet it's just an idea; maybe at best you could consider the infrastructure like routers, cables, and modems if you wanted to though I wouldn't. But really it's the computers that are connected to the internet that can be insecure or secure and security will probably always be an issue as long as people keep connecting things that shouldn't be on the internet to it.
As you said as long as the network gets it's packet from point A to point Z it's done it's job.

Re:Robust versus Secure

[Bob_Who]

Each computing device has much greater responsibility nowadays, but the security has made NO advances.

Neither has human nature.

Re:Robust versus Secure

[Marginal+Coward]

Each computing device has much greater responsibility nowadays, but the security has made NO advances.

I've noticed the same problem with cats and mice. No matter what advances the cats make, the mice remain. One can only assume that the mice make advances at about the same rate as the cats.

Re:Robust versus Secure

It's not clear if the mice need to advance, given how very good they are at making baby mice.

Re:Robust versus Secure

But why should banks have to announce anything? If I have a factory that gets robbed, I don't have to tell anybody as long as I still deliver the promised goods to my clients. If none of their customers are actually out any money (for more than a few days or hours while they clean up the mess) why does it really matter? It's between the bank, their insurance provider, and possibly the government.

Re:Robust versus Secure

How does using that offensive slur against persons born with intellectual disability in any way advance your reasoning. It does not. Put away that hateful slur. The only justifiable use for it is to advocate against the hateful, hurtful, ignorant attitude it expresses about those using it in any other way.

Re:This is a clear example of why Bitcoin won't wo

[ganjadude]

hmm, you just gave me a business idea. Alt coin insurance.

Not quite true Re: Robust versus Secure

[davidwr]

We can and do use the insecure internet to securely transmit information.

All to often we do it wrong though. Doing it wrong means we can be fooled.

Sometimes we do it wrong on a technical level, such as using out of date encryption, fundamentally broken encryption, or worse.

Sometimes we do it on a human level, such as not occasionally verifying that the account-holder or bank employee is the one and only person who has used his credendials recently using a non-technical means.

Sometimes we do it wrong in our business practices, such as by not doing frequent-enough random audits and not forseeing that a particular type of attack is worth monitoring for. I will grant some leeway here in that "ridk management" != "risk elimination."

4 Words

[Bob_Who]

Payback is a bitch.

Re:This is a clear example of why Bitcoin won't wo

>who will cover stolen Bitcoins?

You could implement the same scheme the government does when they cover the bank's losses. Just take a sliver of bitcoin from every single account to replace what was lost.

It's the same effect, you're all a little bit poorer each time they replace that money.

Banks steal billions

They are the malware. As for threats and force, ask the evicted, the downsized, the outsourced. Remember whatsisname representing the financial TBTFs threatening the USA's Congress with blood in the streets if they didn't get 70 (or 700?) Billion to cover their bad bets, huge debts, insolvency, negligence, crass manipulation, and general malpractice.

Banks stole trillilons, impoverished millions, financed wars, coups, drug cartels, blood diamonds (etc.), weapons, the militarization of society, and war zealots. And the USA's Federal reserve is a council of bank councils, with some US government's legal backing.

Re: Banks steal billions

And impoverished billions, not just millions. Between 50 and 100 billionaires have half of the world's wealth in their power. That is not obtained honestly or just through their own innate superiority and hard work. Thatbis the product of fraud, inequality, crime, and theft. With a lot of violence done along the way.

Re: Banks steal billions

[HiThere]

You oversimplify. It also involves a lot of hard work, and some of them didn't do anything very unethical....they just took advantage of an existing non-level playing field. (I'll grant that others ensured that the playing field *would* be non-level, but they aren't necessarily the same people.)

OTOH, I do agree that there's no justification for the excessive imbalance being maintained. And I see no way to reform the system from my position.

Re: Banks steal billions

You're confusing illegal and unethical. I think most people's system of ethics would consider taking that much advantage of a "non-level playing field" to the detriment of billions of other people to be highly unethical.

Re: Banks steal billions

[HiThere]

You say "to the detriment", and that isn't clear. The non-level playing field *is* clear. E.g., it's not clear that Steve Jobs was highly unethical rather than only mildly unethical. And it's not clear that he acted "to the detriment of billions of other people".

I'll agree that it's quite easy to come up with other examples where it *is* clear. But no class of people is uniform. Not even a pair of identical twins. Whenever you see them that way, you can be certain that you are simplifying...and perhaps oversimplifying.

dem haxxorz!!1!

Good cue to stop reading: The piece will be devoid of meaning so even trying to figure out what really happened will be a waste of time, guaranteed. Same with any other clickbait, only now with sensationalist "security" sauce.

Too bad that most "cyber security" consists of this sort of fluff. No wonder we're not making any progress in that field.

Banks were hit before Internet by fraude.

[houghi]

Before Internet, I know of one group who used fraude to take only a few million USD from different banks by leaning money from one bank, falsify the papers on that loan and use it as a warranty to get a bigger loan at another bank.

They were caught because they tried to kill one person who then talked to the police.

What amazed me was that this was possible. If I have a warrenty against a loan, they will check it 27 times and then decline the value. They added some zeroes and because it was from a bank, all was well. (Ok, simplified, but still).

Seems that banks have always been less cautious compared to what they let the public believe.

odd

what bank allows transfers of millions without paperwork??

Re:This is a clear example of why Bitcoin won't wo

[Canth7]

Bitcoin can and is being insured as well. After all, it's no harder to protect Bitcoin private keys than say Verisign's root certificates, which are insured against theft as well. And it's still an unfortunate thing that our banks are so susceptible to hacking and theft. After all, whether through increased costs of private insurance or FDIC, we all pay for the losses that a bank incurs.

I bet they were Windows machines

I am afraid that the compromised machines were running Windows. That would put the 'low cost of ownership' that Redmond propagates, in a different perspective.

If only computers ...

[CaptainDork]

... had been vaccinated at birth.

Re:

oh, yeah, poor Greeks...

Bank Hackers Steal Millions Via Malware?

[lippydude]

I always though computer operating systems were only capable of being hacked, but thanks slashdot for giving us that technically insightful and informative heads-up ..

"First, they get physical access to the ATMs and insert a bootable CD to install the malware -- code named Tyupkin by Kaspersky Lab. After they reboot the system, the infected ATM is under their control."

"The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem"

That's what happens

That's what happens when you employ / usurp in cheap Asian security "experts" people!.
Payback's a bitch!!

Putin?

Could this be Russia's plan to survive the sanctions and drop in oil prices?

Re:This is a clear example of why Bitcoin won't wo

[rubycodez]

No, some companies just started offering it. But "bitcoin is insured" is a generally false statement right now.

This is recycled old news.

[Morris+von+Habsburg]

"When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem."

The problem is that Kaspersky wasn't "called in", it's just a dubious PR tactic coupled with a journalist who (surprise, surprise) didn't do any own research. They took a discovery from December, renamed the network, inflated the amounts and spun someone else's work as their own.

Graham Cluley had a suspicion about the details which looked awfully familiar: High-tech hackers stole $300 million from 100 banks. But here's what the media forgot to tell you (http://grahamcluley.com/2015/02/bank-hackers/)

Fox-IT, who uncovered this issue last year have since responded to confirm it was indeed a rehash of an older story (https://www.fox-it.com/en/press-releases/anunak-aka-carbanak-update/) but with some inflated amounts to get news headlines.