The Hack­ing Job: Here’s how banks lose money to cy­ber­crim­i­nals

Sun.Star Pampanga - - BUSINESS! -

With to­day’s con­tin­u­ous rise in on­line bank­ing and other fi­nan­cial trans­ac­tions, it seems that go­ing dig­i­tal is now also a pre­ferred method for theft — mone­tary or oth­er­wise. The old-fash­ioned way of rob­bing banks through sheer force, like the one at the be­gin­ning of The Dark Knight or through stealth and cre­ativ­ity as shown in heist films such as in Ocean’s Eleven, may look as out­dated to the mod­ern crim­i­nals of to­day who pre­fer a more sub­tle ap­proach that re­quires less phys­i­cal ef­fort: hack­ing.

Cy­ber­crime is just one of the many pos­si­ble dan­gers of go­ing dig­i­tal, and with con­sumers in­creas­ingly look­ing for more dig­i­tal ser­vices such as on­line and mo­bile pay­ments from fi­nan­cial in­sti­tu­tions we can ex­pect more banks to im­prove their dig­i­tal in­fra­struc­ture by in­stalling the lat­est data se­cu­rity mea­sures.

But these un­for­tu­nately aren’t enough against hack­ers who con­stantly find new ways of pen­e­trat­ing a bank’s en­tire net­work. Aside from up­dat­ing data se­cu­rity soft­ware, bank per­son­nel should also be up­dated with the lat­est hack­ing trends. In light of this,

IPC, lo­cal cloud pi­o­neer and the first and only DDoS mit­i­ga­tion ser­vice provider in the coun­try with a lo­cal data scrub­bing fa­cil­ity, came up with a list of the five most com­mon bank hack­ing tech­niques crim­i­nals use against banks and some tips on how to over­come them.

Main­tain­ing and op­er­at­ing dig­i­tal trans­ac­tions in an ef­fi­cient man­ner is crit­i­cal for banks. In or­der to gain new cus­tomers and keep their loy­alty, they must hire some of the best I.T. tech­ni­cians to keep the whole en­gine run­ning smoothly with­out any bumps along the way.

Be­cause I.T. per­son­nel can have ac­cess to the en­tire dig­i­tal in­fra­struc­ture of the bank, some hack­ers pre­tend to be one just so that they can in­fil­trate the net­work.

One such at­tempt hap­pened back in Septem­ber of 2013 when a man pos­ing as an I.T. en­gi­neer walked away with £1.3 mil­lion us­ing a key­board video mouse (KVM) switch which he in­stalled prior to the theft. The de­vice gave the crim­i­nals re­mote ac­cess to Bar­clays’ma­chines. For­tu­nately, Bar­clays no­ticed the trans­ac­tion and a week af­ter the heist, the eight peo­ple be­hind it were ar­rested.

As a way to avoid this predica­ment, banks should con­duct back­ground checks as part of their hir­ing process. One rogue I.T. em­ployee can do more dam­age than an army of hack­ers. Also, as a way to mit­i­gate risks, bank ad­mins should con­sider im­ple­ment­ing sep­a­ra­tion of du­ties and two or mul­ti­ple per­son ac­cess con­trol so that sen­si­tive tasks are man­aged ap­pro­pri­ately.

There have been re­ported in­stances of Dis­trib­uted De­nial of Ser­vice (DDos) at­tacks be­ing used as a de­coy for an­other at­tack. This in­volves hack­ers first tak­ing down a bank’s web­site by send­ing thou­sands of re­quests. Be­cause a bank’s I.T. per­son­nel will scram­ble to get the site back up and run­ning, the bank is now open to a more tech­ni­cal and sur­gi­cal at­tack. One of the ear­li­est ac­counts of this hap­pen­ing was back in Christ­mas of 2012 when $900K was taken un­der the veil of a DDoS at­tack.

The bank’s I.T. per­son­nel aren’t at fault here. Most banks and fi­nan­cial in­sti­tu­tions have al­ready es­tab­lished an on­line pres­ence for cus­tomers, thereby mak­ing their web­site a pri­or­ity.

Banks can seek help from com­pa­nies who of­fer DDoS mit­i­ga­tion ser­vices to keep their web­site up and run­ning. IPC’s DDoS mit­i­ga­tion ser­vice can help web­sites with­stand DDoS at­tacks while main­tain­ing low la­tency due to hav­ing its own data scrub­bing cen­ter in the coun­try. This en­ables IPC to de­liver faster turn­around time for data trans­mis­sion de­spite an at­tack.

Banks should also con­sider in­creas­ing their in-house I.T. se­cu­rity per­son­nel just so they can have enough man­power to fend off at­tacks from both sides.

An­other way hack­ers can gain ac­cess to banks is to send phish­ing emails to em­ploy­ees that con­tain mal­ware. Back in 2014, a sin­gle em­ployee of JPMor­gan fell for the at­tack which led to 76 mil­lion house­holds be­ing com­pro­mised. Weeks af­ter the in­ci­dent, JPMor­gan “tested” its em­ploy­ees by send­ing a fake phish­ing email and a whop­ping 20% of the staff opened it.

This is quite alarm­ing as ac­cord­ing to For­ce­point (then Web­sense) in a 2015 sur­vey, phish­ing at­tacks against fi­nan­cial in­sti­tu­tions is 300 per­cent higher than those from other in­dus­tries.

