Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Crime Security The Almighty Buck

Bank Hackers Steal Millions Via Malware 131

An anonymous reader writes: When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem. Instead, they found the ATMs were just the tip of the iceberg. The bank's internal computer systems were completely compromised, and in addition to the slow but steady siphoning of funds through physical machines, a criminal group was quietly transferring millions of dollars into foreign bank accounts. A report set to be published on Monday shows the attack extended to over 100 banks in 30 nations.

"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms." Kaspersky Lab is unable to name the banks involved because of non-disclosure agreements, and no banks have come forward to acknowledge the breach. "The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing."
This discussion has been archived. No new comments can be posted.

Bank Hackers Steal Millions Via Malware

Comments Filter:
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Saturday February 14, 2015 @07:18PM (#49057333)
    Comment removed based on user account deletion
    • "Why stop at one?" asked the Federal Reserve.
      • Robbing is a legal concept, the federal reserve has never robbed.

      • :-) Don't you mean the IMF?

        • Re: (Score:2, Troll)

          by blue trane ( 110704 )

          True! The IMF has the power to create money too but it doesn't, instead imposing draconian austerity measures on countries that don't work. The IMF is a killer, robbing countless Greeks of their lives.

        • By all means include them, if you can catch Dominique Strauss-Kahn in a moment when clad.
    • by ColdWetDog ( 752185 ) on Saturday February 14, 2015 @07:24PM (#49057353) Homepage

      Second best way is to impersonate the person that owns one. Sounds like what these guys did. However, according to TFA they were very patient and methodical, leading up to the assertion that they were 'cybercriminals' rather than state actors. Of course, the last time this weird dichotomy came up, the attackers were state actors because they were so patient and thus weren't plain ol criminals.

      Sounds a bit clueless to me. Given the level of information we get from fine articles such as this, I have to wonder just what, if anything at all, really happened.

      Best thing about the article is Sergey Golovanov's T-shirt.

      • Comment removed based on user account deletion
      • ...Of course, the last time this weird dichotomy came up, the attackers were state actors because they were so patient and thus weren't plain ol criminals....Sounds a bit clueless to me.

        That's because according to all the rabid wannabe economists here on slashdot, if you're a government, you don't need to break into a bank to steal money. In the Sony break-in, there was no actual money to be stolen. Those Hollywood accountants are really good ;-)

    • Comment removed based on user account deletion
    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Saturday February 14, 2015 @07:32PM (#49057371)
      Comment removed based on user account deletion
  • by Anonymous Coward

    Bitcoin Unaffected.

    Buh buh buht... uhhh... yeah... Damn. Bitcoin Unaffacted. That's all I can say.

    • by beelsebob ( 529313 ) on Saturday February 14, 2015 @07:28PM (#49057365)

      Right, because no one has ever stolen bitcoin by hacking into a computer and emptying accounts... oh wait...

    • If this happened to bitcoin, people would have lost money. Thanks to insurance, no bank customer was robbed.

      • that depends. I know at most banks it will say things like "garenteed up to 100K or something along those lines. I would hope if one had more money than the limit, they would spread it to different accounts but no, people could lose real money over this
  • by Okian Warrior ( 537106 ) on Saturday February 14, 2015 @07:26PM (#49057361) Homepage Journal

    The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.

    Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.

    • Why are banks allowed to do this?

      Because the customers let them. They are welcome to withdraw their money on mere suspicion. We already know that the big banks are criminal organizations, yet nobody is closing their accounts. Too inconvenient for one thing. So, here we are.

    • Bank of America? (Score:5, Interesting)

      by Etherwalk ( 681268 ) on Saturday February 14, 2015 @08:30PM (#49057563)

      The theory behind "not naming banks" is that if named, people would leave the bank and go to another one.

      Why are banks allowed to do this? This completely negates the "vote with your wallet" power that the public should have.

      Because they signed a nondisclosure agreement, and because people are afraid of defamation lawsuits.

      It is worth noting that Bank of America just had a five-day IT outage/upgrade/etc... during which their credit card interfaces had limited data, etc... It may be unrelated, but... it was for *five days*.

      It may well be unrelated--credit cards v. bank accounts and all that--but it may not be. That's a *really* long time to do the public part of upgrading a system.

      Anyway, it's all insured (don't read the stuff about losing your online banking password too closely), and you can always sue if they tried not to cover you, so it's not worth a run on any banks unless they start losing a lot more. At least they're paying attention.

    • For the answer on why we don't reveal this information read up on the 1929 bank failures [history.com]. For the tl;dr crowd: There's a very good reason that we don't say which banks are having problems because they get ran out of business quickly (often within hours) and everyone that didn't make it in time looses their money. It happened in 1929 in the U.S. and it destroyed our economy for a decade.

      • For the answer on why we don't reveal this information read up on the 1929 bank failures [history.com]. For the tl;dr crowd: There's a very good reason that we don't say which banks are having problems because they get ran out of business quickly (often within hours) and everyone that didn't make it in time looses their money. It happened in 1929 in the U.S. and it destroyed our economy for a decade.

