UK Banks Blackmailed by Crackers
Palin Majere writes "This story from USAToday reports on how banks in the UK are finding it cheaper (and easier) to pay off cracker groups rather than try and defend themselves properly."
that gets me thinking:
If I go to a company and say - I found those security breaks in your system, I can fix them if you'd pay me.
Is that blackmail?
Ballerinas have fins that you'll never find
Sure.
Bank: What did you do to break in?
Blackmailer: Well, I... (yadda yadda yadda)
Where is the trust in this situation? As mentioned before in the comments, the blackmailer could have multiple ways in, or multiple backdoors, etc. It would only take one easy way in to do more damage -- or have the potential to do more damage.
Blackmail is not about trusting someone. It's about knowing that you definitely don't trust them, but attempt to make the situation better for yourself. Getting answers from blackmailers would be just as easy as eating an asphalt pie.
Karnal
Regarding the activities of crackers and blackmailing banks. I'm sure most of the threats are just DOS attacks that may or may not actually involve compromising the security of the bank.
Consider the scenario of a bank's communication network breaking down.
Here's how it might work:
Let's say the main branch in London has a computer failure. Now, that's all ok for an hour or two, but if it lasts much longer, especially at some strategic time (like during backups) then the bank will start having problems.
Now, instead of transferring monies out of an account the crook simply withdraws the money from several banks, one after the other. They won't notice until after the link comes back up.
Ok, so the banks that are offline can't deal with major withdrawals. So now, they really can't do anything, except disallow withdrawals. Then, when the news hits, there may be a run on the bank... (This is really bad news.)
Now, the tricky part here is that the bank would rather pay someone to not attack than to lose its business for a day, no big deal. As soon as the scenario becomes reasonably common, the bank may well move to more economical means of protection.
Also, it seems like this kind of scenario is likely to be an inside job. A banker should be well versed in how to perform massive money transfers discreetly, and have appropriate contacts to do so. The insider already has access to the system, and can easily forge an e-mail by simply bypassing physical security.
Furthermore, with inside information, the crook could very well know what sums of money would be considered small enough to be acceptable payoffs.
Otherwise there are massive issues with this sort of caper. AFAIK most banks use proprietary systems. Most of these systems were written a long time ago by professional high-end programmers, not the indian sweatshop programs available from MS, so each system is unique, and may well require insider info. The actual transfer of money would also be very difficult to perform securely.
NTG
Perhaps it's not monetary transactions that the crackers' threat is based on. Privacy is a large concern of most banks (especially in Ireland where a couple of large banks have been exposed of stealing from their customers).
There is a lot of sensitive information in a bank, and more importantly, a bank's financial success depends on its public image.
Can you imagine the bad press if a cracker group post a/c details of some corporate clients?
mmmmm... bad medicine....
-- hjw http://puzl.info/
--Phil (Pardon if I misunderstood--as I said, I haven't yet had much experience in this area.)
355/113 -- Not the famous irrational number PI, but an incredible simulation!
Many worldwide banks offer NetBanking as a way of allowing customers access to their account, bill payments, loan payments, etc over the net. The way this is done is not through a browser, but through a secure on-line client terminal, developed by the bank (which is not open source ;-) ).
My bank has an interesting solution here: It uses a client, which does all the wacky password stuff, and then acts as a local proxy, so that you can use your normal browser, but only with the security program working. It can be a bit of a pain to set up when you're already using a proxy, but not all that bad. And it seems to work - I haven't heard of any great problems yet.
Of course, the nice thing about just having stuff on the web is that you don't need any proprietary software - it'll work on any OS that has a browser!
Of course, you'll want decent encryption - would a "simple" solution that used 128 bit encryption be generally decent? Would most of you trust it?
(of course it would depend on a lot of other things... but hey)
If so, all we need is to allow 128 bit encryption everywhere! There's that familiar refrain again...
I can't imagine that banks can't track down their own money to find out where it is, and then nab the crackers from there. ("Yeah, sure, we'll give you money! --Aha, gotcha!")
I also can't believe that these skript kiddiez all have secret Swiss bank accounts or something. Wouldn't a deposit of $400,000 by an unemployed teenager be suspicious? This isn't exactly an amount of money you can hide under your bed.
