
Sad Scary State of Bank Security

Who needs guns or threatening notes to rob a bank when you can do it with just your fingertips from inside your home?

A hacking ring in eastern Europe may be the most successful team of bank robbers to date, having purportedly stolen $1 billion from multiple banks. They did it by infecting bank computers with malicious software (malware) and siphoning the money out.

These hackers are clearly not dumb criminals, but they also preyed on the banks' poor security measures. Apparently, the success of the attack was contingent upon an employee clicking a malicious link in an e-mail or opening a malment in the e-mail ("malment" = malicious attachment).

And that's exactly what happened: someone fell for the oldest trick in the cyber book. This could have been prevented not only by applying Microsoft updates regularly and keeping antivirus current, but by educating employees.

The next step in the chain reaction was the execution of Carbanak, malware that installs a keylogger and so captures passwords as they are typed. Carbanak also captured screenshots of what the infected user was doing.

How could banks let something like this happen?

Let’s Dissect this Robbery

The thieves sent out phishing e-mails, messages carrying malicious links or attachments that are designed to trick people into clicking because they look legitimate. The crime ring just sat back and waited, knowing it was only a matter of time before someone opened one of their malments.

The keylogging gave the thieves the credentials they needed to drain the banks. Boy, they sure broke in easily! All because the banks didn't keep their devices' security updated, leaving an unpatched opening, and perhaps because the employee(s) who fell for the ruse were doing bank business on the same device they used for personal activity, which is a big mistake.

And whose fault is that? The bank's; we can't expect the run-of-the-mill employee to know how hacking rings operate, or that mixing business and personal activity on the same computer is a gateway to cyber theft. Learn from their mistakes: update your devices and don't click links in e-mails.
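"Don't click links in e-mails" is advice that can be checked mechanically before a message ever reaches an employee. The script below is an added example, not code from the article or from any Carbanak analysis: it parses an e-mail with Python's standard `email` library and flags the two indicators the article describes, a link whose visible text names a different domain than its real destination, and an attachment that is an executable or macro-enabled Office file, or that hides behind a double extension such as `.pdf.exe`. The sample message, its `examp1e-bank.com` look-alike domain and the file name `statement_march.pdf.exe` are constructed for the demonstration and do not come from the real campaign.

```python
"""Flag the phishing indicators from the article: deceptive links and risky attachments.

Added example with constructed sample input; nothing here is taken from the Carbanak
malware or from the banks involved.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that should never arrive unsolicited from outside the organisation
# (executables, script hosts and macro-enabled Office documents).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".lnk",
                    ".docm", ".xlsm", ".pptm"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(url: str) -> str:
    """Registrable-ish domain (last two labels), so sub-domains of one site do not alarm."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def analyse_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            name = filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment type: {filename}")
            elif name.count(".") >= 2:  # e.g. invoice.pdf.exe disguised as a document
                findings.append(f"double extension: {filename}")
            continue
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                # Only compare when the visible text itself looks like a URL.
                if text.startswith("http") and _domain(text) != _domain(href):
                    findings.append(f"link text {text!r} actually points to {_domain(href)}")
    return findings


def build_sample(link_href: str, attachment_name: str) -> bytes:
    """Constructed sample message (hypothetical domains) with one link and one attachment."""
    m = EmailMessage()
    m["From"] = "IT Support <support@examp1e-bank.com>"
    m["To"] = "teller@example-bank.com"
    m["Subject"] = "Urgent: confirm your credentials"
    m.set_content("Please log in and open the attached statement.")
    m.add_alternative(
        f'<p>Please log in at <a href="{link_href}">'
        'https://intranet.example-bank.com/login</a> and open the statement.</p>',
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    phish = build_sample("http://login.examp1e-bank.com/auth", "statement_march.pdf.exe")
    for finding in analyse_message(phish):
        print("FLAG:", finding)
```

Run as a script it prints two flags for the constructed phishing message; a message whose link really goes to `intranet.example-bank.com` and whose attachment is a plain `.pdf` produces none. A mail gateway would quarantine on any flag rather than rely on the recipient noticing the look-alike domain.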



Comments: (1)

A Finextra member, 09 March, 2015, 15:11 (1 like)

To update your device and not click on attachments is still valid. However, I believe that pushing responsibility to the least cunning and empowered persons in this game is fundamentally wrong for many reasons:

  • There are other ways to get infected, and updates only help against known vulnerabilities. A billion dollar fraud is certainly worth a "zero-day" - a still unknown vulnerability you can buy if you know where the market is.
  • Software providers have license terms that in practice leave them with very limited responsibility - and hence no incentive to spend extra effort on security
  • Antivirus is dead - according to the anti-virus companies themselves

So what to do? Until producers become liable for their buggy solutions you need to look for solutions that can protect the applications that are important to you. Protecting the device from malware is probably a lost battle, but adding self-defending capabilities to mobile apps, browsers and desktop applications is probably the way to go.
