The Hacking Job: Here’s how banks lose money to cybercriminals
With today’s continuous rise in online banking and other financial transactions, it seems that going digital is now also a preferred method for theft — monetary or otherwise. The old-fashioned way of robbing banks through sheer force, like the one at the beginning of The Dark Knight or through stealth and creativity as shown in heist films such as in Ocean’s Eleven, may look as outdated to the modern criminals of today who prefer a more subtle approach that requires less physical effort: hacking.
Cybercrime is just one of the many possible dangers of going digital, and with consumers increasingly looking for more digital services such as online and mobile payments from financial institutions we can expect more banks to improve their digital infrastructure by installing the latest data security measures.
But these unfortunately aren’t enough against hackers who constantly find new ways of penetrating a bank’s entire network. Aside from updating data security software, bank personnel should also be updated with the latest hacking trends. In light of this, IPC, local cloud pioneer and the first and only DDoS mitigation service provider in the country with a local data scrubbing facility, came up with a list of the five most common bank hacking techniques criminals use against banks and some tips on how to overcome them.
1. Fake I.T. staff
Maintaining and operating digital transactions in an efficient manner is critical for banks. In order to gain new customers and keep their loyalty, they must hire some of the best I.T. technicians to keep the whole engine running smoothly without any bumps along the way.
Because I.T. personnel can have access to the entire digital infrastructure of the bank, some hackers pretend to be one just so that they can infiltrate the network.
One such attempt happened back in September of 2013 when a man posing as an I.T. engineer walked away with £1.3 million using a keyboard video mouse (KVM) switch which he installed prior to the theft. The device gave the criminals remote access to Barclays’ machines. Fortunately, Barclays noticed the transaction and a week after the heist, the eight people behind it were arrested.
As a way to avoid this predicament, banks should conduct background checks as part of their hiring process. One rogue I.T. employee can do more damage than an army of hackers. Also, as a way to mitigate risks, bank admins should consider implementing separation of duties and two or multiple person access control so that sensitive tasks are managed appropriately.
2. Decoy DDoS attacks
There have been reported instances of Distributed Denial of Service (DDos) attacks being used as a decoy for another attack. This involves hackers first taking down a bank’s website by sending thousands of requests. Because a bank’s I.T. personnel will scramble to get the site back up and running, the bank is now open to a more technical and surgical attack. One of the earliest accounts of this happening was back in Christmas of 2012 when $900K was taken under the veil of a DDoS attack.
The bank’s I.T. personnel aren’t at fault here. Most banks and financial institutions have already established an online presence for customers, thereby making their website a priority.
Banks can seek help from companies who offer DDoS mitigation services to keep their website up and running. IPC’s DDoS mitigation service can help websites withstand DDoS attacks while maintaining low latency due to having its own data scrubbing center in the country. This enables IPC to deliver faster turnaround time for data transmission despite an attack.
Banks should also consider increasing their in-house I.T. security personnel just so they can have enough manpower to fend off attacks from both sides.
3. Malware through phishing
Another way hackers can gain access to banks is to send phishing emails to employees that contain malware. Back in 2014, a single employee of JPMorgan fell for the attack which led to 76 million households being compromised. Weeks after the incident, JPMorgan “tested” its employees by sending a fake phishing email and a whopping 20% of the staff opened it.
This is quite alarming as according to Forcepoint (then Websense) in a 2015 survey, phishing attacks against financial institutions is 300 percent higher than those from other industries.
Once activated, the malware can record keystrokes and take screenshots of the bank’s computers, such as what happened in the Bangladesh Bank hack a year ago where $951 million dollars were almost stolen through SWIFT (Society for Worldwide Interbank Financial Telecommunication)—a cooperative of 3,000 financial institutions which oversees millions of global cash transfers every day through their messaging system. ATMs are also compromised here and when hacked, can make unlimited withdrawals such as what happened in Russia last year.
Malware attacks also compromise the details of account holders since these are usually stored inside banks. Through this, it can be possible for criminals to siphon money from their accounts and even send them the malicious email attachment.
As a precaution, banks should consider educating their employees when it comes to phishing emails, malicious links, and the basics of file extensions and executable files. Also, banks should always update their antivirus software in order to detect and remove malware.
Technically a malware, ransomware deserves a spot in this list just because of its high success rate. It has even got to the point that banks are now buying and storing bitcoins to pay off criminals immediately whenever such an attack happens.
When executed, a ransomware “locks” and encrypts almost every file stored inside a machine, thereby barring users from them. A usual attack features a ransom note demanding people to pay up to get their files back within a period of time.
The reason for the sudden rise in the number of ransomware attacks is its low cost to develop and the higher payback. In fact, there are ransomware “construction kits” such as Tox which are available for free in the dark web, according to McAfee.
Paying up isn’t actually a solution since it empowers criminals and will just give them more confidence to attack elsewhere. A more viable way to face ransomware is to backup all files which can circumvent the malware used to get banks to pay up in the first place.
5. Hacking through smartphone apps
Smartphones are also vulnerable to malicious software and when compromised, could resort to millions of dollars being stolen. Back in 2015, four of Australia’s largest banks customers were targeted by a sophisticated Android attack which managed to remove two-factor authentication system and stole banking details.
Millions of customers of these four banks have been put at risk by the malware which gets activated when a banking app is opened.
The sophisticated malware puts a fake login screen on the phone and uses that to capture the users’ private details. It is designed to look like login screens for various popular and distinguished applications.
Downloading apps from trusted app stores is the best solution when it comes to malicious smartphone applications. Such legitimate app stores conduct security scans on their apps catalogue to look out for malware. In a white paper released by Google, they admitted that Google Play conducts 200 million security scans every day as part of efforts to remove malware.
Humanity — best layer of security
Taking into account all of the above, it is clear that the human element is key in all of this. When it comes to hacking banks, employees and bank account holders are the first to be affected and our actions can either help stop the hack or make it infinitely worse.
The perpetrators of the Bangladesh Bank heist would’ve gotten away with $951 million if not for Zubair Bin Huda, a joint director of the bank, recognizing that the tray of a printer responsible for making paper copies of SWIFT transactions was empty, despite knowing on his end that transactions were being made. After failing to print those manually, his inquiry of the error led to the discovery of the massive theft.
“This hacking phenomenon is a reality that causes significant damage not only to financial institutions but to all of us,” said Niño Valmonte, the Director for Marketing and Digital Innovation of IPC. “Employing the latest security features and updating them can help mitigate this but we must also take it unto ourselves to study how these hackers operate if we want to face them.”
Undoubtedly in today’s digital age where almost everyone and everything is connected, it is our responsibility to arm ourselves with the knowledge of technology and more importantly, with the knowledge of protecting our data. As the saying goes, “a little knowledge goes a long way,” and this may someday stop hackers from stealing your money.