Reminds me of a local incident a couple years ago, where a couple skript kiddiez hacked an e-commerce server, stole credit card numbers, then had stuff *shipped to their homes*. And they wonder why they got caught...
"During your times of trial and suffering, when you see only one set of footprints, it was then that I was riding the pogostick."
A good traveller has no fixed plans and is not intent on arriving.
Gee, from my experience, you are wrong assuming that it's not tcp/ip, and that it is DES encrypted... And actually, the Loan accounts and individual accounts are perhaps interesting, but not blackmail-worthy... I think the only extortion (one should look at the penalty for such before making any career changes!) that might fly would be the threat to alter records and then publicize the fact... You will, of course, immediately become an item for Secret Service and Treasury agents... I'd certainly bag the idea. Use your brain for something legal!
Perhaps opening an account to receive the message leaves too much of a trail? I don't recall the article saying *how* the crackers were paid off (suitcase full of cash, say; or seized collateral, or whatever) but the bright ones, presumably, wouldn't accept anything like a personal check...
Only the dead have seen the end of war.
I think he meant that it was backwards in that crackers are more commonly known as malicious hackers (at least as far as the media is concerned), rather than vice versa.
Jason.
Thanks for the info. I'd never even heard of this shmoe, but I was *very* suspicious of an article like this in USA Today. I mean, come on. This is a newspaper more used to telling you what kind of potato chips most Americans eat, in 98 eye-catching colors ("The dreaded USA-Today effect").
-nme!
CitiBank did the right thing when they were cracked. They went to the authorities, cooperated, helped in tracking the crackers down, and were willing to testify against them. Exactly the right way to go about putting these criminals in jail
Unfortunately, as these things go, the press ran with the usual "CitiBank gets hacked!" headlines, with the result that CitiBank lost nearly all of its most lucrative accounts almost immediately. This lesson has not been lost on other banks, who will now gladly pay a protection racket "reasonable" fees rather than lose their own lucrative accounts. This will probably go on until either the authorities jail some high-level banking executives for obstruction of justice or complicity in covering up a crime, or depositors wise up and realize that a bank like CitiBank is probably a much more secure place to put one's money than a competitor which gets cracked in exactly the same way, but covers up the incident and finances future cracking missions with payoffs to boot!
The Future of Human Evolution: Autonomy
Nope, Homer said: "Mmmmmmmmm, Chocolate". I've never heard Homer say anything about crackers. He probably wouldn't even eat crackers... too salty, not enough sugar. Well, maybe graham crackers :-)
There is one good reason why most banks in this situation will not inform the authorities at all. Banks rely on public trust in them to earn their money. If they reported such a blackmail attempt to the police it would necessarily become known by the public. The cost of this in terms of plummeting business (would you lend your money to a bank with that lax security?) would far exceed the $100000 or even $1000000 in ransom. So they pay up and hope it just will go away. /Dervak
Wince through the teller screen at your local bank and I'm willing to bet what you'll see... No, it's not a gaggle of blonds - it's passwords on post-it notes stuck onto monitors. They're crying to be abused!
And on a related note: Until recently TSB's ATM network in The UK used modem dial-up to network their cash machines in the North of Scotland to the rest of their network. Furthermore no encryption was employed over these lines. Unencrypted transfers on public lines - sheesh!
- A bit of hype about those evil hackers will go a long way (i.e., from newspaper to newspaper, country to country...)
- Sufficient doses of hype will induce TREMBLES (Traumatic Reflex Evoking Multiple Blank Line Entry Syndrome), as evidenced in your message.
Hope this helps...(I will admit I was unable to distinguish in this case between TREMBLES and MUMBLES [Monkey Using Multiple Blank Lines for Emphasis Syndrome] so I gave you the benefit of the doubt.)
No Laughing Allowed!
Some members of a mailing list I subscribe to (ukcrypto) have suggested that this is simply a scare story whipped up by GCHQ (think British NSA) to try to get big companies to use their consulting services.
See this archive.
Multiple choice answers:
a. Steal a lot of money anonymously
   1) be your own boss
   2) enjoy your ill-gotten gains
   3) enjoy your privacy
b. Get paid a little money, identify yourself.
