
Bank Hackers Steal Millions via Malware - youlweb
http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html
======
topkai22
While this is an astonishingly large criminal heist, we should look at this
from a business perspective. The largest take from a single bank sounds to be
around $10M. The first Russian bank I could find in Wikipedia, Alfa-Bank, had
a net income in 2010 of $550M, meaning that if they were the ones hacked they
would have lost about 2% of their annual PROFIT. What would the capital,
operational, and efficiency cost of a major security overhaul be? Probably
more than $10M. Moving to a new system like Qubes or even a more standard
desktop Linux variant could very well terrorize me more than the losses from
hacking.

Lots of industries just live with a certain degree of loss; retail in
particular sees about 1.8% of inventory lost due to "shrinkage", the polite
term for shoplifting and employee theft. While stores will take steps to
reduce their loss, they can't be extravagant or they will lose customers (I
stopped shopping at a drug store that put deodorant behind plexiglass) or cost
more than the problem (RFID trackers on every candy bar).

Given that perspective I think we as technical professionals need to be a
little more restrained in our recommendations. Enterprise decision makers are
very receptive right now to projects involving security due to hacks like this
and Sony, but we as technical professionals still have to speak to the whole
of their concerns.

~~~
tracker1
Doing nothing is always a valid business option... not usually a wise one, but
always a valid one.

~~~
topkai22
Agreed, I'm not saying these bank CIOs should do nothing, just trying to point
out the break-even point between security and other factors can come sooner
than we as technical people might assume.

------
chubot
So what defenses should an organization employ to prevent these types of
attacks?

From this non-technical article, it looks like they penetrated employees'
computers and used their credentials, which makes sense because it's probably
the weakest link.

It reminds me of the philosophy/motivation behind Qubes OS [1]: there is no
server security without client security.

What are banks running on employee computers these days? I'm guessing Windows.
Do they have anything beyond what typical corporate IT does to Windows
machines (install virus checkers, auto updates, most users don't have root)?

Clearly that's not sufficient. It sounds like you want some kind of strict
compartmentalization like Qubes. There's probably no reason that an e-mail
client like Outlook needs to share any state with whatever app they use to
manage accounts, besides perhaps sharing a clipboard for cutting and pasting a
tiny amount of info.

The machines probably need secure boot and attestation of the root file system
state too. It's pretty bad that in this attack, and I think in the Anthem case,
attackers were inside the network for such a long period without
detection.

I also remember a DEFCON talk where a penetration tester said the hardest site
he ever worked on was where they had a strict "star" network topology. None of
the computers in the enterprise could talk to each other or even see each
other. All communication had to be proxied through a central hub, which would
audit all the connections.

Do any banks do that now? Is there any reason they couldn't in practice? I
imagine that there isn't really a need for two tellers in the same office to
be sharing files directly with each other, let alone tellers in different
offices. I've never worked at a bank so I have no idea what their networks are
like. Possibly there would be some uptime concerns with a centralized system
like that.

I'm just brainstorming and wondering if anyone has direct work-related
experience.

[1] [https://qubes-os.org/](https://qubes-os.org/)

~~~
aidos
It's just staggering.

I know it's silly to think that banks would be better than anyone else, but
good lord, malware running on machines capable of transferring millions of
dollars that's able to send out video feeds from the network without anyone
noticing?! Your various IT/Security teams should be absolutely ashamed. And
then the banks don't even have to stand up and admit their incompetence
publicly; that's a total disgrace.

That's the state of corporate security I guess. I've dealt with corporate IT
departments over the years where they put these "processes" in place to
mitigate these security issues but it's all a load of rubbish. Filling in
forms to tick boxes so that everyone can go home happy pretending there's
security going on, when really their network is a leaky sieve.

At one point I saw a release by a 3rd party supplier to a large corporate
system that included privilege escalation, blatantly, at the start of a T-SQL
script. It was done because the IT department refused to carry out the action
on request via the official channel but it was work that needed to be done to
complete a project. The 3rd party knew the admins would just be running
scripts as SA so they escalated their own account to do what they needed to do
later.

I know it's silly to be so frustrated about it, but we've all dealt with
crappy banking systems for years, with totally insane security measures;
meanwhile hackers can just walk away with millions using a bit of malware.

~~~
dredmorbius
A key differentiator for banks vs. many other service providers is that
_financial transfers can be reversed._ Releases of _information_ however
_cannot be._

So where a bank has a risk of an unauthorized financial transaction, there are
multiple options to claw that back (or to shift the risk to other parties,
notably merchants).

A disclosure, though, of _account information_ is a different case, and here
the results can be damaging to the banks and their customers. One instance I'm
generally aware of is an increasing number of disclosures pertaining to
offshore banking, many uncovered by the ICIJ (International Consortium of
Investigative Journalists: [http://www.icij.org/](http://www.icij.org/)) and
the _Guardian_. Again, the case involves banks, but it's rather more difficult
to reverse transactions when it's your client list and balances, or
communications, which have spilled.

Many revealed by insiders, as it turns out.

~~~
vanzard
> financial transfers can be reversed.

Not this time: hackers withdrew some of the money from ATMs.

~~~
ams6110
The total amount of cash and the per-withdrawal limits in an ATM limit the
loss there. You can't steal millions of dollars from an ATM.

~~~
tedivm
These guys stole $45 million from ATMs:
[http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-...](http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html?pagewanted=all)

~~~
ams6110
_On Feb. 19, cashing crews were in place at A.T.M.'s across Manhattan and in
two dozen other countries ... Starting at 3 p.m., the crews made 36,000
transactions and withdrew about $40 million from machines in the various
countries in about 10 hours_

I stand corrected. That's quite impressive and amazing that they had that many
people involved and nobody tipped it off.

------
aceperry
I laugh whenever someone tells me that they never buy anything over the
internet. Their reasoning is that they're afraid of hackers going after online
transactions. It seems to me that most of the serious security problems reside
in the places that keep your money or access to your money, such as banks,
credit cards, or even businesses such as Anthem, etc.

Another problem that I've seen from banks is that they all use Microsoft
Windows for most of their employees. That's got to be the worst OS in terms of
security. Not saying that you can't break into other systems, but it is so
much easier under Windows.

~~~
niels_olson
> they all use Microsoft Windows for most of their employees. That's got to be
> the worst OS in terms of security.

Well, it's good enough for the Department of Defense, so it must be good
enough for us, right?

No one ever got fired for buying Microsoft.

~~~
omeid2
Yet the NSA developed SELinux. So there is that.

------
ChuckMcM
The scope of this is pretty stunning, but if you're going to make a billion
dollars you can probably invest 100M or so in developing an organization that
can pull it off.

I wonder when we'll see the equivalent of VC money in these sorts of
enterprises.

~~~
navait
It really only makes sense for organized crime to manage this within their own
ranks. You already have trustworthy people, and people with the relevant
skills and connections. How would you know if the "startup" you're funding
isn't undercover police? If an upstart appears, just "convince" them to share
in the profits.

~~~
hawkice
I'm going to be a little pedantic, but since this is an article about security
(and your point is also about security, of a marginally different type):

> You already have trustworthy people, and people with the relevant skills and
> connections.

In security, there is a distinction between 'trustworthy' and 'trusted'.
Organized crime definitely has trusted personnel, but, 'trustworthy'... maybe
not.

------
sehugg
Is that really a Weyland-Yutani T-shirt?

[http://alienanthology.wikia.com/wiki/Weyland-Yutani](http://alienanthology.wikia.com/wiki/Weyland-Yutani)

~~~
dmnd
First thing I noticed. Amazon has them:
[http://smile.amazon.com/Weyland-Yutani-Corporation-Building-...](http://smile.amazon.com/Weyland-Yutani-Corporation-Building-Vintage-T-Shirt/dp/B0064ORD7O?sa-no-redirect=1)

------
supster
So who ends up footing the bill? Does the bank just write it off as a cost of
doing business? Also aren't financial transactions reversible among banks?

~~~
vitd
> Also aren't financial transactions reversible among banks?

Maybe, but when they steal from ATMs, there's no other bank involved in that
transaction.

------
walterbell
Why were internal banking admin systems connected to the public Internet? Two
isolated networks should be the minimum.

~~~
linuxydave
While I've never worked in banking/financial environments I do know of people
who have; they often had two workstations (one for the 'public' network, the
other for the systems) and weren't allowed to use software like Synergy to
share the keyboard and mouse. I guess not every company does stuff like that,
though.

~~~
patcheudor
It's nearly impossible to isolate banking system networks these days. As an
example, ATMs run transactions through public networks. Customers access their
accounts via public networks, etc. Further, network isolation as a primary
control fails time and time again.

It's best to focus on the end points and beef up security there. Focus primary
security controls on the application and not the perimeter. One of my biggest
frustrations as a security professional is walking into an environment where
systems which must be highly secure are accessed via simple username &
password. All banking applications at a minimum should require X.509 client
auth for employees utilizing a private key stored on a device which is not
permanently attached to the system. Monitoring solutions should then be in
place to track authentication actions and provide that visibility to security
staff and the employees themselves. That's a pretty basic first step and one
I rarely see in practice. Next, rather than isolating networks, start paying
attention to the traffic on the networks & limit transactions to known good
entities. After that, organizations need to consider their customer environment
security and how they may be inadvertently compromising it. It's amazing how
many times I've gone to a public-facing banking portal and spotted third-party
JavaScript loaded within the same origin context as an authentication form.
One bank I looked at a while back actually had an advertisement from a third-
party ad network on a page where they asked for credentials! That's pretty
much asking for their customers and thus their accounts to be compromised.
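
As an added illustration of the third-party-script point above (example code written for this page, not from the commenter or any bank): a small standard-library Python check that parses a page and, if the page carries a password field, lists every script whose host is neither the page's own host nor an explicitly allowed first-party host. The page markup and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (hypothetical hostnames): a credential form that also loads an
# ad-network tag, which then runs with the bank page's origin.
SAMPLE_LOGIN_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-bank.test/lib.js"></script>
<script src="https://ads.example-adnetwork.test/tag.js"></script>
<script>var inline = 1;</script>
</head><body>
<form action="/login" method="post"><input type="password" name="pw"></form>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Record external script URLs and whether the page carries a password field."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = 0
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes arrive with value None
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True


def third_party_scripts(html, page_url, first_party_hosts=()):
    """URLs of scripts on a credential page whose host is neither the page host nor allowed.

    Returns [] when the page has no password field, since the concern here is scripts
    sharing the origin of an authentication form.
    """
    collector = ScriptCollector()
    collector.feed(html)
    if not collector.has_password_field:
        return []
    allowed = {urlparse(page_url).hostname, *first_party_hosts}
    findings = []
    for src in collector.script_srcs:
        absolute = urljoin(page_url, src)  # resolves relative and scheme-relative paths
        if urlparse(absolute).hostname not in allowed:
            findings.append(absolute)
    return findings
```

Run against the sample with `cdn.example-bank.test` allowed, only the ad-network tag is reported; without the allow list the CDN script is reported too, which is the right default for a credential page.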

~~~
Spearchucker
"_It's best to focus on the end points and beef up security there_"

Not the way I'd do it. Defence in depth means securing _everything_. Starting
with the perimeter, working inwards to individual apps - on both clients and
servers. _Every_ resource needs to be secured. That means spending cash, and
the amount of cash that should be spent should be proportionate to the value
of the asset being protected. If you have a server application or service, put
an application firewall in front of it, so that both internal and external
access goes through it. Don't just write a threat model, document the threat
tree. Don't trust your employees, your software, hardware or building
security. And don't trust the bosses either.

It's analogous to having a bodyguard. If you're in the bedroom and leave your
bodyguard in the kitchen for a private conversation, the bodyguard and his big
six gun are going to be of absolutely zero use when ninjas come crashing
through the bedroom window.

~~~
lifeisstillgood
To run with your analogy a bit, I occasionally see CEO types with
"bodyguards". Because the kidnapping attempt is theoretical and hasn't happened
for ten years, the bodyguard is carrying the luggage or opening the doors or
answering the phone.

The analogy is fairly clear - you can spend the money on security in depth.
But humans tend to use those in segments for other things eventually. Banks
have been around long enough that all their bodyguards are now bellboys.

------
ukigumo
Well, at least this one was technically challenging. My favourite bank robbery
happened in London a couple of years ago and it used social engineering, 3G
modems and KVMs. More info here:
[http://arstechnica.com/tech-policy/2014/04/bank-robbers-use-...](http://arstechnica.com/tech-policy/2014/04/bank-robbers-use-kvm-switch-and-3g-router-to-steal-money/)

Now, I feel a discussion like this one would be the perfect place for me to
introduce myself and... try to sell my services but I think I'm too late to
the party so I'll keep it short.

Banks are the archetype of the company that suffers through technology. They
make huge investments in IT year on year, but often they end up buying overly
complex solutions from 1MM consultancy companies that never get fully
implemented and, worse, cause high levels of frustration that then backfire
onto projects that could actually make a difference.

With every department (or vertical or region) running their own IT, many of
the core functions being outsourced offshore, and innovation (i.e. BYOD, shadow
IT) being ignored, some pretty serious gaps are opened in the way security is
handled. Despite best intentions, processes or even regulatory compliance, we
end up with local desktop machines having direct and unrestricted access to
sensitive systems _and_ the internet.

Of course, all this is very nice but at the end of the day if someone can just
walk in to your office to "fix your computer" and no one bothers to check
their credentials... there's only so much one can do for you.

------
jokoon
> But the largest sums were stolen by hacking into a bank’s accounting systems
> and briefly manipulating account balances. Using the access gained by
> impersonating the banking officers, the criminals first would inflate a
> balance — for example, an account with $1,000 would be altered to show
> $10,000. Then $9,000 would be transferred outside the bank. The actual
> account holder would not suspect a problem, and it would take the bank some
> time to figure out what had happened.

Sounds like a badly designed system. Usually a bookkeeping system should only
accept additions and subtractions, not have direct access to the amount
number. Those additions and subtractions should be versioned. It might take a
lot of resources and computing power to track that many accounts, but in my
opinion, if Google, the NSA and Amazon have big datacenters, banks should
too. I don't think they really have the proper infrastructure to secure
something as important as account balances. I even think the government
should invest money in securing those systems and places, since it's a nerve
of the economy.

So either use up-to-date computing methods, or hire more accountants and use
paper instead.

~~~
ukigumo
This is actually a very good point. If only there was a system of public
ledger for fiat currency :-)

~~~
jokoon
Stop it right there with Bitcoin. There are advantages to centralization.

~~~
ukigumo
Yes there are, I'm not advocating for a one solution fits all.

------
kirvyteo
"But the largest sums were stolen by hacking into a bank’s accounting systems
and briefly manipulating account balances. Using the access gained by
impersonating the banking officers, the criminals first would inflate a
balance — for example, an account with $1,000 would be altered to show
$10,000. Then $9,000 would be transferred outside the bank. The actual account
holder would not suspect a problem, and it would take the bank some time to
figure out what had happened."

A naive thought... if they leave with the exact amount of money (left) in the
bank, should it be seen as just "illegal inflation", rather than seeing it as
a theft? Someone made a gain but nobody made a loss in any case. Banks have
always created more liquidity officially through loans, except that it is
legal.

~~~
joemi
As far as I understand it, the money that was transferred out did not come
from nowhere... Ultimately it was the bank's money.

Edit: Meant to also mention that the whole making-it-look-like-an-
account-had-more-money concept was about making the fact that they were taking
the bank's money harder to notice. It was not actually creating money that did
not exist before.

~~~
justincormack
Not sure; double-entry bookkeeping is apparently not baked in everywhere. If
you can increase an account balance it might not be picked up. If this is
creating money, well, that's another question.
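
To make the append-only ledger jokoon describes and the double-entry check justincormack mentions concrete, an added Python example (written for this page, not code from the thread or from any bank): balances are derived from an immutable journal rather than stored as writable numbers, a transfer is rejected at posting time when the derived balance does not cover it, and a reconciliation pass flags a separately stored balance table that has been overwritten. Account names and amounts are constructed to replay the article's $1,000 to $10,000 scenario.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    """Immutable journal line: `amount` moves from `src` to `dst`. Lines are only ever appended."""
    seq: int
    src: str
    dst: str
    amount: Decimal


class Ledger:
    """No balance is stored as a writable field; every balance is derived from the journal."""
    def __init__(self, opening: dict[str, str]):
        self._journal: list[Entry] = []
        # Opening balances are journal lines funded from 'equity', so all balances sum to zero.
        for acct, amt in opening.items():
            self._append("equity", acct, Decimal(amt))

    def _append(self, src: str, dst: str, amount: Decimal) -> None:
        self._journal.append(Entry(len(self._journal), src, dst, amount))

    def balance(self, acct: str) -> Decimal:
        credits = sum((e.amount for e in self._journal if e.dst == acct), Decimal(0))
        debits = sum((e.amount for e in self._journal if e.src == acct), Decimal(0))
        return credits - debits

    def total(self) -> Decimal:
        """Double-entry invariant: summing every account, 'equity' included, must give zero."""
        accts = {e.src for e in self._journal} | {e.dst for e in self._journal}
        return sum((self.balance(a) for a in accts), Decimal(0))

    def transfer(self, src: str, dst: str, amount: str) -> bool:
        """Post only if the journal-derived balance covers the amount; otherwise reject at once."""
        amt = Decimal(amount)
        if amt <= 0 or src == dst or self.balance(src) < amt:
            return False
        self._append(src, dst, amt)
        return True

    def reconcile(self, cached: dict[str, str]) -> list[tuple[str, Decimal, Decimal]]:
        """Compare a separately stored balance table with the journal; list (acct, shown, derived)."""
        mismatches = []
        for acct, shown in cached.items():
            derived = self.balance(acct)
            if Decimal(shown) != derived:
                mismatches.append((acct, Decimal(shown), derived))
        return mismatches


def heist_scenario() -> tuple[bool, list[tuple[str, Decimal, Decimal]]]:
    """Constructed replay of the article's $1,000 -> $10,000 manipulation against this ledger."""
    ledger = Ledger({"acct:victim": "1000"})
    cached = {"acct:victim": "1000"}  # legacy balance table writable with stolen officer credentials
    cached["acct:victim"] = "10000"  # displayed balance inflated; the journal itself is untouched
    moved = ledger.transfer("acct:victim", "acct:external", "9000")
    return moved, ledger.reconcile(cached)
```

With the journal as the source of truth, the $9,000 transfer is refused immediately because the derived balance is still $1,000, and reconciliation reports the inflated cached figure instead of it surfacing hours later.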

~~~
niels_olson
Yes, that's absolutely fascinating. The banks wouldn't catch on until up to 10
hours later. Is it possible they're only validating their database every 10
hours?! Shouldn't the database reject the transaction instantaneously?

------
niels_olson
Imagine the black market value of the corporate knowledge these hackers now
possess. "Just get me in, I'll take care of the rest."

------
danielayoub
Brian Krebs had an interesting follow up to this story --
[https://krebsonsecurity.com/2015/02/the-great-bank-heist-or-...](https://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/)

------
niels_olson
So, we should definitely continue encouraging a Windows* monoculture in
corporate IT, right?

(the point is "monoculture", not Windows, per se. Though it is sort of the
icing on the cake.)

------
TwoBit
Given the amount of money stolen, I wonder if bribing an insider was involved.
That wouldn't be surprising to me, given that most of this was in Russia.

------
BIair
Just conjecture:
[http://en.wikipedia.org/wiki/Pass_the_hash](http://en.wikipedia.org/wiki/Pass_the_hash)

------
zschleien
The way of the future right here.

------
taivare
I don't see how Jamie Dimon's presidential POTUS cufflinks didn't scare
the hackers away.

~~~
linuxydave
Huh?