        Are you saying people would actually lose money if their bank went under? That there's no FDIC (Federal Deposit Insurance Corporation) or other safeguards? Are you saying that the federal reserve wouldn't overnight a truckload of cash if there was a run on the bank?

        Are you saying that banks can do a slip-shod job, have no repercussions, and this is a *good* thing?

        Just as GM can lose business by making a faulty ignition switch, banks should lose business when they lose the public trust.

        Banks SHOULD lose busi

        • You do realize who picks up the tab when the FDIC has to bail out a bank right? The answer is you and me. I agree the banks should be punished for bad behavior but, history has taught us that standard capitalist repercussions are bad for the economy as a whole and different solutions to the problem need to be used.

    • by vm146j2 ( 233075 )

      yes. does this help people who believe stuff like "you can vote with your wallet" understand that they are working with a flawed model of the world? sadly, no.

  • by rmdingler ( 1955220 ) on Saturday February 14, 2015 @07:27PM (#49057363) Journal
    Is it likely that defenses employed by banks (and other market segments) will need to be downgraded to hacker-resistant in the same vein that things are now fire-resistant instead of fireproof?

    It became clear to me years ago that I could only make something fool-resistant, since as soon as I imagined foolproof had been achieved, they kept making a better fool.

    My takeaway: The most devilishly clever security system, devised by the most gifted programmers, in a scenario where money was no object, can still be compromised because of the human user element in the implementation of the system.

    • The most devilishly clever security system, devised by the most gifted programmers, in a scenario where money was no object, can still be compromised because of the human user element in the implementation of the system.

      Banks don't have any of that shit. That's the problem.

    • Re: (Score:3, Interesting)

      by Opportunist ( 166417 )

      Yes, it is possible to create a hack proof system. Is it economically feasible? That's the real question here.

      And here even the old metric of risk assessment goes out the window. No, seriously. We're talking about a mission crippling threat (or, in simple terms, "if it happens, we're fucked"), something that usually is required to protect against. For the obvious reason, if it happens, we're done for. Like a rocket engine on a space ship, you want one that DOES work no matter what because if it for some odd

    • by Livius ( 318358 )

      ...because of the human...

      But we're talking about banks.

  • by grnbrg ( 140964 ) <slashdot.grnbrg@org> on Saturday February 14, 2015 @07:28PM (#49057367)

    ..... Wait, what?

    Oh. Nevermind then.

    • dollars in a bank can be insured, how's that bitcoin insurance industry doing?

      • hmm, you just gave me a business idea. Alt coin insurance.
      • by Canth7 ( 520476 )
        Bitcoin can and is being insured as well. After all, it's no harder to protect Bitcoin private keys than say Verisign's root certificates, which are insured against theft as well. And it's still an unfortunate thing that our banks are so susceptible to hacking and theft. After all, whether through increased costs of private insurance or FDIC, we all pay for the losses that a bank incurs.
        • No, some companies just started offering it. But "bitcoin is insured" is a generally false statement right now.

  • Trace the Transfers? (Score:5, Interesting)

    by chill ( 34294 ) on Saturday February 14, 2015 @07:37PM (#49057387) Journal

    So shouldnt' they be able to trace the transfers to the destination accounts? And continue doing so until the money is withdrawn?

    Hell, even in places like Kazakhstan they don't have pallet loads of $100 bills waiting around for people to withdraw millions in cash. And you don't really walk into a bank ANYWHERE in the world and pull out millions in cash from a newly opened account without tons of ID, paperwork, being on cameras, access to large armored trucks, etc.

    I'm familiar with the concept of mules and blinds, but for a scheme so sophisticated it sounds suspicious to use low level mules to pull out millions in cash. Multiple points of failure/discovery.

    How the hell do they get the actual money OUT?

    • How the hell do they get the actual money OUT?

      Bypass encryption from a Country not beholden to cooperate with the U.S. Sadly, the list is growing.

      Here's the craziest part of the whole story. One of these banks may not have cashed a check I had, made out to me... by my employer ... who rented office space out of the same building, simply because I was one shy of three IDs.

      $Tens of millions U.S. leaves out in the night without any real-time human authentication.

  • Boy what a freaking scam these security firms are engaged in these days. "Gee, we can tell you what happened but that million dollar 'hush' money payout they gave us precludes us from offering any REAL protection to everyone else.
    • Not quite. That particular malware makes it into their database so other customers should be slightly safer.
      I'm not sure how effective this anonymity through obscurity is though, presumably people in Kiev know which bank's ATMs randomly regurgitate cash. It will also have been reported so Ukranian (or Russian) speakers will be able to use Yandex or Google.