   1) go to jail now
   2) be surveilled forever
      i. go to jail later
http://www.google.com/search?q=PROMIS+Meese+Casolaro+Charles+Hayes
...to lone teen cracker on PROZAC ...whose initials are LHO ...not news; history-- http://www.dcia.com/prouty.html
Gotta be rubbish. In Australia, at least it would be illegal (for the bank too). If you pay blackmail, or do a deal with an embezzler - YOU go to jail. You go to the police with proof - and the BANK would lose their banking licence - fast. Besides, our banks only take - Never give - ever. E-greenmain would never work here (although the stupid banks are open targets for cheque and credit card fraud). For all their many faults, aussie banks will kick ass if you try anything. Their motto is ordinary people don't deserve tellers, and encourage electronic banking, with 40 minute long queues and $5 withdrawal fees ($2 if from an ATM). We have just three (mainstream) banks, and just one telephone company, so tracking is easy too. The legal system here is banana'y too. Door kicked in, tried, jailed, and nothing printed in the papers or media (as the banks place lots of ads). No amendments or rights in our court system if you probably did it. If any American bank offers decent international internet banking - they will make a fortune. The ones that FOLD over here (as in can't compete) fail because they don't innovate. Roll on amazon e-bank. PS: I kinda think that tacky government agreements have prevented international e-banking in the past, but this temporary e-border will go eventually. We even have a state tax on bank transactions!!!!
Inhabitants of the "UKcrypto" mailing list, for discussing government cryptology policy, have come to the conclusion that this story is a complete fabrication, "cut from whole cloth" by GCHQ (the UK equivalent of the NSA) to spread bad words about strong crypto and encourage regulation.
The original story has bizarre references to "hackers" holding up banks "with crypto" - I know it's a munition, but you can't point it at a bank teller!
See for example this article by highly respected cryptologist and computer security expert Ross Anderson, who is also co-author of AES candidate Serpent. Note also this observation on bank panic stories, or read the whole thread (search for "today's Times").
I'll also echo the comments here about Jonathan Ungoed-Thomas's hilarious attempts to cover security issues, among other iGaffes.
--
Xenu loves you!
Aside from that this article is an old one and that banks and other companies do not tell, not just in the U.K. .. yawn. Welcome to the real world.
Go read some back issues of www.ntk.net to know more about the most outrageous cyber-journalist in the UK, Jon Ungoed-Thomas. This story is pure fantasy, as are most of his stories. He is a scare-monger of the worst kind.
:-)
Many times he has been caught sending out emails from his work account, pretending to be a female eco-terrorist. Then he started using hotmail but filled out the registration form with his own name, and it was sent with the emails. He is astoundingly stupid and clueless.
Now, there may have been some extortion attempts against banks recently by script-kiddies. During the Secondary DNS Con, civic minded hackers announced that the Scottish National Party's web site had no security. They then gave the web masters 2 weeks to fix it (the idiots applied a single M$ patch), then cracked the system and defaced the home page with some very funny stuff. Obviously the hack was long in the making.
Since then, there has been a lot of poking around websites all over the place in the UK, and since most of the security holes are application based, adding firewalls doesn't do much good.
I expect some script-kiddies sent an email to a web master at a major bank, demanding money or "the web site gets it". Mr double-plus-Ungoed has managed to fabricate a huge threat out of that with his tabloid trash writing.
Bank security for transactions doesn't go through web sites, despite what clueless wanna-be hackers would love to think. Any real cyber-threat to banks is well funded by organized crime, and the hacks are months in the execution. The payoff can be huge, and usually requires inside knowledge. Mr Ungoed can't even figure out hotmail
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
- The AC who hasn't changed his stockpiling plans (money, food, guns, ammo, etc.) for Y2K. After all, the more the gov't insists that "everything will be just fine" the more I worry.
What on earth could our bankers be afraid of? Do they really care about security for us, or do they live in a self-inflicted but constant state of fear, from us? Consider this.
According to Mr. Virtue Himself, former drug czar Bennett, during the Bush administration illicit drugs were traded at the reported rate of $500B per year. $500B per year hard M-1 cash being sucked out of the bankers' vaults, "never" to be returned. Right? That's 50% of the above-ground U.S. economy, annually, including MS vaporware, and a significant portion of ongoing M-3, and a multiple portion of the required cash reserves. As the focal point for this kind of "underground" activity, why does a banker need "security" for the rest of us?
