Slashdot Mirror
Bank Hackers Steal Millions Via Malware
An anonymous reader writes: When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem. Instead, they found the ATMs were just the tip of the iceberg. The bank's internal computer systems were completely compromised, and in addition to the slow but steady siphoning of funds through physical machines, a criminal group was quietly transferring millions of dollars into foreign bank accounts. A report set to be published on Monday shows the attack extended to over 100 banks in 30 nations.
"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms." Kaspersky Lab is unable to name the banks involved because of non-disclosure agreements, and no banks have come forward to acknowledge the breach. "The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing."
"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms." Kaspersky Lab is unable to name the banks involved because of non-disclosure agreements, and no banks have come forward to acknowledge the breach. "The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing."
William K. Black
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
"Why stop at one?" asked the Federal Reserve.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Bitcoin Unaffected.
Buh buh buht... uhhh... yeah... Damn. Bitcoin Unaffacted. That's all I can say.
The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.
Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.
It became clear to me years ago that I could only make something fool-resistant, since as soon as I imagined foolproof had been achieved, they kept making a better fool.
My takeaway: The most devilishly clever security system, devised by the most gifted programmers, in a scenario where money was no object, can still be compromised because of the human user element in the implementation of the system.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
..... Wait, what?
Oh. Nevermind then.
So shouldnt' they be able to trace the transfers to the destination accounts? And continue doing so until the money is withdrawn?
Hell, even in places like Kazakhstan they don't have pallet loads of $100 bills waiting around for people to withdraw millions in cash. And you don't really walk into a bank ANYWHERE in the world and pull out millions in cash from a newly opened account without tons of ID, paperwork, being on cameras, access to large armored trucks, etc.
I'm familiar with the concept of mules and blinds, but for a scheme so sophisticated it sounds suspicious to use low level mules to pull out millions in cash. Multiple points of failure/discovery.
How the hell do they get the actual money OUT?
Learning HOW to think is more important than learning WHAT to think.
The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.
Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.
Because they signed a nondisclosure agreement, and because people are afraid of defamation lawsuits.
It is worth noting that Bank of America just had a five-day IT outage/upgrade/etc... during which their credit card interfaces had limited data, etc... It may be unrelated, but... it was for *five days*.
It may well be unrelated--credit cards v. bank accounts and all that--but it may not be. That's a *really* long time to do the public part of upgrading a system.
Anyway, it's all insured (don't read the stuff about losing your online banking password too closely), and you can always sue if they tried not to cover you, so it's not worth a run on any banks unless they start losing a lot more. At least they're paying attention.
Printing money like crazy is just a different kind of robbing. But the Fed actually was more clever than that. They printed $2 Trillion while incenting banks to deposit $2 Trillion in reserves with the Fed, thus enabling the government's spending addiction without expanding the money supply. That part was clever. What happens once banks decide to start investing that money they have parked with the Fed is anyone's guess.
Did the Fed invent a new way to support deficit spending in a downturn, or a new way to destroy a currency through hyperinflation? Only time will tell, but kudos for at least trying something new.
(BTW, the Fed didn't buy so much in the way of direct mortgage debt as it did complicated mortgage-backed securities of dubious value. The Fed shouldn't have bailed out anyone. Every single bank involved in those securities should have been allowed to collapse (nothing of value would have been lost), and everyone who signed for a mortgage they couldn't possibly pay deserves bankruptcy. It's not like we have debtors prison: you're clear of bankruptcy after a few years, and maybe learn a thing or two about living within your means in the widow when you can't borrow money.
Socialism: a lie told by totalitarians and believed by fools.
The internet was designed to be amazingly robust, able to successfully get a message through a nuked-out infrastructure -- point A to point Z via any number of non-predetermined intermediate points. It was not designed to be secure because such security wasn't deemed necessary to the completion of the mission of getting a message to point Z from point A regardless the damage inbetween the two points.
What security it does have has been bolted on after-the-fact much like bolting a wind spoiler onto a Volkswagen Beetle. and with pretty much the same comical effect. "Secure" internet will require some serious redesign at the various hardware and sofware levels before it can be secure.
An interesting question is whether or not it can be both very robust and very secure at the same time?
My point being that the warnings about the above were made loud and clear in the mid-1990s when the internet was "discovered" by the citizenry and the commercial interests and yet everyone yelled "Full speed ahead!" and so here we are.
Everything in the Universe sucks: It's the law!
The money for quantitative easing was created, not taxpayer-funded.
How'd that work out for the Wiemar Republic?
Do note that I'm a knee-jerk anti-Fed zealot, I think most of those people are hopelessly naive at best. It just remains to be seen whether or not QE is a long term success or simply masked fundamental structural problems that will re-emerge at a later date. It's worth noting that our cheap money policy has virtually destroyed every form of investing other than stocks; I can't find any "safe" investments that can keep pace with inflation right now, can you? Wall Street sure is profiting from QE, I'm not so certain about Main Street. This is a very disturbing trend that few people are talking about, one that we're not likely to reverse so long as there's no incentive (near 0% interest rates) to save money and every policymakers response to a recession is "consume, consume, consume!"
Mark your calendar and we'll come back to this discussion in 10 or 15 years to find out what happened.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
It's not like we have debtors prison: you're clear of bankruptcy after a few years, and maybe learn a thing or two about living within your means in the widow when you can't borrow money.
