Bank Hackers Steal Millions via Malware

212 points by youlweb, over 10 years ago

17 comments

topkai22, over 10 years ago
While this is an astonishingly large criminal heist, we should look at this from a business perspective. The largest take from a single bank sounds to be around $10M. The first Russian bank I could find in Wikipedia, Alfa-Bank, had a net income in 2010 of $550M, meaning that if they were the ones hacked they would have lost about 2% of their annual PROFIT. What would the capital, operational, and efficiency cost of a major security overhaul be? Probably more than $10M. Moving to a new system like Qubes or even a more standard desktop Linux variant could very well terrorize me more than the losses from hacking.

Lots of industries just live with a certain degree of loss - retail in particular sees about 1.8% of inventory lost due to "shrinkage", the polite term for shoplifting and employee theft. While stores will take steps to reduce their loss, they can't be extravagant or they will lose customers (I stopped shopping at a drug store that put deodorant behind plexiglass) or cost more than the problem (RFID trackers on every candy bar).

Given that perspective I think we as technical professionals need to be a little more restrained in our recommendations. Enterprise decision makers are very receptive right now to projects involving security due to hacks like this and Sony, but we as technical professionals still have to speak to the whole of their concerns.

chubot, over 10 years ago
So what defenses should an organization employ to prevent these types of attacks?

From this non-technical article, it looks like they penetrated employees' computers and used their credentials, which makes sense because it's probably the weakest link.

It reminds me of the philosophy/motivation behind Qubes OS [1]: there is no server security without client security.

What are banks running on employee computers these days? I'm guessing Windows. Do they have anything beyond what typical corporate IT does to Windows machines (install virus checkers, auto updates, most users don't have root)?

Clearly that's not sufficient. It sounds like you want some kind of strict compartmentalization like Qubes. There's probably no reason that an e-mail client like Outlook needs to share any state with whatever app they used to manage accounts. Besides perhaps sharing a clipboard for cutting and pasting a tiny amount of info.

The machines probably need secure boot and attestation of the root file system state too. It's pretty bad that in this attack and I think in the Anthem case that attackers were inside their network for such a long period without detection.

I also remember a DEFCON talk where a penetration tester said the hardest site he ever worked on was where they had a strict "star" network topology. None of the computers in the enterprise could talk to each other or even see each other. All communication had to be proxied through a central hub, which would audit all the connections.

Do any banks do that now? Is there any reason they couldn't in practice? I imagine that there isn't really a need for two tellers in the same office to be sharing files directly with each other. Let alone tellers in different offices. I've never worked at a bank so I have no idea what their networks are like. Possibly there would be some uptime concerns with a centralized system like that.

I'm just brainstorming and wondering if anyone has direct work-related experience.

[1] https://qubes-os.org/

aceperry, over 10 years ago
I laugh whenever someone tells me that they never buy anything over the internet. Their reasoning is that they're afraid of hackers going after online transactions. It seems to me that most of the serious security problems reside in the places that keep your money or access to your money, such as banks, credit cards, or even businesses such as Anthem, etc.

Another problem that I've seen from banks is that they all use Microsoft Windows for most of their employees. That's got to be the worst OS in terms of security. Not saying that you can't break into other systems, but it is so much easier under Windows.

ChuckMcM, over 10 years ago
The scope of this is pretty stunning, but if you're going to make a billion dollars you can probably invest 100M or so in developing an organization that can pull it off.

I wonder when we'll see the equivalent of VC money in these sorts of enterprises.

sehugg, over 10 years ago
Is that really a Weyland-Yutani T-shirt?

http://alienanthology.wikia.com/wiki/Weyland-Yutani

supster, over 10 years ago
So who ends up footing the bill? Does the bank just write it off as a cost of doing business? Also aren't financial transactions reversible among banks?

walterbell, over 10 years ago
Why were internal banking admin systems connected to the public Internet? Two isolated networks should be the minimum.

ukigumo, over 10 years ago
Well, at least this one was technically challenging. My favourite bank robbery happened in London a couple of years ago and it used social engineering, 3G modems and KVMs. More info here: http://arstechnica.com/tech-policy/2014/04/bank-robbers-use-kvm-switch-and-3g-router-to-steal-money/

Now, I feel a discussion like this one would be the perfect place for me to introduce myself and... try to sell my services but I think I'm too late to the party so I'll keep it short.

Banks are the archetype of the company that suffers through technology. They make huge investments in IT year on year, but often they end up buying overly complex solutions from 1MM consultancy companies that never get fully implemented and, worse, cause high levels of frustration that then backfire onto projects that could actually make a difference.

With every department (or vertical or region) running their own IT, many of the core functions being outsourced offshore, and innovation (i.e. BYOD, Shadow IT) being ignored, some pretty serious gaps are opened in the way security is handled despite best intentions, processes or even regulatory compliance; we end up with local desktop machines having direct and unrestricted access to sensitive systems _and_ the internet.

Of course, all this is very nice but at the end of the day if someone can just walk into your office to "fix your computer" and no one bothers to check their credentials... there's only so much one can do for you.

jokoon, over 10 years ago
> But the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened.

Sounds like a badly designed system. Usually a bookkeeping system should only accept additions and subtractions, not have direct access to the amount number. Those additions and subtractions should be versioned. It might take a lot of resources and computing power to track that many accounts, but in my opinion, if Google, the NSA and Amazon have big datacenters, banks should too. I don't think they really have the proper infrastructure to secure something so important like account balance. I even think the government should invest money in securing those systems and places, since it's a nerve of the economy.

So either use up-to-date computing methods, or hire more accountants and use paper instead.

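
The design described in the comment above (additions and subtractions only, versioned, no direct write access to the balance) can be sketched as follows. This is an added example, not part of the original thread; `Ledger`, `post`, `reconcile` and the account name are hypothetical, and amounts are in cents. It goes one step beyond the comment by hash-chaining the entries so that edits to history are detectable.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("seq", "account", "delta", "memo", "prev")

def _digest(body):
    # Canonical JSON so an entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only journal: balances are derived from entries, never set."""
    def __init__(self):
        self._entries = []

    def post(self, account, delta, memo):
        """The only write path: append a signed amount in cents."""
        if not isinstance(delta, int) or delta == 0:
            raise ValueError("delta must be a non-zero integer (cents)")
        if self.balance(account) + delta < 0:
            raise ValueError("insufficient funds")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "account": account,
                "delta": delta, "memo": memo, "prev": prev}
        self._entries.append({**body, "hash": _digest(body)})

    def balance(self, account):
        return sum(e["delta"] for e in self._entries if e["account"] == account)

    def verify(self):
        """Return seq of the first entry that breaks the hash chain, else None."""
        prev = GENESIS
        for e in self._entries:
            if e["prev"] != prev or e["hash"] != _digest({k: e[k] for k in FIELDS}):
                return e["seq"]
            prev = e["hash"]
        return None

def reconcile(ledger, displayed):
    """Map account -> (displayed, derived) wherever a cached balance disagrees."""
    return {a: (shown, ledger.balance(a))
            for a, shown in displayed.items() if shown != ledger.balance(a)}

def demo():
    ledger = Ledger()
    ledger.post("acct-1", 100_000, "opening deposit")    # $1,000 (constructed data)
    mismatch = reconcile(ledger, {"acct-1": 1_000_000})  # field altered to $10,000
    ledger._entries[0]["delta"] = 1_000_000              # in-place edit of history
    return mismatch, ledger.verify()
```

Posting the $9,000 withdrawal (`post("acct-1", -900_000, ...)`) against the untampered ledger raises `ValueError`, because the derived balance is still $1,000 whatever a display field says. The hash chain is only tamper-evident if the latest hash is also recorded somewhere an intruder with database access cannot rewrite.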
kirvyteo, over 10 years ago
"But the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened."

A naive thought... if they leave with the exact amount of money (left) in the bank, should it be seen as just "illegal inflation", rather than seeing it as a theft? Someone made a gain but nobody made a loss in any case. Banks have always created more liquidity officially through loans, except that it is legal.

niels_olson, over 10 years ago
Imagine the black market value of the corporate knowledge these hackers now possess. "Just get me in, I'll take care of the rest."

danielayoub, about 10 years ago
Brian Krebs had an interesting follow-up to this story -- https://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/

niels_olson, over 10 years ago
So, we should definitely continue encouraging a Windows* monoculture in corporate IT, right?

(the point is "monoculture", not Windows, per se. Though it is sort of the icing on the cake.)

TwoBit, over 10 years ago
Given the amount of money stolen, I wonder if bribing an insider was involved. That wouldn't be surprising to me, given that most of this was in Russia.

BIair, over 10 years ago
Just conjecture: http://en.wikipedia.org/wiki/Pass_the_hash

zschleien, over 10 years ago
The way of the future right here.

taivare, over 10 years ago
I don't see how Jamie Dimon's presidential, POTUS cufflinks didn't scare the hackers away.