What banks use the stolen Promis program to maintain account histories of our transactions?
And, why are banks required to share details of our account histories with central computers at the NY Fed? What's it to them? Who are the stockholders of the Federal Reserve Banking System anyway?
And, what is the IRS and whom do its collections secure, i.e. to whom does it pay its loyalties; and why do we, the continent of the clueless, ratify perpetual debt to the fed, when all they lend us is fictitious currency created from nothing anyway? How come I couldn't pay my taxes by check made payable to U.S. Treasury, and when I send a check payable to IRS, it is deposited into a fed account at Mellon Bank?
Why do our bankers need security for us?
Uhhh, I too might be totally clueless, but I know a leader when I see one. I choose ... Charlie Battenberg, the man who wished he could spend eternity as the tampon of his adulterous lover, and who as leading male member of the Royal Family, sits next in line as the future figurehead of the super waspish C of E.
Btw, a couple of years ago, there was an incident where somebody fraudulently transferred away a large sum of money from Pernod-Ricard's (famous pastis drink producer) account to a numbered account in Switzerland. The perps were hoping that the incident would stay undiscovered, in the naive belief that at a company nobody would check bank accounts...
"If you know what you're doing, getting inside one of these links can be quite easy."
If this is so easy, then it *really* ought to be trivial to listen to any phone conversation you want (I mean come on, a lot of the phone network isn't even digital).
If you are such a badass information warfare expert, why don't you just tap into a few conversations between CEOs of huge evil companies (ie MSFT) and let everyone know about the nefarious schemes they are hatching.
And hey if it's so easy to jump from the PBX into the data network, it should be just as easy to do it from the power grid, right? I mean c'mon they're all wires that are sorta, somewhat, in some way connected with each other.
Gimme a break. Somehow I just don't think getting information is quite as easy as you say, or we wouldn't have the NSA squawking about encryption technologies and the like all the time.
My bank (Toronto Dominion) has a net banking solution.
It grew from a touch-tone system (which I avoid using) to a proprietary client to a browser based app. They recently phased out the proprietary client.
However, I would not be able to legally access my info outside of North America. Yep, it only allows 128-bit crypto. It'll reject anything else.
Between that and the phone, I trust the browser more. It is really easy to just record a phone session and get the touch-tone password and card number.
So banks outside North America are getting the shaft due to dumb US export restrictions.
Quite frankly, I'm surprised they're "letting" us use it. But then again, is that IP owned by the US government? What right do they have to impede international business?
What pisses me off the most is that I can't really do anything about it. They're not going to listen to me, as I'm not a US citizen.
All of you US people should each write a monthly letter to their politicians, or a monthly fax. Let them know how strongly you feel.
From my point of view the decision of the banks makes sense. First, they have to protect themselves from the loss of customers. This can be accomplished by paying the ransom. As someone else pointed out already, you can try to catch the blackmailers when picking up the money.
Second, you fix the holes quietly to prevent other crackers from doing the same. And you still keep it quiet.
Trust is really important when you give somebody your money. You trust the bank that they give back the money you gave them. Therefore you trust them to be able to protect the integrity of the finance tracking system.
Let's take that a bit farther: What if it becomes known, that more than one or two banks, namely nearly all banks, are vulnerable and not too difficult to crack? What might happen? The customers may lose their trust in the banks and get their money back and/or keep it to themselves. If this happens on a big scale you decrease the available money for the services of the banks like investing and credits. Without being able to get a decent credit other investments will not be made and so on... The financial system slows and the economy suffers. Therefore there is less money on the side of the investors, which they still keep to themselves...
Trust is really important for the economy. You have to trust the government, that those cheap printed paper slips with numbers on them are really worth more than the paper value. You have to trust the banks, that you get your money back. And therefore they have to pretend that they are invulnerable. Behind the scenes they may act completely different, but in the face of the public they have to keep their face.
BTW: I really liked it, too, that the author didn't mix hackers with crackers as many others do.
Björn
"City investigators say at least two London financial institutions have paid out ransoms totaling more than a million pounds ($1.6 million)," says the paper.
So what's the UK rate for a competent sysadmin? 80 pounds or so? An ounce of prevention...
--Shoeboy
It should be possible to form a company that acts as a go-between for companies and hackers.
