Bank Hackers Steal Millions Via Malware
An anonymous reader writes: When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem. Instead, they found the ATMs were just the tip of the iceberg. The bank's internal computer systems were completely compromised, and in addition to the slow but steady siphoning of funds through physical machines, a criminal group was quietly transferring millions of dollars into foreign bank accounts. A report set to be published on Monday shows the attack extended to over 100 banks in 30 nations.
"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms." Kaspersky Lab is unable to name the banks involved because of non-disclosure agreements, and no banks have come forward to acknowledge the breach. "The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing."
The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.
Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.
Because they signed a nondisclosure agreement, and because people are afraid of defamation lawsuits.
It is worth noting that Bank of America just had a five-day IT outage/upgrade/etc... during which their credit card interfaces had limited data, etc... It may be unrelated, but... it was for *five days*.
It may well be unrelated--credit cards v. bank accounts and all that--but it may not be. That's a *really* long time to do the public part of upgrading a system.
Anyway, it's all insured (don't read the stuff about losing your online banking password too closely), and you can always sue if they tried not to cover you, so it's not worth a run on any banks unless they start losing a lot more. At least they're paying attention.
It's not like we have debtors' prison: you're clear of bankruptcy after a few years, and maybe learn a thing or two about living within your means in the window when you can't borrow money.
I've never understood the opposition to bankruptcy, as seen in our political debates on topics ranging from health care to the mortgage crisis. Perhaps I'm somewhat jaded because I've gone through Chapter 7 twice (once for medical bills, the second time for divorce); there was literally nothing to the experience, 20 minutes in an assembly line legal hearing, a few months of waiting, and presto! New start. Chapter 13 is a bit more drawn out, 3 to 5 years depending on your repayment plan, but even that isn't a terribly burdensome ordeal if your lawyer has half a brain.
Corporations engage in strategic bankruptcies all the time but it's somehow the end of the world if a consumer has to file Chapter 7 or 13? I've grown cynical enough watching our rigged financial system that I'm tempted to engage in a repeating cycle of strategic chapter 7 bankruptcies until the day I die. Why the hell not? You can park limitless amounts of money in retirement accounts that can't be touched, buy tangible goods on credit that can't be or aren't worth being repossessed, and milk those fucking "too big to fail" banks for every last penny you can get out of them. All you need is a little bit of estate planning, knowledge of the credit system and bankruptcy code, and the willingness to see your name in the paper every eight years.
I doubt I'll actually do this but boy there are days when it's incredibly tempting. Spend a few years rebuilding your credit, get insanely huge credit lines, live off them for a few years while parking as much real money into exempt retirement accounts as you can, bankruptcy, rinse and repeat. I had nearly ten times as much money as I owed to my creditors in my 403(b) and IRAs during my last bankruptcy and that fact was completely irrelevant. All that mattered was I couldn't pay them with my income. At least our financial system does something right for the little guy.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
We can and do use the insecure internet to securely transmit information.
All too often we do it wrong though. Doing it wrong means we can be fooled.
Sometimes we do it wrong on a technical level, such as using out of date encryption, fundamentally broken encryption, or worse.
Sometimes we do it on a human level, such as not occasionally verifying that the account-holder or bank employee is the one and only person who has used his credentials recently using a non-technical means.
Sometimes we do it wrong in our business practices, such as by not doing frequent-enough random audits and not foreseeing that a particular type of attack is worth monitoring for. I will grant some leeway here in that "risk management" != "risk elimination."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.