Slashdot Mirror


Bank Hackers Steal Millions Via Malware

An anonymous reader writes: When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem. Instead, they found the ATMs were just the tip of the iceberg. The bank's internal computer systems were completely compromised, and in addition to the slow but steady siphoning of funds through physical machines, a criminal group was quietly transferring millions of dollars into foreign bank accounts. A report set to be published on Monday shows the attack extended to over 100 banks in 30 nations.

"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms." Kaspersky Lab is unable to name the banks involved because of non-disclosure agreements, and no banks have come forward to acknowledge the breach. "The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing."

7 of 131 comments

  1. Re:The Best Way to Rob a Bank is to Own One by ColdWetDog · · Score: 4, Interesting

    Second best way is to impersonate the person that owns one. Sounds like what these guys did. However, according to TFA they were very patient and methodical, leading up to the assertion that they were 'cybercriminals' rather than state actors. Of course, the last time this weird dichotomy came up, the attackers were state actors because they were so patient and thus weren't plain ol criminals.

    Sounds a bit clueless to me. Given the level of information we get from fine articles such as this, I have to wonder just what, if anything at all, really happened.

    Best thing about the article is Sergey Golovanov's T-shirt.

    --
    Faster! Faster! Faster would be better!
  2. Re:The Best Way to Rob a Bank is to Own One by datavirtue · · Score: 4, Interesting

    Banks are one of the most antiquated troglodytes on the planet. It goes to the root of the governments who are essentially run by the banks more or less. There is little drive to provide better services to consumers as the entire payments and clearing industry is mired in something I would dare call (old) "technology." There are very few players, invisible to consumers and far outside the average consumers' intellectual reach. The system, very simple, seems complex and magical. It is not. It is an old, crusty, dusty, farty mechanism rooted in the 1800s at best. The innovators are hamstrung by politics and regulation, almost happy to be so because this monopolistic club is very profitable. One of the greatest achievements AND ills of mankind is the current (certainly not modern) banking system.

    --
    I object to power without constructive purpose. --Spock
  3. Trace the Transfers? by chill · · Score: 4, Interesting

    So shouldn't they be able to trace the transfers to the destination accounts? And continue doing so until the money is withdrawn?

    Hell, even in places like Kazakhstan they don't have pallet loads of $100 bills waiting around for people to withdraw millions in cash. And you don't really walk into a bank ANYWHERE in the world and pull out millions in cash from a newly opened account without tons of ID, paperwork, being on cameras, access to large armored trucks, etc.

    I'm familiar with the concept of mules and blinds, but for a scheme so sophisticated it sounds suspicious to use low level mules to pull out millions in cash. Multiple points of failure/discovery.

    How the hell do they get the actual money OUT?

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Bank of America? by Etherwalk · · Score: 5, Interesting

    The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.

    Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.

    Because they signed a nondisclosure agreement, and because people are afraid of defamation lawsuits.

    It is worth noting that Bank of America just had a five-day IT outage/upgrade/etc... during which their credit card interfaces had limited data, etc... It may be unrelated, but... it was for *five days*.

    It may well be unrelated--credit cards v. bank accounts and all that--but it may not be. That's a *really* long time to do the public part of upgrading a system.

    Anyway, it's all insured (don't read the stuff about losing your online banking password too closely), and you can always sue if they tried not to cover you, so it's not worth a run on any banks unless they start losing a lot more. At least they're paying attention.

  5. Re:Two words by Shakrai · · Score: 5, Interesting

    It's not like we have debtors prison: you're clear of bankruptcy after a few years, and maybe learn a thing or two about living within your means in the window when you can't borrow money.

    I've never understood the opposition to bankruptcy, as seen in our political debates on topics ranging from health care to the mortgage crisis. Perhaps I'm somewhat jaded because I've gone through Chapter 7 twice (once for medical bills, the second time for divorce); there was literally nothing to the experience, 20 minutes in an assembly line legal hearing, a few months of waiting, and presto! New start. Chapter 13 is a bit more drawn out, 3 to 5 years depending on your repayment plan, but even that isn't a terribly burdensome ordeal if your lawyer has half a brain.