First you would contact banks & other businesses and get them to "Subscribe" to your service. You offer a schedule of prices that basically equates to bounties for different levels of cracks.
Then you start offering bounties to crackers. The contract will prevent the businesses from prosecuting crackers as long as they don't cross certain boundaries, and will provide payment as long as they reveal their techniques.
You provide the techniques to your businesses (or even provide contractors to fix the problem), and collect the bounties for the crackers.
I wonder if anyone has given thought to where we would be right now without crackers--even the script kiddies are helping to immunize businesses against true organized attacks.
From what happened in "Independence Day", I can guarantee that those aliens did not have hackers--pity for them.
That's because you have. This same story is reported by the UK media every 6-12 months, and they've been doing it for years. They just change the details a bit each time.
>I guess newspapers have some kind of archive which they use to fill up their pages over and over again.
Actually it's probably not driven by the papers but by people peddling security services. It appears to work as follows:
- vendor wants to sell something which isn't currently selling too well (let's say it's aluminium caps to shield you from the orbital mind control satellites)
- vendor goes to reporter and tells them a horror story about banks
- if the reporter questions the story (unlikely) -> vendor tells them it has to be true because the same thing appeared six months earlier in the National Enquirer
- reporter writes scare story about banks being blackmailed
- vendor is quoted in the story as saying that the only defence against this is to buy their aluminium caps
Normally this rubbish is confined to one or two UK tabloids, the fact that it's spreading to the US (although still a tabloid) is worrying.
Now that it's been revealed that banks have poor records in dealing with electronic attacks, does that mean that faith and trust will be lost in the entire banking sector (rather than just the banks that are actually sloppy)?
This is bad timing - just in time for the Y2k currency rush. I wouldn't want to be working at a bank at the moment. Remind me to have more on my credit card than in my bank account on the 31st of December...
CJ.
PS. First post again?!?
It's amazing.
I don't understand how it could be so easy to crack what should be such a single-minded system..
Sounds like the bank is trying to do too much on one server..
Or maybe is it a lack of encryption issue?
If I can set up my linux box to accept packets with a simple service, and I proof the code enough, then I don't have to worry about anything but DoS attacks.. and the firewall should be handling that...
And if they are cracking your firewall, you need to hire a new admin, because the old one is incompetent.
They called malicious hackers crackers. Glad they're not confusing the two.
Is it just me or did they get that backwards? :)
Well, at least they actually used the proper term some of the time...
Ribo
I wear pants.
You're quite right..
Just one thing that came to my mind: If the crackers are so good that they can do what they want (or at least that's what the banks think they are), why don't they just transfer the amount of money they want to their own accounts? Why go all the trouble in blackmailing the banks? Makes me wonder if a bank would give me money if I sent them a note I'll crash their machines if they don't..
--
It has to work - rfc1925
If there's one group that I trust to honor privacy even less than any of our governments it's large corporations. And if there's any group that I trust less than large corporations to honor privacy, it's crackers.
Does anybody know if these crackers are anything more than greedy script kiddies?
With this kind of thing (governments eroding privacy, eroding any attempts to use encryption, private sector being even worse about privacy, etc.) the average law-abiding citizen in any country might as well post a daily log of all their activities and financial statements to USENET, because everybody could get to the info anyways.
And, jeez, how hard is it, really, to separate a bank network from the internet entirely and only allow absolutely necessary things through firewalls? (and to keep computers up-to-date, for that matter) Or is this all mostly being done by people that manage to get access (somehow) to terminals in the banks themselves?
The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).
Most of the time, the banks don't even bother with verifying the cracker's claims. They just pay up the cash and be done with it. You'd be surprised at just how lax most banks are with their internal security. Oh, this system is inside the network so we don't even have to worry about encrypting the comms between our two mainframes even though they're located at two different sites 50Km apart.
Another interesting hole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.
Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra. Fscking idiots!
you never lose the Dane.
Of all the policies I've heard, this is the most short-sighted. Of course, not much detail is given out, but I can see this already:
1. crack root on one bank's machine.
2. metastasize into the whole LAN.
3. install backdoors everywhere.
Now:
4. give a vivid demo + ransom instructions, signed with one handle. Obtain ransom. Observe which backdoors are undone. Restore what you can.
