Forgot your password?
typodupeerror
Security Crime The Almighty Buck News

Three Banks Lose Millions After Wire Transfer Switches Hacked 179

Posted by Soulskill
from the we're-all-choked-up,-really dept.
mask.of.sanity writes "Criminals have stolen millions from three unnamed U.S. banks by launching slow and stealthy denial of service attacks as a distraction before attacking wire payment switches. The switches manage and execute wire transfers and could have coughed up much more cash should the attackers have pressed on. RSA researcher Limor Kessem said, 'The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That's when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.'"
This discussion has been archived. No new comments can be posted.

Three Banks Lose Millions After Wire Transfer Switches Hacked

Comments Filter:
  • Smart Criminals (Score:5, Insightful)

    by Fluffeh (1273756) on Wednesday August 21, 2013 @02:15AM (#44627467)

    I like stories like this. If something is done really well and in a clever way (whether it was really being naughty or not) the effort, cleverness and ingenuity should indeed have its merits praised. Slashdot should have more stories like this: Hey, they did a bad thing, but look at just how WELL they did it.

    • I immediately thought of Daniel Ocean when I read TFS.
    • Re:Smart Criminals (Score:5, Insightful)

      by ls671 (1122017) on Wednesday August 21, 2013 @03:17AM (#44627689) Homepage

      Where do you think those US banks are going to take the money to make it up? In their customer pockets maybe? It's like insurance fraud, shoplifting etc. The end consumer ends up paying for that. We might think; well they already make enough money so, good for them but don't let that fool you. They are going to make up for that to keep investors happy and their stock healthy.

      Worse, they may have insurance coverage and insurance companies may raise premium for all banks making sure everybody pays for it.

      Sure, it looks nice as a hacker movie scenario although...

      • Re:Smart Criminals (Score:4, Insightful)

        by geekymachoman (1261484) on Wednesday August 21, 2013 @06:30AM (#44628509)

        End consumer (commoners) always end up paying, one way or another, in all situations. Nothing new there.

        Sometimes I think that instead of being a obedient sheep, waking up early, working 10 hours and generally being exploited while barely having enough for comfortable "life", I should turn to let's say.. victimless crime*.
        I know this is frowned upon by society, but only because those in power are propagating idea that we should be obedient.. so they can keep all the f money and have less competition.
        The banks are criminals, the politicians are criminals, the religious leaders are criminals, insurance companies, pharmaceutical companies, governments, etc. In modern world, they just upped it to a new, modern level. It's not corruption same as in 3rd world country, but it still exist just behind the curtains and/or through loopholes they made for themselves.

        I know people that acquired wealth by pillaging (literally), smuggling cigarettes and guns. Now they are respected businessmen that have legal businesses, and are hiring you to work 10 hours a day for them while they propagate the idea that doing anything "illegal" is bad. Exactly the same as those mentioned above are doing.
        It's all just to keep you in check and under control. Every each one of them are full of it.

        (*) = As a programmer, that would be let's say hacking wordpress sites and selling them to someone or using them to make a profit. System Administrators should be happy. This creates jobs for them.

        • End consumer (commoners) always end up paying, one way or another, in all situations. Nothing new there.

          Sometimes I think that instead of being a obedient sheep, waking up early, working 10 hours and generally being exploited while barely having enough for comfortable "life", I should turn to let's say.. victimless crime*.

          (*) = As a programmer, that would be let's say hacking wordpress sites and selling them to someone or using them to make a profit.

          If you're working a middle class job in western society and you are healthy, your greatest burden is probably deciding what you want to eat for dinner. The standard of living you enjoy is higher than what most people have endured since humans began walking the earth. Your life or the life of someone you love has probably been saved at least once by the pharmaceutical companies you rail against.

          And on what planet is "hacking wordpress sites and selling them to someone or using them to make a profit" a vict

        • by cusco (717999)
          You might find Catherine Austin Fitts' 3-part essay "NarcoDollars for Beginners" on the NarcoNews.com web site interesting. (It has been copied without attribution to other web sites as 'NarcoDollars for Dummies'.) She lays out in pretty undeniable logic why and how **ALL** of the large fortunes in the US today are involved in the drug trade one way or another, some of the ways that money is laundered and the effects it has on our economy and our communities, and some of the mechanisms that our politician
      • What's worse is those new fees they attach to recover those lost funds, will be ongoing long after the funds have been recovered from our pockets. It's Corporate Rape against the populous.

