In a memorable scene from the film Butch Cassidy and the Sundance Kid, there are two notorious outlaws (classically played by Paul Newman and Robert Redford), who are trying to escape capture after their latest bank heist but are doggedly pursued by an unshakeable lawman who is determined to bring them to justice, no matter the cost. As they are pursued on horseback throughout the US West, and eventually South America, they keep asking about their pursuers, “who are those guys?”, as if it was inconceivable that anyone would go to such great lengths to stop two people from stealing such trivial amounts of money in such a lonesome and hostile place.
Bank robbing is an age-old crime. While many times glorified in literature and film, it still remains a nasty business, and, when the costs are added up, causes consumers greatly in the end (remember, the banks pass their losses on to us). Today, bank thefts are done digitally and with a lot more finesse and stealth than in days-gone-by, yet it still costs everyone dearly, and most bank thefts we don’t even hear about as it’s a daily occurrence.
As reported in InsuranceJournal, Cyber-attacks cost financial-services firms more to address than any other industry, and the rate of breaches in the industry has tripled over the past five years, according to a report from Accenture and the Ponemon Institute.
Their “Cost of Cyber Crime Study,” looks closely at the costs that financial services companies suffer when responding to cyber crime incidents, and then applies a costing methodology that allows year-over-year comparisons. It found that,
the average cost of cyber crime for financial services companies globally has increased by more than 40 percent over the past three years, from $12.97 million USD per firm in 2014 to $18.28 million USD in 2017 — significantly higher than the average cost of $11.7 million USD per firm across all industries included in the study. The analysis focuses on the direct costs of the incidents and does not include the longer-term costs of remediation.
The annual economic cost of cyber crime, as reported below, is now estimated at north of $1 trillion, a multiple of 2017’s record-year aggregate cost of approximately $300 billion from natural disasters.
The following is a summary of banking crime statistics, culled from a recent report from Positive Technologies, a leading global provider of enterprise security solutions for vulnerability and compliance management. The company is also expert in the fields of incident and threat analysis, and application protection. Their report highlights the banking theft examples, penetration testing results and security analysis of information systems for banks over the past three years.
The Wild West of Online Bank Robbing
Why do they do it? Put simply, it’s lucrative and relatively low risk in terms of detection. This is inspiring even more criminals to "go online." While some groups break up or are caught by the cyber-police, newer groups turn up with more sophisticated attack techniques to take their place.
Turns out that these criminals quickly adapt to the changing environment. They are constantly monitoring for the latest weaknesses and pounce on them much faster than security officials can patch in updates.
On underground web forums, anyone can freely purchase software to conduct an attack (with detailed "how to" instructions), as well as make the acquaintance of unscrupulous bank employees and money launderers. If properly prepared, an attacker with minimal technical knowledge can steal millions of dollars by penetrating a bank network, although it might seem that such networks should be protected quite well.
Banking Theft Examples:
While the typical bank’s network perimeter is strictly guarded, these findings show that in 100 percent of cases examined by Positive Technologies, the penetration testers were able to gain full control over a bank’s network infrastructure. At more than half of the tested banks (58 percent), attackers got in via unauthorized access to financial applications. And at 25 percent of the banks, penetration testers were able to compromise the workstations used for ATM management. Below are some examples of the latest cyber-banking crimes with links to the specifics of the cyber-gangsters, their crime and how they did it:
- Theft of $100 million - in early 2017, there was a surge of attacks targeting card processing in Eastern Europe.
- Theft of $60 million - in the fall of 2017, intruders attacked the Far Eastern International Bank in Taiwan by making transfers to accounts in Cambodia, Sri Lanka, and the US.
- Theft of $4 million - while banks in Nepal were closed for holidays, criminals used SWIFT to withdraw money. The banks were able to track transactions and recover a significant portion of the stolen funds only due to timely response.
- Theft of $1.5 million - in early December 2017, public sources began to mention the MoneyTaker gang, which had attacked financial institutions in Russia and in the United States for a year and a half. Criminals attacked card processing and inter-bank transfer systems, with thefts averaging $500,000 in the US and RUB 72 million (~$1.26 million) in Russia.