5. wait.
6. if (backdoors >= 1) {
   a. select new handle and set of ransom instructions.
   b. repeat steps 4 and 5.
}
Lovely, eh?
This is exactly the kind of attitude I can't understand in the capitalistic world we're living in.
.....
Sure, in the short term it's cheaper to pay the hackers to send them elsewhere (like your competitor). But in the long term this really is bad:
* Crackers will see in such a deal a good way to make money, they'll come back (this will increase the cost of security)
* Since they just pay the cracker and don't do anything about security, what will happen when the cracker doesn't try to get paid by the bank but takes what he wants
In the long term the money should be spent on increasing security
none Yet.
Why go to the trouble of actually doing something when you can just cash in on threats?
Make $$$ in your spare time! Have the bank pay you for your cracking skills!
it appears that it is actually cheaper to get this 'protection' from hackers than to employ a 'security expert' to protect the system.
I think that, at some point, giving in to these people will legitimize malicious cracking in the eyes of many. This will only lead to more cracking attempts, and the more people there are trying to crack systems, the more likely a given system is to fall.
:-)
Furthermore, this is bad because banks depend heavily on the trust of regular people. Since they take the money you deposit into your savings account and loan it out, making money on the interest the borrowers must pay, it isn't good for the bank if too many people lose faith at once and come for their savings.
I wouldn't feel good about having my money in a bank that gives in to the demands of script kiddies.
Take care,
Steve
Gee with this sort of behavior, I can only wonder how long it'll be before there's financial security in our time.
Idiots.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Overheard on an unsecured line:
"Did you pay off the hackers?"
"Yes, they're covered."
"How bout the crackers?"
"Ya, we got them too."
"Snackers?"
"Trying to find them."
"Meat packers?"
"I can only work so fast boss..."
Hotnutz.com
Isn't this MicroSoft's standard operating procedure?
MrCreosote Meow!Thump!Meow!Thump!Meow!Thump! "You're right! There isn't enough room to swing a cat in here!"
And don't underestimate the influence law enforcement has on policy, especially in the uniquely British system of banking. And London journalism is nothing if not sensational.
-fb Everything not expressly forbidden is now mandatory.
Let's say that a 200k$ machine breaks DES on a 3.5 day average (has been done!). So 20k$ breaks it on 35 day average. And 2k$ breaks it on 1 year average! So security depends on the expiration time for the data: 1 year -> 50% chance of success, 6 months -> 25% etc. Key change rate is also important. Already with 1% chance of BIG payoff such a machine is mighty tempting.
LINUX stands for: Linux Inux Nux Ux X
FRA: STFU GTFO
This issue has been discussed on the UK Crypto mailing list since the article appeared in the Sunday Times last weekend. The whole meat of the article is unsubstantiated and is simply not true. The same spiel has been going the rounds for several years now, apparently hyped up by the spooks at GCHQ who are trolling for business reviewing commercial software system security.
Now I wonder why GCHQ want to know how banks and institutions secure themselves?
-- BtB
I can think of two possible scenaria, one which makes sense and another which does not:
And anybody who's taken a glance at Lord Gnome's organ (Private Eye) lately will also be aware of his general incompetence...
Being convinced that the internet is the tool of anti-capitalist anarchists, and was used to orchestrate violence at a demonstration in London, he contacted the organisers of the demonstration purporting to be interested in more direct action, as opposed to shouting and waving a placard about... ie yer basic journalistic sting. The only problem was, he used his Times email address to send the email, which was a bit of a bad oversight, really.
Not one to be worried, he tried again, this time sending from a hotmail account. Unfortunately, the thought never occurred to him that he should register the account in a name other than his own, thereby advertising who he was for all to see in the From: header.
Doesn't exactly inspire much confidence in his abilities...
Can you sum it up in a word? *No.* In a noise? *Whuuuurghhhhh!*
I think you've been watching too many films - most people would demand tens of thousands as it's far easier to get away with. Millions is hollywood and people that haven't thought it through. Most people in the UK that have been caught, have tried to set up systems to withdraw the ransoms from cash machines in several hits, and have been caught by the cash machine cameras. Not very clever as the cash machine is the perfect way to get the cash away from a random unknown location...
Cut out the blank lines will you? It just makes you look like a berk, and annoys the hell out of the rest of us.