  • Most of the malware problem is white listing. Spyware and malware are using government spyware signatures which are white listed by virus scanners. If you run a well-known keylogger and network spyware software it is white listed by virus scanners. Recently the poor quality antivirus product McAfee, was listing network monitoring software ( Surveillance ) by its actual name even when it was in zip format. No other virus scanning products does. No doubt within a few weeks McAfee, will no longer name it. If
    • Although I enjoy a good conspiracy theory as much as the next guy, I can't figure out why McAfee, which is based in the US, and Kaspersky, which is based in Moscow, would work together to conceal each others' government spyware from us via some sort of universal white list. You'd think everybody would have a different white list to serve their own governments' conspiracies.

      Hey...wait a minute...I just realized how naive I've been not to have realized that all world governements actually are conspiring toge

      • by HiThere ( 15173 )

        The thing is, your "one whoppin' good conspiracy!" is correct, except that you included one word too many. You should have said: "Hey...wait a minute...I just realized how naive I've been not to have realized that all world governements actually are conspiring to oppress us. Now that's one whoppin' good conspiracy!" Only the word "together" makes it incorrect. But sometimes some of them cooperate. (OTOH, I do accept that the secrecy is enforced contractually in this case. )

  • by eyepeepackets ( 33477 ) on Saturday February 14, 2015 @08:44PM (#49057615)

    The internet was designed to be amazingly robust, able to successfully get a message through a nuked-out infrastructure -- point A to point Z via any number of non-predetermined intermediate points. It was not designed to be secure because such security wasn't deemed necessary to the completion of the mission of getting a message to point Z from point A regardless the damage inbetween the two points.

    What security it does have has been bolted on after-the-fact much like bolting a wind spoiler onto a Volkswagen Beetle. and with pretty much the same comical effect. "Secure" internet will require some serious redesign at the various hardware and sofware levels before it can be secure.

    An interesting question is whether or not it can be both very robust and very secure at the same time?

    My point being that the warnings about the above were made loud and clear in the mid-1990s when the internet was "discovered" by the citizenry and the commercial interests and yet everyone yelled "Full speed ahead!" and so here we are.

    • by davidwr ( 791652 ) on Saturday February 14, 2015 @09:23PM (#49057751) Homepage Journal

      We can and do use the insecure internet to securely transmit information.

      All to often we do it wrong though. Doing it wrong means we can be fooled.

      Sometimes we do it wrong on a technical level, such as using out of date encryption, fundamentally broken encryption, or worse.

      Sometimes we do it on a human level, such as not occasionally verifying that the account-holder or bank employee is the one and only person who has used his credendials recently using a non-technical means.

      Sometimes we do it wrong in our business practices, such as by not doing frequent-enough random audits and not forseeing that a particular type of attack is worth monitoring for. I will grant some leeway here in that "ridk management" != "risk elimination."

    • Excellent point.

      I grew up with all this shit. I got my first micro computer in 1978 (I was a 33-year old electronics tech) and my first coding gig in 1986.Computers were very easy to hack via floppy disk (the 5 1/4" kind).

      Each computing device has much greater responsibility nowadays, but the security has made NO advances.

      • by Bob_Who ( 926234 )

        Each computing device has much greater responsibility nowadays, but the security has made NO advances.

        Neither has human nature.

      • Each computing device has much greater responsibility nowadays, but the security has made NO advances.

        I've noticed the same problem with cats and mice. No matter what advances the cats make, the mice remain. One can only assume that the mice make advances at about the same rate as the cats.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday February 14, 2015 @09:48PM (#49057849) Homepage Journal

      An interesting question is whether or not it can be both very robust and very secure at the same time?

      You can have a very secure network right now, and have it be very robust, too. You can deny all non-encrypted communications, use certs for all comms, and exercise close control over your certs. You can prevent users from running any unauthorized software, and you can use software without extraneous bullshit, e.g. avoid using Windows as a thin client which is truly a full retard move. But that's a huge PITA, so nearly nobody ever does these things properly, even banks.

      Banks should have to announce to their customers when their networks have been penetrated.

      • by Anonymous Coward

        But why should banks have to announce anything? If I have a factory that gets robbed, I don't have to tell anybody as long as I still deliver the promised goods to my clients. If none of their customers are actually out any money (for more than a few days or hours while they clean up the mess) why does it really matter? It's between the bank, their insurance provider, and possibly the government.

  • Payback is a bitch.

  • Comment removed based on user account deletion
  • ... had been vaccinated at birth.

  • I always though computer operating systems were only capable of being hacked, but thanks slashdot for giving us that technically insightful and informative heads-up ..

    "First, they get physical access to the ATMs and insert a bootable CD [kaspersky.com] to install the malware -- code named Tyupkin by Kaspersky Lab. After they reboot the system, the infected ATM is under their control."

    "The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file [virustotal.com] for the Windows GUI subsystem"
  • "When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem."

    The problem is that Kaspersky wasn't "called in", it's just a dubious PR tactic coupled with a journalist who (surprise, surprise) didn't do any own research. They took a discovery from December, renamed the network, inflated the amounts and spun someone else's work as their own.

    Graham Cluley had a suspicion about the details which looked a

Fast, cheap, good: pick two.

Working...