- Theft of $100 thousand – also in December 2017, reports surfaced about the first successful SWIFT attack on a Russian bank. The victim of the hacking attack was Globex, a subsidiary of VEB. The suspect is the Cobalt hacker gang, which specializes in cyber-attacks on banks.
Who Are Those Guys?
Some of the most active cyber-criminal gangs in the past three years are:
The findings obtained by Positive Technologies’ experts in penetration testing illustrate the planning methodology for attacks and the vulnerabilities the above gangs exploited and are most common at banks… and which of them make attacks possible. Basically, attackers stick to five main stages of attack planning:
- Survey and preparation.
- Penetration into the internal network.
- Developing the attack and gaining a foothold in the network.
- Compromising banking systems and stealing funds.
- Concealing traces.
For the initial stage, Survey and preparation, the attacker collects the following information about the bank:
- Information about network perimeter systems and software,
- employee details (including email addresses, telephones, positions, and names),
- names of partners and contractors, as well as their systems and employees,
- business processes, and
- examples of preparatory actions.
The attackers then use that information to:
- Develop or adapt malicious software for the software and OS versions used in the bank.
- Prepare phishing emails,
- set up infrastructure (including domain registration, server rental, and purchase of exploits),
- prepare the infrastructure for money laundering and cash withdrawal,
- search for money mules and
- test the infrastructure and malicious software.
Details regarding the other stages and how the attackers exploit the found weaknesses are also detailed in the report and you can read them at your leisure.
Deeper Penetration Test Findings
- 100% of banks, were found to have vulnerabilities in web applications, insufficient network security, and server configuration flaws.
- At 58% of banks there were found deficiencies in user account and password management.
- At 22% of banks, experts successfully breached the network perimeter in external penetration testing.
- 75% of banks are vulnerable to social engineering attacks.
- At 100% of banks, full control over infrastructure was obtained.
- At 58% of banks, experts obtained access to banking systems.
What specifically were the weaknesses that made it possible for more than half of the banks tested to have their banking systems penetrated?
- Insufficient protection against recovery of credentials from OS memory.
- Dictionary passwords.
- Sensitive data stored in cleartext.
- SQL injection.
- Use of reversible coding.
- Credentials stored in application source code.
- Reuse of credentials for multiple resources.
- Insufficient protection of root account.
Network Perimeter Vulnerabilities
As the report gets deeper, “the main vulnerabilities and flaws in security mechanisms common on the bank network perimeter can be divided into four categories: vulnerabilities in web applications, insufficient network security, server configuration flaws, and deficiencies in user account and password management software. On average, an attacker who has penetrated the bank's internal network needs to only exploit those four flaws to gain access to the banks' electronic crown jewels,” according to the report.
The report concludes with four points:
- Remember that if an attack is detected and stopped in time, intruders can be thwarted. Preventing losses is possible at any stage as long as appropriate protective measures are taken.
- Email attachments should be checked in an isolated environment (sandbox), instead of relying solely on endpoint antivirus solutions.
- It is critical to configure notifications from protection systems and react to notifications immediately.
- Security events must be monitored by an internal or external security operations center (SOC) with use of security information and event management (SIEM) solutions, which significantly facilitate and improve processing of information security events.
The overall suggestion from the report by Positive Technologies is one of awareness, transparency and cooperation between bank CISO’s, security services and bank officials, stating:
For more information on thwarting the bank robbers of the cyber age, we recommend these articles in our technical blog series:
Cybercrime is continuing to evolve and advance quickly, making it crucial that instead of hiding incidents, banks pool their knowledge by sharing information on industry attacks, learning more about relevant indicators of compromise, and helping to spread awareness throughout the industry.
- Strong Authentication is Key for the Financial Industry.
- How Top Industries Are Preparing For Evolving Cybersecurity Threats.
- The Threat of Social Engineering.
- How to Spot a Phishing Website.
- Next-Generation Mobile Banking Security Enhancements by AI.
- Digital Signatures in the Financial Services Landscape.