Search for "CYBERSTRIKE" the articles on this very subject from back in 93 I believe. (At work, non work related surf, can't do a legitimate url paste sorry.) Now let's see if I remember correctly. $13m * 8-12 banks in the US and UK (that admit it) and here we are 6 years later? Seems someone needs to fund more covert ops perhaps.
It's gonna happen one way or another. But what if the crackers are just pulling their leg? I mean, they could just call up a bank, get the Head Suit, and tada, big payoff. But, if they are telling the truth, it's their vault, pay whoever they want with it.
Ungoed-Thomas has been trying out his nefarious tricks elsewhere:
(extracted from Schnews - Brit eco-activist newsletter)
If you receive any unsolicited emails from wide-eyed activist females, don't count yourself so popular; it could be our mates at the Sunday Times with another lesson in the value of media liaison. While journalist Mark Macaskill came across reasonably enough, emailing activists with an approach to interview them, his colleague took a different tack.
So, it must now be our turn to take the piss out of super-sleuth journo John Ungoed-Thomas, who sent out a few emails under false names, in the hope of getting back some juicy info for an article.
'Jo' is just one 'committed environmental and anti-corporation activist' apparently now flocking to the ranks of our burgeoning movement, if an email recently received by Friends of the Earth is anything to go by. She wants to know how to get more involved in direct action, having 'really enjoyed' June 18 [anti-capitalist riots in London earlier this year]. Likewise, 'Laura' who eco-columnist George Monbiot of the Guardian was privileged to hear from, describes herself as a 'committed anti-corporationist' and is eager to help in any way she can. Any ideas? Perhaps Laura and Jo might benefit from a few words of advice from someone more canny in covering their tracks, for both sent emails from addresses leading back to Clouseau-esque Ungoed-Thomas, the master of disguise himself. Hardly for us to take the piss now; he's practically giving it away.
Just as people don't call rustlers "cowboys" or (sea) pirates "sailors", so they won't call crackers "hackers" (though the former is almost an included set of the latter in all three cases).
Good for you, USA Today!
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
So soon they were networked, and checked the real records of the account. Big improvement.
But it costs a lot to keep the banks' machines up 24x7. So they went to standalone mode on weekend nights. And again they trusted the card, and again they were vulnerable.
I hear that one major bank in Detroit didn't bother with the extra shift on Sunday night when they were only losing $10K/weekend. When it got up to $100k, they paid for the extra shift, and the window of opportunity became very narrow and sporadic. (And nowadays the hosts are up so much of the time that they can program the ATMs to go out-of-service if they can't reach the host. So for these machines the window is zero.)
The same will likely happen with the blackmailers. If there are ever so many that it's cheaper for the banks to fight them than to pay them off they'll fight 'em. Meanwhile, they can gain breathing room to work on their security by keeping the current few at bay with payoffs. And they can try to trace the payoffs and bust the blackmailer-of-opportunity now and then.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
oxymoron: "cracked windows" etymology: the "united lone gunman" cracker is so-named as an exercise in delayed cognitive blow-back. It seems there is no such thing as a "lone crazed" ANYTHING. http://www.madcowprod.com/4thissue/Sealp.htm
Thanks.
Criminals always find a way to leverage physical force for money. It's an old, old, game. Of course, being able to do it remotely and internationally, is just cool as all hell. When's a good CRACKER movie coming out??
+&x
So the next obvious question is, does this get covered by insurance? If so, why isn't the insurance company screaming about getting some security installed and maintained? Or are they making more in premiums than losing in payouts and fine with things as they are?
While I don't know for sure, I'd be reasonably confident that the transaction-processing network is secure. For one thing, it's not TCP/IP based, it's probably DES encrypted (and despite its vulnerability to a well-funded attack, there's no evidence that anybody other than the EFF and the various TLAs have built the necessary hardware), and the banks have had plenty of practice securing these systems.
However, I'd imagine that the PC networks of your average bank are like most companies' networks - leaking like a sieve. I'm sure there's plenty of material lying around on those corporate hard drives that's quite blackmail-worthy.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
It seems much more likely that authorities could trace a single such (planned) transaction (even if it goes through an online Swiss bank or something) than if J. Random Cracker just transferred the $10 million to his account without the bank's knowledge. So, why would J. even demand a payoff at all unless he's bluffing or too stupid to realize he's increasing the chances of being caught?