I've never understood the opposition to bankruptcy, as seen in our political debates on topics ranging from health care to the mortgage crisis. Perhaps I'm somewhat jaded because I've gone through Chapter 7 twice (once for medical bills, the second time for divorce); there was literally nothing to the experience, 20 minutes in an assembly line legal hearing, a few months of waiting, and presto! New start. Chapter 13 is a bit more drawn out, 3 to 5 years depending on your repayment plan, but even that isn't a terribly burdensome ordeal if your lawyer has half a brain.
Corporations engage in stratgeic bankruptcies all the time but it's somehow the end of the world if a consumer has to file Chapter 7 or 13? I've grown cynical enough watching our rigged financial system that I'm tempted to engage in a repeating cycle of strategic chapter 7 bankruptcies until the day I die. Why the hell not? You can park limitless amounts of money in retirement accounts that can't be touched, buy tangible goods on credit that can't be or aren't worth being repossessed, and milk those fucking "too big to fail" banks for every last penny you can get out of them. All you need is a little bit of estate planning, knowledge of the credit system and bankruptcy code, and the willingness to see your name in the paper every eight years.
I doubt I'll actually do this but boy there are days when it's incredibly tempting. Spend a few years rebuilding your credit, get insanely huge credit lines, live off them for a few years while parking as much real money into exempt retirement accounts as you can, bankruptcy, rinse and repeat. I had nearly ten times as much money as I owed to my creditors in my 403(b) and IRAs during my last bankruptcy and that fact was completely irrelevant. All that mattered was I couldn't pay them with my income. At least our financial system does something right for the little guy.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
This.
And, banks aren't alone.
Cyber security will only happen after litigation kicks in.
It little behooves the best of us to comment on the rest of us.
We can and do use the insecure internet to securely transmit information.
All to often we do it wrong though. Doing it wrong means we can be fooled.
Sometimes we do it wrong on a technical level, such as using out of date encryption, fundamentally broken encryption, or worse.
Sometimes we do it on a human level, such as not occasionally verifying that the account-holder or bank employee is the one and only person who has used his credendials recently using a non-technical means.
Sometimes we do it wrong in our business practices, such as by not doing frequent-enough random audits and not forseeing that a particular type of attack is worth monitoring for. I will grant some leeway here in that "ridk management" != "risk elimination."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The money for quantitative easing was created, not taxpayer-funded. No robbing took place.
Wait, what? When they print more money, all of my money is now worth less. They robbed everyone. Of course, it's irrelevant to the obscenely wealthy, who cannot live long enough to spend all their money.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Most industrialized economies are designed to be ran with continual inflation. Central banks around the world consider 1.5-3.0% annual inflation to be ideal with 2.0-2.5% to be the sweet spot. The only time you hear about inflation is when it gets outside this range. Capitalist(ish) economies usually suffer a near collapse or total collapse when the currency hits 0% inflation or starts to deflate. Because of this, the money you keep always devalues and always will as long as we keep this economic model. I've never understood the rant against the intentional push for inflation that happened after the 2008 recession in the U.S. All that did was return inflation to the "safe" range. Both Bush and Obama supported doing this so it isn't even a Democrat/Republican issue. (Note to all the "gold standard" junkies: This happens with gold and silver too! ...and its price is more volatile. Our economy was designed to roughly mimic gold and silver without having to lug it around and have more control over the inflation.)
Now, if you hate the inflation based economic system in general, that's another matter. No, going "back to gold" will not change this. See reason above. Barter was the only real system we had in the past that didn't suffer from this design. I think that there can be better systems but, it would take someone much smarter than me to design one and have it work for a global economy. (We're talking Nobel prize territory here.)
"Be particularly skeptical when presented with evidence confirming what you already believe." -
I think that there can be better systems but, it would take someone much smarter than me to design one and have it work for a global economy. (We're talking Nobel prize territory here.)
That sounds like what turned Brazil's economy around. How Fake Money Saved Brazil
And, basically, inflation did end, and the country's economy turned around. In the years that followed, Brazil became a major exporter, and 20 million people rose out of poverty.
There are two US government bonds you can buy which by definition keep pace with inflation as defined by the Consumer Price Index:
TIPS -- from https://www.treasurydirect.gov...:
Treasury Inflation-Protected Securities, or TIPS, provide protection against inflation. The principal of a TIPS increases with inflation and decreases with deflation, as measured by the Consumer Price Index. When a TIPS matures, you are paid the adjusted principal or original principal, whichever is greater. TIPS pay interest twice a year, at a fixed rate. The rate is applied to the adjusted principal; so, like the principal, interest payments rise with inflation and fall with deflation.
or you can buy I-bonds: Series I Savings Bonds are a low-risk, liquid savings product. While you own them they earn interest and protect you from inflation. You may purchase I Bonds via TreasuryDirect or with your IRS tax refund.
The world is awash right now in investment money looking for a safe place to earn interest, with more demand than supply of safe interest bearing instruments the returns are going to be small.
Bitcoin can and is being insured as well. After all, it's no harder to protect Bitcoin private keys than say Verisign's root certificates, which are insured against theft as well. And it's still an unfortunate thing that our banks are so susceptible to hacking and theft. After all, whether through increased costs of private insurance or FDIC, we all pay for the losses that a bank incurs.