Bank heists have gone digital
Computers and the internet keep the wheels of the modern financial system turning. They enable banks to move money, serve customers, and provide loans on a global scale and at unprecedented speed. But technology has also transformed how criminals operate. Instead of breaking into banks by carrying guns and stealing cash, criminals now use digital tools to siphon money from customer accounts without getting caught. In 2018, for instance, more than two thirds of financial institutions reported an increase in the number of cyber-attacks.
Hackers are also becoming increasingly bold in their attacks. Often supported by state actors and protected from prosecution, they target both central and commercial banks, trying to steal billions of dollars by exploiting security loopholes and employee mistakes. And as soon as security teams block one point of entry, thieves find new ways of breaching into the finance system. The effects of those attacks can be devastating, with loss of money the least of anyone’s worries, which is why investments in cybersecurity systems are critical for banks to survive modern, digital heists.
Cyber-attacks are a threat to both big banks and small startups
Cyber-attacks are not only growing in scale, but in complexity, too. Almost 80 per cent of financial institutions report that hackers are becoming more sophisticated, deploying targeted social engineering attacks and remaining in the network for a long time. What’s more, 26 per cent of banks faced destructive attacks in 2018, with criminals simply trying to destroy data rather than steal money. And even when they improve the security of their digital operations, financial organisations have to monitor supply chain partners as well, since hackers sometimes use them to infiltrate bank infrastructure.
And big retail banks that boast millions of customers are obvious targets for cyber criminals. These institutions typically have legacy systems that are prone to failure and have major security flaws. Meanwhile, fintech startups launch their business using the latest digital tools that were built with security in mind. But that doesn’t necessarily result in fewer data breaches. Fintech startups can also make security mistakes in many different ways, and hackers only need to exploit one. Money, data, and assets could all be gone in a second.
And once a bank is hacked, problems escalate fast. Loss of customer confidence can “lead to a run on deposits”, warns the Monetary Authority of Singapore (MAS), the country’s central bank. Massive cash withdrawals destabilise the bank, leading to its potential collapse and negative effects on the wider financial system. MAS argues that, in such a situation, authorities should temporary close the market to stop economic panic from spreading in the country. And if needed, the central bank should consider providing commercial financial institutions with the money needed to survive a liquidity crunch.
One of the greatest cyber-heists in history
Hackers have been targeting banks for decades, but one of the biggest cyber-thefts happened in 2016. It all started when unsuspecting employees of the Bangladesh Central Bank (BCB) downloaded malware from a phishing email. It enabled criminals to access the bank’s network and move through the system, eventually overtaking computers that were authorised to communicate with SWIFT, a global inter-bank messaging platform that facilitates international funds transfers. And on February 5, 2016, the hackers started their operation.
They manipulated BCB’s systems to send a number of SWIFT messages to the New York branch of the US Federal Reserve (New York Fed), ordering it to transfer $951 million to various accounts in the Philippines and Sri Lanka. Usually, BCB’s employees would have been made aware of the transfers through an order sent to their printers from the New York Fed, but the hackers planted malware that disabled the bank’s printers. Around $81 million was already transferred when Deutsche Bank, a routing bank for a $20 million transfer, reached out to BCB because of a spelling mistake. Namely, criminals wrote “fandation” instead of “foundation”, and the German institution wanted to clarify how to proceed in this case. That made BCB aware of the heist, and it reached out to the New York Fed to stop the transfers. And although it managed to prevent hundreds of millions of dollars from being stolen, the hackers ended up with more than $80 million that were quickly withdrawn and laundered through casinos in Manila and in many other ways. The Bangladesh Central Bank blames North Korean hackers for pulling off this operation.
Mexican banks lost more than $20 million
In January 2018, a group of hackers suspected to be working for Lazarus, a North Korean state-sponsored group, tried to steal $110 million from the Mexican bank Bancomext. Although they were unsuccessful, the country witnessed another major attack just a few months later. The still unidentified group of cyber criminals managed to breach into the internal servers of several Mexican banks and SPEI, the domestic money transfer platform run by Banco de México, the country’s central bank. Once inside, the attackers moved quickly to exploit lax security protocols and compromised employee credentials.
