PaySpace Magazine has compiled the most significant recent cyber attacks on banks, along with expert advice on how financial institutions can protect themselves from such attacks.
Many banks have significantly improved the quality and convenience of their customer service thanks to technological development. More and more financial institutions are trying to keep up to date: using blockchain, issuing their own cryptocurrencies, replacing branches with convenient mobile applications, and investing in advanced ATMs equipped with biometrics and special features (some, for example, allow cash withdrawal without a card, using only a smartphone). However, along with the active introduction of technology, banks now face a new type of crime: the cyber attack. Modern fraudsters can rob a bank from a thousand miles away and carry out their plans without breaking a single lock. All they need today is a hacked server or a stolen password.
Major recent cyber attacks
Theft of 100M bank card records. The breach of the security systems of Capital One, one of the largest American banks, was one of the most outrageous incidents of the year. Credit card details of 100M Americans and 6M Canadians were stolen, along with 140,000 social security numbers and 80,000 bank account numbers, from records registered between 2016 and 2018.
The US prosecutor’s office later reported that the hackers had also stolen data from 30 organizations.
Attack on a major EU bank. Last month, the European Central Bank (ECB) announced that cybercriminals had hacked an external server hosting the Bank Integrated Reporting Dictionary (BIRD) site. As a result, the attackers could have obtained the email addresses, names, and positions of 481 subscribers to the BIRD service. The central bank suspended the site immediately after detecting the vulnerability, which was found during a regular check. According to the ECB, neither its internal systems nor sensitive market information was affected by the hackers’ actions.
Withdrawing millions to front accounts. In 2018, hackers stole hundreds of millions of pesos from Mexican banks. The fraudsters got hold of the money through attacks on SPEI, the local interbank messaging network. They sent fake transfer requests from the accounts of several Mexican banks, including the country’s leading financial institution, Banorte, and then moved the funds to fake accounts opened with third-party banks. In this way the criminals managed to withdraw more than 300 million pesos ($15.4 million).
The tale of how hackers stole the data of almost half the US population. In September 2017, a cyber attack gave hackers access to the confidential data of 143M Americans. Given that the US population at the time was about 320M, 44% of the country were potential victims of the leak. Through the Equifax hack, the attackers obtained full names, social security numbers, dates of birth, home addresses, and even driver’s license numbers. The company was severely criticized over the incident, especially since Equifax kept it quiet for more than a month. During that time, three of the company’s top managers sold Equifax shares worth a total of $1.8M.
The tale of how to steal a ton of data with nothing but a valid password. In 2014, the US financial holding company JPMorgan fell victim to a serious data theft. Hackers used an employee’s password to steal information on 76M private accounts and 7M small business accounts. JPMorgan CEO Jamie Dimon later wrote in a letter to shareholders that cybersecurity may well be the biggest threat to the US financial system.
The tale of a hack during a job interview. In early 2019, it became known that North Korean hackers had gained access to the Chilean ATM network via Skype. The attackers planted malware on the computer of an employee of Redbanc, a Chilean company specializing in ATM infrastructure, during a fake job interview. The hackers contacted the employee via Skype after he applied through LinkedIn for a developer position, and asked him to install a program that supposedly generated an application form. The program downloaded malware that gave the hackers access to the victim’s work computer, its hardware and operating system, and its proxy server settings.
Redbanc representatives said the attack had no impact on the interbank network. The security company Flashpoint believes the North Korean hacker group Lazarus was behind it.
North Korea is full of hackers
In 2018, North Korean hackers broke into Banco de Chile’s information systems using malware and stole more than $10M through the international SWIFT network. The bank had to take more than 9,000 workstations offline for a time.
In October 2018, sixteen financial institutions around the world were attacked in the same way. It later became known that North Korean fraudsters had stolen no less than $100M through the SWIFT interbank system since 2014.
North Koreans are also believed to be behind the global WannaCry ransomware attack in 2017. Kaspersky Lab experts reached this conclusion after identifying the BlueNoroff hacker group, which is associated with Lazarus. Lazarus is considered one of the most dangerous threats to financial institutions.
Other cases of fraud
Password sniffing attack. In November 2018, the international financial giant HSBC was the victim of a cyber attack in which stolen credentials were used. The attackers obtained customers’ names, addresses, and dates of birth, as well as account numbers and balances, transaction histories, and payee account numbers. The attack reportedly relied on software that scans and records passwords as they are used or transmitted on a computer or network interface; some of the credentials came from earlier data leaks. As compensation, HSBC offered affected customers a year of free credit history monitoring and identity theft protection.
POS terminal attack. In September 2018, IBM X-Force IRIS specialists recorded a malicious campaign targeting POS terminals in Europe and the United States. Behind the attacks was the FIN6 hacker group, which steals payment card data for resale on underground forums. Earlier, in 2016, the same group attacked POS terminals at retailers and healthcare companies, stealing the data of more than 10M payment cards, which were then put up for sale on an underground market.
Theft of card data from department store chain customers. In 2018, it was revealed that the data of more than 5M debit and credit cards used to buy goods at the American chains Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor had been stolen. According to Hudson’s Bay Company, the retailer that owns these chains, its cashless payment system had been hacked.
The tale of banking data stolen through taxi apps. In the summer of 2017, Kaspersky Lab announced that its experts had discovered a new version of the Faketoken Android Trojan, which steals banking details from users of taxi mobile applications. Because such apps store users’ financial data, the criminals had easy access to bank cards: the malware watched for these apps and overlaid them with phishing windows imitating the genuine app’s screens in order to capture card data.
ATM attack. In the first half of 2017, Europe saw an increase in blackbox attacks, a popular type of ATM hacking in which fraudsters connect a device to the ATM and force it to “spit out” cash. 114 such attacks were recorded in 11 European countries within six months, 300% more than in the same period of the previous year. Experts estimated the losses at €1.5M.
It is worth noting that in the summer of 2018, the development of ATM malware was named the most expensive hacker service on the DarkNet.
More generally, according to a Positive Technologies report presented at the end of last year, most ATMs from some of the world’s largest manufacturers are vulnerable to attack and can be compromised in a matter of minutes. In tests of machines from NCR, Diebold Nixdorf, and GRGBanking, 69% were found to be vulnerable to the blackbox attacks mentioned above. According to the experts, operators need to improve the physical protection of ATMs and introduce logging of security incidents in order to reduce the risk of attack and speed up the response to threats. Regular security assessments of ATMs are also worthwhile as a preventive measure.
Multi-card for cashing out stolen funds. In January 2019, the U.S. Secret Service reported that scammers had begun using the Fuze Card multi-card to store several stolen credit cards on a single card. A Fuze Card can hold the details of 30 payment cards; the user can view the registered cards and select the one to pay with. This lets criminals cash out stolen cards with a single card, which draws less suspicion.
Consequences of attacks
In 2016, according to a study by comparethemarket.com, 12% of Britons closed their credit or debit cards because of cyber fraud: in just a couple of months, the number of consumers who had closed their payment cards rose from 4.5M to 5.5M.
Cyber fraud is a huge problem for banks, since statistics show that almost one in four customers who lost money to hacking has changed bank (or is going to).
According to The New York Times, large financial companies have to withstand hundreds of thousands of cyber attacks every day. MasterCard, for example, fends off 460,000 intrusion attempts a day, 70% more than a year ago.
Most often, a single vulnerability is enough for hackers to break into a system. In some cases they use weak passwords or send fake emails carrying malware that gets them into the network. In others, they scan for software that has not been updated and therefore lacks the latest security fixes.
According to Privacy Rights Clearinghouse, more than 11B data records have been exposed in breaches since 2005. Among them were the data of customers of the Equifax credit bureau and the financial company First American Corporation, Yahoo email accounts, and even federal employment records.
For decades, security spending in most industries was seen as superfluous. Banks, however, have always been an exception, spending heavily on security and implementing elaborate security measures. MasterCard, for example, has a windowless bunker at its data center in Missouri where a team of security experts works. Citigroup operates three cybersecurity centers, in Budapest, New York, and Singapore, providing 24/7 coverage. JPMorgan Chase spends almost $600M a year on security.
According to a study by IBM Security and the Ponemon Institute, the average cost of a security breach in the US has risen to $8.2M in recent years. Yet even that amount is nothing compared to the losses institutions incur as a result of attacks, especially once class-action lawsuits and regulatory fines are counted. The Equifax credit bureau, for instance, has had to spend about $650M or more to settle most of the claims arising from its 2017 breach, which affected the data of 147M people. Capital One, for its part, has said it plans to spend at least $100M this year to remediate the attack it suffered.
How to counteract the attack
Reuven Harrison, co-founder of Tufin (an Israeli information security policy company), has offered some tips on how financial institutions can protect themselves from cyber attacks:
- Network segmentation. This limits how far a hacker can get inside a compromised network. If a criminal gains access to an employee’s computer, for example, that alone does not give them access to the bank’s wider systems. It should be noted, however, that segmentation requires ongoing maintenance and reconfiguration.
- A clearly defined security policy. This is the operational action plan that lets any banking IT group maintain an adaptive security architecture, and it helps professionals quickly determine the best way to protect the network. The policy must also take into account all regulatory and corporate compliance requirements, as well as how to apply security fixes in a timely manner.
- Compliance with the security policy. A company may have a security policy, but it is vital to put it into practice. Organisations must continuously monitor their network for configuration changes and ensure that those changes are approved and consistent with the policy. This is a joint effort involving network operations, security operations, and the CIO (Chief Information Officer).
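The segmentation and policy-compliance tips above can be checked mechanically. The following is an added example, not code from the article or from Tufin: it audits a snapshot of firewall rules against a zone-segmentation policy and a list of approved change tickets, flagging both forbidden flows and rules that appeared without an approved change. Zone names, rules and ticket ids are constructed for illustration.

```python
# Added example (not from the article, Tufin, or any bank): audit a firewall
# rule set against a zone-segmentation policy and an approved-change list, in
# the spirit of the segmentation and policy-compliance tips above.
# Zone names, rules, and ticket ids are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Policy: which source zone may open connections to which destination zone.
# Any flow not listed is forbidden; note there is no WORKSTATIONS -> CORE path.
ALLOWED_FLOWS = frozenset({
    ("WORKSTATIONS", "DMZ"),
    ("DMZ", "APP"),
    ("APP", "CORE"),
    ("ADMIN_JUMP", "APP"),
    ("ADMIN_JUMP", "CORE"),
})

@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    port: int
    change_ticket: Optional[str]  # None: the rule appeared without any change record

def audit_rules(rules: List[Rule], approved_tickets: FrozenSet[str],
                allowed_flows=ALLOWED_FLOWS) -> List[Tuple[str, str]]:
    """Return (rule_id, reason) findings for every rule that breaks the
    segmentation policy or was added without an approved change ticket."""
    findings = []
    for r in rules:
        if (r.src_zone, r.dst_zone) not in allowed_flows:
            findings.append((r.rule_id, f"flow {r.src_zone}->{r.dst_zone} not permitted by policy"))
        if r.change_ticket is None or r.change_ticket not in approved_tickets:
            findings.append((r.rule_id, "no approved change ticket"))
    return findings

# Constructed snapshot of the live rule set, as a change-monitoring job would pull it.
CURRENT_RULES = [
    Rule("fw-001", "WORKSTATIONS", "DMZ", 443, "CHG-1001"),
    Rule("fw-002", "DMZ", "APP", 8443, "CHG-1002"),
    Rule("fw-003", "APP", "CORE", 1521, "CHG-1003"),
    Rule("fw-099", "WORKSTATIONS", "CORE", 1521, None),    # drift: direct path to core
    Rule("fw-100", "ADMIN_JUMP", "CORE", 22, "CHG-9999"),  # ticket was never approved
]
APPROVED_TICKETS = frozenset({"CHG-1001", "CHG-1002", "CHG-1003"})

if __name__ == "__main__":
    for rule_id, reason in audit_rules(CURRENT_RULES, APPROVED_TICKETS):
        print(f"{rule_id}: {reason}")
```

Run on each configuration change, the audit surfaces the drift rule fw-099 (a direct workstation-to-core path with no change record) and fw-100 (a permitted flow whose change was never approved), which is exactly the review the text calls for.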
Gil Hecht, founder and CEO of Continuity Software (an IT security company), has highlighted several important principles for counteracting cybercrime:
- Identify the most important/critical business data.
- Clearly define resilience (recovery) requirements for each data type: for example, what the team will do if part of the transaction data is lost, and how long recovery may take.
- Set up a system that provides the required level of protection. For example, copying data to write once, read many (WORM) storage ensures that it cannot be deleted or corrupted. Such WORM devices must be protected by credentials that nobody in the “normal” (operational) part of the business can access; they belong with security officers, the security department, etc. A hardware security key kept in a physical safe is a good example of a reliable key. Backup and restore is the right way to protect information, but it is better to also write a transaction log synchronously to the same WORM storage devices.
- Constantly check that the requirements for restoring the system are correctly implemented, and implemented by all the parties involved. Re-check after every update, modification, or correction anywhere in the enterprise’s information infrastructure (cloud, physical, hybrid, legacy, virtual, and SaaS).
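The WORM transaction log and the restore checks above rest on being able to prove that a recovered log is complete and unaltered. The following is an added example, not code from the article or from Continuity Software: a hash-chained transaction log in which every entry commits to its predecessor, so a verifier can tell whether any entry in a restored copy was deleted, edited or reordered. The transactions and account ids are constructed.

```python
# Added example (not from the article or Continuity Software): a hash-chained
# transaction log whose integrity check detects the deletion or corruption that
# synchronous logging to WORM storage is meant to rule out, so a restore drill
# can prove the recovered log is complete. All records are constructed.
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # hash of the (empty) log before the first entry

def _digest(prev_hash: str, record: Dict) -> str:
    # Every entry commits to its predecessor's hash, so deleting, editing or
    # reordering any entry invalidates every hash from that point onward.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log: List[Dict], record: Dict) -> List[Dict]:
    """Append one transaction (in production, written synchronously to WORM)."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"seq": len(log), "record": record, "hash": _digest(prev, record)})
    return log

def verify(log: List[Dict]) -> Tuple[bool, int]:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq or entry["hash"] != _digest(prev, entry["record"]):
            return False, expected_seq
        prev = entry["hash"]
    return True, -1

def build_sample_log() -> List[Dict]:
    # Constructed transfers standing in for an interbank payment stream.
    log: List[Dict] = []
    for tx in ({"from": "ACC-1", "to": "ACC-2", "amount": 250},
               {"from": "ACC-3", "to": "ACC-1", "amount": 75},
               {"from": "ACC-2", "to": "ACC-4", "amount": 1200}):
        append(log, tx)
    return log

def with_entry_deleted(log: List[Dict], seq: int) -> List[Dict]:
    # Simulates an attacker removing one transaction from a mutable copy.
    return [dict(e) for e in log if e["seq"] != seq]

if __name__ == "__main__":
    good = build_sample_log()
    print(verify(good))                         # (True, -1)
    print(verify(with_entry_deleted(good, 1)))  # (False, 1)
```

One caveat the chain alone does not cover: silently dropping the newest entries still verifies, so the latest hash must also be recorded out of band (for example on the WORM copy itself) and compared during the restore check.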
According to Hecht, these principles have cut company downtime by more than 83% and guaranteed timely data and system recovery in the rare cases where systems or data have been compromised.