    Corporations engage in strategic bankruptcies all the time but it's somehow the end of the world if a consumer has to file Chapter 7 or 13? I've grown cynical enough watching our rigged financial system that I'm tempted to engage in a repeating cycle of strategic chapter 7 bankruptcies until the day I die. Why the hell not? You can park limitless amounts of money in retirement accounts that can't be touched, buy tangible goods on credit that can't be or aren't worth being repossessed, and milk those fucking "too big to fail" banks for every last penny you can get out of them. All you need is a little bit of estate planning, knowledge of the credit system and bankruptcy code, and the willingness to see your name in the paper every eight years.

    I doubt I'll actually do this but boy there are days when it's incredibly tempting. Spend a few years rebuilding your credit, get insanely huge credit lines, live off them for a few years while parking as much real money into exempt retirement accounts as you can, bankruptcy, rinse and repeat. I had nearly ten times as much money as I owed to my creditors in my 403(b) and IRAs during my last bankruptcy and that fact was completely irrelevant. All that mattered was I couldn't pay them with my income. At least our financial system does something right for the little guy.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  6. Re:Robust versus Secure by drinkypoo · · Score: 4, Interesting

    An interesting question is whether or not it can be both very robust and very secure at the same time?

    You can have a very secure network right now, and have it be very robust, too. You can deny all non-encrypted communications, use certs for all comms, and exercise close control over your certs. You can prevent users from running any unauthorized software, and you can use software without extraneous bullshit, e.g. avoid using Windows as a thin client which is truly a full retard move. But that's a huge PITA, so nearly nobody ever does these things properly, even banks.

    Banks should have to announce to their customers when their networks have been penetrated.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Is nothing Hackproof? by Opportunist · · Score: 2, Interesting

    Yes, it is possible to create a hack proof system. Is it economically feasible? That's the real question here.

    And here even the old metric of risk assessment goes out the window. No, seriously. We're talking about a mission crippling threat (or, in simple terms, "if it happens, we're fucked"), something that usually is required to protect against. For the obvious reason, if it happens, we're done for. Like a rocket engine on a space ship, you want one that DOES work no matter what because if it for some odd reason does not work, you're fucked. You want it well designed, preferably with dozens of fallback systems and spare parts around, despite all of this being heavy and shit but you know that you NEED that thing. More than any scientific instrument you might want to take along because all of it is nixed if you can't get your precious payload up into space and maybe even back down to earth.

    Now of course there's even a limit to that. In security terms, the cutoff is where security costs more than what you protect because it's economically nonsense to spend more on protecting something than losing it would cost you. To stay in the comparison above, when your engine gets so heavy that it can't lift itself anymore, you've overdone it.

    But all this is academic cerebral masturbation material for risk assessment enthusiasts and rocket engineers because what happens here and now is something that is bullshit all the way up to the sky and back. It's the good old schoolyard metric of "but the others do it too". And whoever said that managers are just little petty kids who refuse to grow up should get some sort of prize for economy because he's not only absolutely right but also identified what the fuck's wrong with economy today.

    What happens here is that security goes out the window as soon as there is someone else in the market who shits on security, because they don't know better, because they think they know better than their risk managers (who they hired for whatever reason if they don't want to listen to them) or because the greedy part of their brain took an unhealthy marriage with the stupid part and decided that their bonus is heaps bigger if they go with the security metric that we all know well from the times when we played hide and seek as a kid, where you close your eyes and hope really hard that if you can't see them they can't see you and that they'll simply forget that you're there and hopefully find someone else to pick on.

    And whoever had that great idea first is what I'd like to call "Asshole 0", as in "Patient 0" of a pandemic. Because now everyone else had to follow the same shitty idiocy because else their financial results would have looked worse. You see, security is one of these things that you can argue rather badly towards shareholders. It's nothing you can pretend to be an asset, it's nothing that leaves any kind of shit stain on the balance like the near bankrupt Generistanian bank you gobbled up for more than it's ever been worth in its entire existence where you bullshit your shareholders into thinking that you were the only one who had the vision to foresee how it will be the next big thing in investments Really Soon Now (tm).

    Money you spend on security is simply gone. And if you can't point to two big towers that were mistaken for landing strips by well meaning towelheads you can't even present a strawman that would burn for more than a nanosecond to argue that expense with people who know shit about IT and will complain that that whole computer crap was sold to them with the promise that they can fire another few thousand people if they only cram enough of that blinkenlight stuff into some room. And now you come and say that they should spend a metric fuckton of money because it's "insecure"? Now, that can't be, the consultant who told us all about how much money we can save with computers and then was even so friendly to shovel a load of them into our rooms sure would have told us, right?

    And look over there, that other bank that is run by Asshole 0

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.