They initiated hundreds of transfers from nonexistent sources to pseudonymous accounts and manipulated the payment system to ensure that the receiving banks accept those payments. The transactions were usually small, in the range of a few hundred or thousand dollars, making them less suspicious. Then, hundreds of individuals, or ‘mules’, that received the money made multiple cash withdrawals, which resulted in roughly $15 to $20 million being siphoned from Mexican banks.
Hackers deployed a 'smokescreen' to camouflage their real plan
And as more banks improve their cyber-defence, hackers are turning to creative tactics. In the case of the hacking of the Bank of Chile, for instance, they initially planted a virus that prompted the bank to shut down more than 9,000 computers in hundreds of branches to protect its customers. But the virus was just a smokescreen.
While the security team was busy investigating the infected devices, the hackers used the bank’s access to SWIFT to initiate a number of fraudulent wire transfers to accounts in Hong Kong. They funnelled more than $10 million before the bank finally noticed and blocked the transactions. The money was never recovered, and Microsoft, which carried out a forensic analysis of the attack, claims that the criminals were likely from Eastern Europe or Asia.
Even two-layer security can be breached
To prevent hackers from taking over bank accounts or stealing sensitive data, banks and many other companies use two-factor authentication technology. The idea is that even if intruders know the password, they can’t access the account or approve payments without an SMS code sent via text messages to the user's phone. Such a system is surely better than using only a password, but hackers have still found a workaround. They managed to intercept codes sent to customers of the UK-based Metro Bank by exploiting flaws in protocols that telecoms use to route calls and SMS messages. The attack targeted other British banks as well, although only a small number of customers was affected and no money was lost.
ATM infrastructure under attack
Banks in India were less fortunate than their British counterparts, as in 2018, they lost millions of dollars to cyber-attacks. Hackers were particularly eager to target ATM infrastructure, and in one such case, they planted malware on Cosmos Bank’s ATM servers to steal customers' card information. Then, they used this data to clone bank cards and distribute them to criminals in 28 countries. In the first phase of the attack, mules made 15,000 ATM cash withdrawals in a seven hour period, draining the bank of around $11.4 million. In the next phase, the hackers initiated a fraudulent SWIFT transaction that moved $1.93 million to accounts in Hong Kong. And although the Indian bank claimed that account holders’ money is safe, it had to suspend online banking operations in the wake of this attack.
Another increasingly used hacking method is ATM jackpotting. It involves criminals physically connecting their laptops to ATMs and installing malicious software that causes the machine to spit out cash. Thieves sometimes even use endoscopes to look inside machines to find a place to insert a computer cable. And in Nairobi, the capital city of Kenya, criminals used jackpotting to steal more than $100,000 from four ATMs in just one day. Although this method is more risky for hackers, as they have to potentially expose themselves to surveillance cameras, the lure of big profit is too great for them to ignore this opportunity.
Collaboration is the key to fighting cybercrime
Banks invest hundreds of millions of dollars to improve security and fight digital threats. That spending might be perceived as a cost, but it’s also a potential revenue source, as other industries could use the security solutions championed by financial institutions. However, fighting cyber criminals can’t be done by any bank alone. Adrian Nish and Saher Naumaan, threat intelligence analysts, point out that “Law enforcement, banks, and other members of the community must work together to identify the most serious threat groups and disrupt or deter them from attacking the financial system.” And instead of a passive mode in which banks react only when an attack happens, they need to adopt a proactive mindset and continuously improve security systems. The stakes are too high for anyone to be complacent, as the threat landscape is continuously evolving.
Staying vigilant in an era of constant attacks
A stable banking sector is a prerequisite for global economic growth. Banks, foreign exchange platforms, and stock markets all have a role to play in connecting the buyers and sellers of various products and services. Hackers are a danger to that system, as their global reach and digital weapons can undermine the stability of markets and major companies. And cyber-thieves aren’t going anywhere just yet. If prevented from exploiting credit cards, for instance, they turn to hacking some other asset, forcing banks to constantly remain vigilant. Supported by powerful state actors, criminals will attempt to manipulate the financial system in their favour. It’s up to legitimate companies to prevent that from happening and work with authorities to ensure that the opportunities offered by the latest technologies outweigh the risks.
This article was originally published in 2019 on Richard van Hooijdonk’s blog.