20 July 2018
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


Sad Scary State of Bank Security

04 March 2015

Who needs guns or threatening notes to rob a bank when you can do it with just your fingertips from inside your home?

A hacking ring in Eastern Europe may be the most successful team of bank robbers to date, having purportedly robbed $1 billion from multiple banks. This can only be done by infecting computers with malicious software (malware) and sucking out all the money.

Obviously, these hackers aren’t dumb criminals, but they also prey on the banks’ poor security measures. Apparently, the success of the hackers’ attack was contingent upon an employee clicking on a malicious link in an e-mail or opening a malment in the e-mail (“malment” = malicious attachment).

And that’s exactly what happened; someone fell for the oldest cyber trick in the book. This could have been prevented not only by applying Microsoft updates on a regular basis and keeping antivirus updated, but also by educating employees.

The next step in the chain reaction was the triggering of Carbanak, a virus that installs software that logs keystrokes, figuring out passwords this way. But Carbanak also captured screenshots.

How could banks let something like this happen?

Let’s Dissect this Robbery

The thieves sent out phishing e-mails—those containing malicious links or attachments—that are designed to trick people into clicking on them because the messages look legitimate. The crime ring just sat back and waited, knowing it was only a matter of time before someone clicked on one of their malments.

The keylogging gave the thieves all the information they needed to drain the banks. Boy, they sure broke in easily! All because the banks didn’t keep their devices’ security updated, leaving an unpatched opening, and perhaps the employee(s) who fell for the ruse were doing banking business on the same device they use for personal use: a huge mistake.

And whose fault is that? The bank’s; we can’t expect the run-of-the-mill employee to have built-in knowledge about how hacking rings work and that it’s a gateway to cyber theft if one mixes business activities and personal activities on the same computer. Learn from their mistakes. Update your devices and don’t click links in emails.


Comments: (1)

A Finextra member 09 March, 2015, 15:11

To update your device and not click on attachments is still valid. However, I believe that pushing responsibility to the least cunning and empowered persons in this game is fundamentally wrong for many reasons:

  • There are other ways to get infected and updates only help against known vulnerabilities. A billion dollar fraud is certainly worth a "zero-day" - a still unknown vulnerability you can buy if you know where the market is.
  • Software providers have license terms that in practice leave them with very limited responsibility - and hence no incentive to spend extra effort on security
  • Antivirus is dead - according to the anti-virus companies themselves

So what to do? Until producers become liable for their buggy solutions, you need to look for solutions that can protect the applications that are important to you. Protecting the device from malware is probably a lost battle but adding self-defending capabilities to mobile apps, browsers and desktop applications is probably the way to go.