Now, there may be some arguments about morality and ethics and all that, but we are after all talking about large corporations, which aren't exactly paragons of virtue. They should phone up Big Tobacco or the gun lobby in the States if they need some pointers on technique.
As I suspected when I saw the reference to the Sunday Times, the original article that was cited in USA Today was authored by Jon Ungoed-Thomas. Readers of ntk.net will be familiar with Ungoed-Thomas as a journalist who is long on unsubstantiated sensation, and very short on fact checking, and who is building a career out of predicting the collapse of civilization as a result of the Internet.
I'd take this particular article with a few large and tasty grains of salt.
if once you have paid him the danegeld
You never get rid of the Dane.
From "Danegeld" by Rudyard Kipling
I work in the financial messaging sector of IT, and I find it difficult to believe that crackers have actually managed to move money from Bank Account A to Bank Account B.
You'd not only need to be a fairly talented cracker to get into the bank's network in the first place - but you'd also have to have an in-depth knowledge of how banking transactions work to actually pass the money around.
I've been working in this industry for five years now - working with a large number of banks - and I still don't think I could get away with it...
Gentlemen, start your penguins
Welcome to the next level. In the very near future, this type of activity will become all too common, and it will spread. Banks are high-publicity targets because the world in which we live is utterly obsessed with money.
How long will it be before eco-fanatics stop spray painting fur coats and simply trash the offending company's network? How long until terrorists simply threaten to destroy New York's phone systems until their demands are met? Not long, I say.
Yes, countries will always send soldiers with guns to do the dirty work. Many things won't change.
The potential situation with banks is just the tip of the iceberg...
Honest, I'm not 'united lone gunman'. I had to hear about him from TV, spoon-feed for script kiddies--Dvorak, Silicon Spin, ZDTV, 19990920, "Drudge probably doesn't know it yet, but his site, along with many other NT sites, has been hacked(cracked!) by the 'united lone gunman' ". etymology: 'united lone gunman'-- http://www.dcia.com/prouty.html http://www.google.com/search?q=McCaffrey+Conein+Lansdale
Hey, that's security through obscurity.
The money should be out on the kitchen table. Near the windows.
heh
The moral of the story is that "Joe O'Public" is very gullible and can be led like sheep by unscrupulous "journalists". Because as you know anything to do with computers, e-mail, and micro-wave ovens is arcane and evil.
Hey, I have security. Money in the mattress and a shotgun beside the bed.
A little editorial control wouldn't have gone amiss here. Surely it is patently obvious that a story at "USA Today" is very unlikely to be "News for Nerds. Stuff that Matters"? Indeed, it's not even really a "USA Today" story, just lifted from "The Times" (no longer "the newspaper of record"; more of an upmarket National Enquirer). Slashdot really shouldn't be cluttered with second-hand reworkings of stuff that Ungoed-Thomas (as another poster has pointed out) probably made up in the first place.
Please help me, I am confused.
What kind of message are we trying to give to the Joe o' Public out there?
That blackmailing banks is good?
That crackers (or in the NYT-speak, Hackers) are bad people who make a living by blackmailing others?
That banks are wimps waiting to be blackmailed?
That the future is bleak because our money is not safe no more in those wimpy banks?
What actually is the moral to this story, huh?!
Muchas Gracias, Señor Edward Snowden !
Stories like these (and, less frequently, those debunking them) have been going around for years. I'm extremely skeptical, especially with this latest article. Okay, so banks are giving payouts of millions of dollars to hackers, but the author can't get one single law enforcement officer or spokesperson to give a comment on the record? Gimme a freakin' break. Police departments would be more than happy to speak out about this, using it as an excuse to increase their funding. It's just as likely that banks are putting forth this excuse to cover up losses due to embezzlement and other crimes by their own bad-apple employees.
Whether any of it is true or not, I wouldn't rely on this article as a source if you paid me. Makes me wonder who's really being "taken for a ride," as the article puts it.
Cheers,
ZicoKnows@hotmail.com
Somehow I remember reading exactly the same story about two/three years ago.
I guess newspapers have some kind of archive which they use to fill up their pages over and over again.