Over two days in the winter of 2013, in 27 different countries, an international crime ring stole more than $45 million from two different banks without ever setting foot inside a branch.
In a tightly coordinated effort, a small team of hackers penetrated the bank systems and artificially raised the withdrawal limit on prepaid debit cards that hadn’t been issued to customers yet. They then stole the magnetic encoding data used to create the stripe on the back of the cards and sent it to their partners in crime, who were waiting to receive it at various locations around the world.
Using simple, cheap encoding machines and used plastic cards, those teams wrote the account data to the stripes. At prearranged dates and times, they used the cards in various ATMs to withdraw the daily limits.
After twelve hours and more than 40,000 separate withdrawals, they had cleaned out those accounts.
Ultimately, all but one of the perpetrators were caught. But this didn’t dissuade other cyberthieves.
In another cyberheist, in early 2016, hackers almost got away with $1 billion, potentially the biggest bank heist in history. They were foiled only when one perpetrator’s heavy accent and difficulty speaking English while attempting the fraudulent transfer drew attention and alerted the New York Federal Reserve. The hackers still managed to collect $80 million, and they have never been identified.
Big-time heists like this cause financial cybersecurity experts to wake up in the middle of the night in a cold sweat. The stakes are enormous, and the stability of the world economy depends on master’s-educated cybersecurity auditors, engineers, analysts and administrators in the financial services industry.
Hacking Is All About the Money, and the Financial Sector is Where It’s At
According to a June 2016 article from Bloomberg News, the Federal Reserve suffered more than 50 breaches of its systems between 2011 and 2015. And the Fed isn’t alone. A report from PricewaterhouseCoopers indicates that the financial sector is the most popular target for cybercriminals. The report also suggested that even the Fed has been underreporting the number of attacks.
Criminals want money and banks are the place to get it. Once upon a time, they drilled through vault doors or held up tellers with shotguns. Today, they limber up their fingers and come in across the Internet, crafting fraudulent transfer requests or stealing account information to make direct withdrawals.
For cybersecurity teams in financial services, this leads to a fight that happens across many fronts. Hackers have a lot of options for penetrating bank security:
- Spearphishing attacks that target bank employees with e-mails containing malware
- Social engineering attempts to circumvent security controls through persuasion and lies
- Directed attacks against vulnerable banking systems
- Third-party attacks, where trusted partners with less secure systems are penetrated and used as an avenue in corporate systems
- Customer targeting, where hackers pose as the bank to convince customers to hand over account credentials
Each of these types of attack requires different countermeasures, from education to system hardening to encryption and mitigation efforts.
Building Walls Gives Way to Digging Trenches for “Defense in Depth” at Financial Institutions
After so many spectacular failures of perimeter security in the past few years, financial services information security is shifting away from building bigger and stronger walls around systems toward defense in depth, which forces attackers to get through layer after layer of security before they reach the important data.
Recognizing that customers will continue to want easy access to their assets and information, and that partnership arrangements with other institutions are the way of the future, banks are looking for ways to insert new security measures at every step. For consumers, this means new chip cards and token-based authentication schemes. Inside corporate systems, it means an increased use of encryption and need-based access controls.
Bank regulators are pushing for an industry requirement to appoint a Chief Information Security Officer at every institution. More stringent password requirements may be coming soon. And in 2015, Congress passed the Cybersecurity Information Sharing Act, which encourages financial institutions to pool their information about new and ongoing attacks, to spread the word and prevent copycat crimes.
But information security experts have to walk a fine line. People want convenient, fast access to their account information, and need the ability to withdraw or transfer money rapidly. Two-factor authentication, stricter adherence to identification rules, and tougher password requirements all find pushback from customers. Cybersecurity teams in the banking industry have the difficult job ahead of them of finding secure methods of providing customer services without opening the door to thieves.
Beyond the Banks: Hackers Are Going After Investment and Trading Firms Now
As banks become harder targets, hackers are drifting over to other victims in the financial services sector. A 2015 article in the IB Times described a scam run on a small commodities trading firm in Omaha, Nebraska. An employee of the firm received an e-mail carrying his boss’s signature, although it did not come from his boss’s regular address. The e-mail initiated a bogus correspondence supposedly arranging for the firm to acquire a Chinese company. Convincing e-mails and even phone calls followed over the course of a month, ultimately leading to a wire transfer of $17 million.
Only there was no Chinese firm. The calls and messages, later traced to Israel, Paris, and Moscow, were all fraudulent. The money went into a Chinese bank where the scammers collected it and disappeared.
Smaller financial services firms are particularly at risk for cybercrime. With small IT departments – or in some cases only part-time, external IT consultants – security often falls low on the list of priorities. But even larger brokerage firms are sometimes targeted.
In testimony in 2010, Assistant FBI Director Gordon Snow described a tactic in which scammers targeted a victim’s brokerage account by initiating telephone transfers while simultaneously jamming the victim’s phones to prevent the firm from completing call-back verification.
As is often the case, these scenarios involved almost no electronic skullduggery whatsoever; no sophisticated firewall or virus scanner would have prevented them. Instead, they were failures of process and procedure. Much of the work of financial sector cybersecurity staff is in devising confirmation and verification procedures that cannot be gamed.
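The two process failures above (an instruction accepted from an address that was not the boss’s real one, and a call-back that could be defeated by jamming the line) come down to two design rules: verify the origin of the instruction against a list you control, and make the call-back go to a number captured at onboarding, with a blocked call resulting in a hold rather than an approval. The following is an added illustration, not code from the article or from any firm it mentions; the threshold, the addresses, the phone numbers and the simulated phone network are all constructed for the example.

```python
"""Added example (not from the article): a transfer-approval check that fails closed.

Two policy rules drawn from the cases above:
  * an instruction from an address not on the account's authorised list is
    rejected before anything else happens;
  * a transfer at or above a threshold needs a call-back to the number on
    file; if that call cannot be completed (jammed line, no answer) the
    transfer is HELD for manual review, never approved by default.
All names, numbers and thresholds here are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CALLBACK_THRESHOLD = 10_000  # assumed policy: amounts at or above this need a call-back


@dataclass(frozen=True)
class TransferRequest:
    account_id: str
    amount: float
    sender_address: str                 # address the instruction arrived from
    reply_phone: Optional[str] = None   # number offered in the request; never dialled


@dataclass(frozen=True)
class AccountProfile:
    authorised_senders: frozenset       # addresses allowed to instruct transfers
    registered_phone: str               # number captured at onboarding


@dataclass
class SimulatedPhoneNetwork:
    """Stand-in for the telephony side. 'line_state' maps a number to what a
    call to it produces: confirmed, denied, or unreachable (jammed / no answer)."""
    line_state: Dict[str, str]
    dialled: List[str] = field(default_factory=list)

    def call_back(self, number: str, req: TransferRequest) -> str:
        self.dialled.append(number)
        return self.line_state.get(number, "unreachable")


def evaluate_transfer(req: TransferRequest, profile: AccountProfile,
                      phones: SimulatedPhoneNetwork) -> Tuple[str, str]:
    """Return (decision, reason); decision is APPROVE, HOLD or REJECT.

    The only path to APPROVE for a large transfer runs through a completed
    call-back to the number on file, so blocking that call yields a HOLD."""
    if req.sender_address.lower() not in profile.authorised_senders:
        return "REJECT", "instruction from unrecognised sender " + req.sender_address
    if req.amount < CALLBACK_THRESHOLD:
        return "APPROVE", "below call-back threshold"
    outcome = phones.call_back(profile.registered_phone, req)   # never req.reply_phone
    if outcome == "confirmed":
        return "APPROVE", "confirmed by call-back to registered number"
    if outcome == "denied":
        return "REJECT", "customer denied the transfer on call-back"
    return "HOLD", "call-back not completed; transfer held for manual review"


# Constructed sample profile: one authorised address, one registered number.
PROFILE = AccountProfile(
    authorised_senders=frozenset({"ceo@example-firm.test"}),
    registered_phone="+1-402-555-0100",
)


def run_scenarios() -> Dict[str, str]:
    """Run four constructed cases and return scenario name -> decision."""
    results: Dict[str, str] = {}
    # 1. Routine payment from an authorised address: no call-back needed.
    phones = SimulatedPhoneNetwork({"+1-402-555-0100": "confirmed"})
    results["small_authorised"] = evaluate_transfer(
        TransferRequest("ACC-1", 2_500, "ceo@example-firm.test"), PROFILE, phones)[0]
    # 2. Large request signed as the boss but sent from a lookalike domain.
    results["lookalike_sender"] = evaluate_transfer(
        TransferRequest("ACC-1", 17_000_000, "ceo@example-f1rm.test",
                        reply_phone="+1-555-0101"), PROFILE, phones)[0]
    # 3. Large request from the real address; customer confirms on call-back.
    results["large_confirmed"] = evaluate_transfer(
        TransferRequest("ACC-1", 50_000, "ceo@example-firm.test",
                        reply_phone="+1-555-0101"), PROFILE, phones)[0]
    # 4. Same request while the registered line is jammed: held, not approved.
    jammed = SimulatedPhoneNetwork({"+1-402-555-0100": "unreachable"})
    results["large_line_jammed"] = evaluate_transfer(
        TransferRequest("ACC-1", 50_000, "ceo@example-firm.test"), PROFILE, jammed)[0]
    # Only the number on file was ever dialled; the reply_phone in the request was ignored.
    assert phones.dialled == ["+1-402-555-0100"] and jammed.dialled == ["+1-402-555-0100"]
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:20s} -> {decision}")
```

The point of the fourth scenario is the one the FBI testimony makes: a verification step that degrades to "approve" when it cannot run is a step an attacker can remove by cutting the line. Treating "unreachable" as a distinct outcome from "confirmed" keeps the decision with a human reviewer instead of with whoever controls the victim’s phones.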