Bangkok Post

BREAKING THE BANK: HOW HACKERS ARE REDEFINING THE TRADITIONAL HEIST

Thieves have found a way to deliver higher rewards than an old-fashioned hold-up or vault robbery, with much less risk

- By Jeremy Wagstaff and Jim Finkle

No need for stocking masks and sawn-off shotguns. The unprecedented heist of US$81 million (2.85 billion baht) from the US account of Bangladesh’s central bank is the latest among increasingly large thefts by criminals who have leveraged the speed and anonymity of hacking to revolutionise burgling banks.

Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage.

Typically, security and cybercrime experts say, hackers break into the computer systems of financial institutions and make, or incite others to make, fraudulent transactions to pliant accounts. Organised crime then uses techniques developed over decades to launder the money, giving the alliance much higher rewards than a hold-up or bank vault robbery, with much less risk.

“The internet has made it easier for criminals to get inside banks,” said Shane Shook, an independent security consultant. “Criminals are moving away from consumer-targeted attacks to much more substantial bank hacks because it takes less effort to get more money.”

There’s no evidence that old-fashioned bank robberies are in decline. But there are increasing instances of the cyber variety of the crime.

Last year, researchers at Russian security software maker Kaspersky Lab publicised the activities of the prolific Carbanak gang, which it says hacked into banks, then ordered fraudulent money transfers and also forced ATMs to spit out cash. Mr Kaspersky estimates the group hit as many as 100 banks, with losses averaging from $2.5-$10 million per heist.

A Turkish computer hacker pleaded guilty in a US court in March to one of the most astonishing crimes in this category: “Cashing crews” pulled $40 million out of automated teller machines in 24 countries over a 10-hour period. The 2013 heist was accomplished with the precision of a Hollywood drama, thanks to hackers who breached financial networks, then inflated balances on prepaid debit cards.

In another case, Russian banks lost more than $25 million over the past six months to a hacker group infecting their computers using tainted phishing emails, according to Russian security firm Group IB.

The malware gave the hackers access to the bank’s inner network, allowing them to craft seemingly authentic transfer requests via networks including the same Swift messaging system used in the Bangladesh Bank attack.

“It [the malware] provides remote access to the attacker. Then the attacker manually orders fraudulent transfers over Swift or other payment systems,” said Dmitry Volkov, head of cyber intelligence for Group IB.

In the Bangladesh case, the bank says unknown hackers used malware to access the central bank’s computers and spoof messages to the US Federal Reserve Bank. They transferred $81 million from the central bank’s account at the New York Fed to Philippine banks.

The funds were then passed on to casinos and handed over in cash to a junket operator in Manila, according to testimony at a Senate hearing in the Philippines.

A transfer of $20 million to an entity in Sri Lanka was reported as suspicious because of a spelling mistake in its name and reversed.

UNREPORTED HEISTS

Cyber fraud experts say they expect more big heists because the industry has yet to properly defend itself. “The fact is that most of the breaches that happen don’t get reported,” said Bryce Boland, chief Asia-Pacific security officer of computer security company FireEye.

One senior banking security executive, who declined to be identified because he was not authorised to speak to the media, said he had worked on three cases of cyber thefts that his bank clients had not reported to regulatory authorities. He said the largest involved about $20 million.

In many jurisdictions, banks and financial services companies were not required to report breaches unless there’s a material impact, Mr Boland said.

The definition is left vague enough so that many are not reported at all.

Mr Boland said that while 20% of his banking customers had been targeted in the second half of last year, FireEye had also found cases of financial services companies not realising they had been breached, in one case leaving the attackers inside their computers for five years.

An ongoing Senate hearing in the Philippines is still struggling to determine how the stolen money was laundered. In most cases the heists go unpunished and the perpetrators remain a mystery.

FireEye’s Mr Boland said the company has compiled detailed dossiers on six of the groups behind attacks on financial services companies, but he said he had less complete data on 600 other groups.

Not all focus on extracting money, he added. Hackers aimed at specific institutions, often at specific individuals, and often for financially useful data — inside information on mergers and acquisitions, for example, or data that could be used to create fake credit cards.

TOUGH QUESTIONS: Philippine senator Teofisto Guingona III shows a document during hearings into how $81 million of Bangladesh’s stolen funds were sent to four Philippine accounts.
DEPOSIT SLIP-UP: Maia Deguito, right, manager of the Rizal Commercial Banking Corp branch in Manila’s financial district, answers a question during a Senate hearing in Manila.
SWIFT AND SURE: Hackers exploited the Swift international payment network to break into the Bangladesh central bank in February, making off with US$81 million.
COLLATERAL DAMAGE: Bangladesh Central Bank governor Atiur Rahman resigned in the wake of the massive cyber heist.