Once ac­ti­vated, the mal­ware can record key­strokes and take screen­shots of the bank’s com­put­ers, such as what hap­pened in the Bangladesh Bank hack a year ago where $951 mil­lion dol­lars were al­most stolen through SWIFT (So­ci­ety for World­wide In­ter­bank Fi­nan­cial Telecom­mu­ni­ca­tion)— a co­op­er­a­tive of 3,000 fi­nan­cial in­sti­tu­tions which over­sees mil­lions of global cash trans­fers ev­ery day through their mes­sag­ing sys­tem. ATMs are also com­pro­mised here and when hacked, can make un­lim­ited with­drawals such as what hap­pened in Rus­sia last year.

Mal­ware at­tacks also com­pro­mise the de­tails of ac­count hold­ers since these are usu­ally stored in­side banks. Through this, it can be pos­si­ble for crim­i­nals to siphon money from their ac­counts and even send them the ma­li­cious email at­tach­ment.

As a pre­cau­tion, banks should con­sider ed­u­cat­ing their em­ploy­ees when it comes to phish­ing emails, ma­li­cious links, and the ba­sics of file ex­ten­sions and ex­e­cutable files. Also, banks should al­ways up­date their an­tivirus soft­ware in or­der to de­tect and re­move mal­ware.

Tech­ni­cally a mal­ware, ran­somware de­serves a spot in this list just be­cause of its high suc­cess rate. It has even got to the point that banks are now buy­ing and stor­ing bit­coins to pay off crim­i­nals im­me­di­ately when­ever such an at­tack hap­pens.

When ex­e­cuted, a ran­somware “locks” and en­crypts al­most ev­ery file stored in­side a ma­chine, thereby bar­ring users from them. A usual at­tack fea­tures a ran­som note de­mand­ing peo­ple to pay up to get their files back within a pe­riod of time.

The rea­son for the sud­den rise in the num­ber of ran­somware at­tacks is its low cost to de­velop and the higher pay­back. In fact, there are ran­somware “con­struc­tion kits” such as Tox which are avail­able for free in the dark web, ac­cord­ing to McAfee.

Pay­ing up isn’t ac­tu­ally a so­lu­tion since it em­pow­ers crim­i­nals and will just give them more con­fi­dence to at­tack else­where. A more vi­able way to face ran­somware is to backup all files which can cir­cum­vent the mal­ware used to get banks to pay up in the first place.

Smart­phones are also vul­ner­a­ble to ma­li­cious soft­ware and when com­pro­mised, could re­sort to mil­lions of dol­lars be­ing stolen. Back in 2015, four of Aus­tralia’s largest banks cus­tomers were tar­geted by a so­phis­ti­cated An­droid at­tack which man­aged to re­move two-fac­tor au­then­ti­ca­tion sys­tem and stole bank­ing de­tails.

Mil­lions of cus­tomers of these four banks have been put at risk by the mal­ware which gets ac­ti­vated when a bank­ing app is opened.

The so­phis­ti­cated mal­ware puts a fake lo­gin screen on the phone and uses that to cap­ture the users’pri­vate de­tails. It is de­signed to look like lo­gin screens for var­i­ous pop­u­lar and dis­tin­guished ap­pli­ca­tions.

Down­load­ing apps from trusted app stores is the best so­lu­tion when it comes to ma­li­cious smart­phone ap­pli­ca­tions. Such le­git­i­mate app stores con­duct se­cu­rity scans on their apps cat­a­logue to look out for mal­ware. In a white pa­per re­leased by Google, they ad­mit­ted that Google Play con­ducts 200 mil­lion se­cu­rity scans ev­ery day as part of ef­forts to re­move mal­ware. Hu­man­ity — best layer of se­cu­rity Tak­ing into ac­count all of the above, it is clear that the hu­man el­e­ment is key in all of this. When it comes to hack­ing banks, em­ploy­ees and bank ac­count hold­ers are the first to be af­fected and our ac­tions can ei­ther help stop the hack or make it in­fin­itely worse.

The per­pe­tra­tors of the Bangladesh Bank heist would’ve got­ten away with $951 mil­lion if not for Zubair Bin Huda, a joint di­rec­tor of the bank, rec­og­niz­ing that the tray of a printer re­spon­si­ble for mak­ing pa­per copies of SWIFT trans­ac­tions was empty, de­spite know­ing on his end that trans­ac­tions were be­ing made. Af­ter fail­ing to print those man­u­ally, his in­quiry of the er­ror led to the dis­cov­ery of the mas­sive theft.

“This hack­ing phe­nom­e­non is a re­al­ity that causes sig­nif­i­cant dam­age not only to fi­nan­cial in­sti­tu­tions but to all of us,” said Niño Val­monte, the Di­rec­tor for Mar­ket­ing and Dig­i­tal In­no­va­tion of IPC. “Em­ploy­ing the lat­est se­cu­rity fea­tures and up­dat­ing them can help mit­i­gate this but we must also take it unto our­selves to study how these hack­ers op­er­ate if we want to face them.”

Un­doubt­edly in to­day’s dig­i­tal age where al­most ev­ery­one and ev­ery­thing is con­nected, it is our re­spon­si­bil­ity to arm our­selves with the knowl­edge of tech­nol­ogy and more im­por­tantly, with the knowl­edge of pro­tect­ing our data. As the say­ing goes, “a lit­tle knowl­edge goes a long way,” and this may some­day stop hack­ers from steal­ing your money.

(Press Re­lease)

Newspapers in English

Newspapers from Philippines

© PressReader. All rights reserved.