      • Re:Smart Criminals (Score:4, Interesting)

        by Hatta (162192) on Wednesday August 21, 2013 @08:59AM (#44629469) Journal

        If the banks had a way to extract more money from us, wouldn't they already be doing it? Why would they wait until they were hacked and lost money to raise prices, if they thought it would increase their income?

      • Annnnnnnnd it's gone. [youtube.com]
    • by jovius (974690)

      True, it makes a great read - when nobody is cleverly and ingeniously maimed or killed.

    • by InterGuru (50986)

      Another example of the increasing skill requirements for today's work force. 50 years ago the only skills required to rob a bank was the ability to hold a gun and drive a getaway car. Now - sheesh - you have to know how to break into a high security switch.

      The average guy has no chance to make it nowadays.

      • Makes me glad I am not going to live 300 years in the future. You know what they'll be teaching in high schools then? Shit would probably go way over our heads.

      • by tlhIngan (30335)

        Another example of the increasing skill requirements for today's work force. 50 years ago the only skills required to rob a bank was the ability to hold a gun and drive a getaway car. Now - sheesh - you have to know how to break into a high security switch.

        The average guy has no chance to make it nowadays.

        Not to mention that takes were probably higher in the bad old days as well. Nowadays since it's all numbers in a database, the bank only needs enough cash to cover withdrawals for the day (which aren't tha

    • by coofercat (719737)

      If you're going to go down for something, make sure it's big. In the case of theft, make sure you're stealing several wasted lifetimes worth of money so that you can afford the legal defence, and eventual breaking out of jail. And you can afford to do the same for everyone involved.

      There's no point getting banged up and a criminal record for petty theft.

      I'm with you on this - it might be criminal, and it might be taking money from the banks customers, but it sure is a slick manoeuvre.

    • by gweihir (88907)

      Indeed. And they even were smart enough to not get greedy, the typical downfall of otherwise smart criminals and criminal hackers.

  • stealthy? (Score:5, Informative)

    by phantomfive (622387) on Wednesday August 21, 2013 @02:17AM (#44627473) Journal

    slow and stealthy denial of service attacks

    I don't think a DOS can be stealthy......if it's denying service, are people going to notice?

    • Re: (Score:2, Funny)

      by Anonymous Coward

      If nobody's around when the DOS is being executed, did it really happen?

    • Re:stealthy? (Score:5, Interesting)

      by morcego (260031) on Wednesday August 21, 2013 @02:33AM (#44627519)

      slow and stealthy denial of service attacks

      I don't think a DOS can be stealthy......if it's denying service, are people going to notice?

      A stealthy DOS is when the attack looks like a normal occurrence, and not an attack. It is not the DOS that is stealthy, it is the attack or, rather, the reason for the lack of service.

      It is a very neat thing, actually. Say you have a very long, segmented fence. There are 1000000 segments, and every day 1 of those will break and stay broken for 10 seconds. You can't explore that, because it is random, and you can't try all 1000000 segments in 10 seconds. However, if you can force the dice and make a specific segment tail, you can be there and exploit it, because you know which one and when. To the external observer, however, it was just a normal, run of the mill segment fail.

      It is the same concept. The failure is there, they notice it, but it is done in such a way they don't notice it is an attack.

      • They don't notice the increase (or sharp decrease) in traffic?
        • Woosh.

          No they don't notice that the real attack is different from the previous 'fake' attacks.

        • by higuita (129722)

          what if they are requesting heavy pages? what if they slowly increase the load for several hours/days? you can see a increase, but don't care much, it looks like normal users , a natural increase of traffic ... only after it keep increasing or is sustain for a long period you start to be alert. And even that you may point finger to a deploy made a few minutes/hours/days ago that might have change the site load distribution ( you may test for errors before deploying, but load factor is harder to test, specia

          • Well, if the load isn't heavy enough to deny access (or cause problems), then it's not a DOS. If the load is heavy enough to deny access, then if you think it's normal usage, you will buy more servers
      • by plover (150551)

        A better analogy would be a case of an actual bank burglar. There was a guy (many decades ago) who found a way to set off a specific burglar alarm sensor at a local bank. Every night at 2:00 AM or so he would do whatever it was to trip the alarm, then quickly sneak away. He'd watch the cops arrive, shine their flashlights around, find nothing, then leave. After repeating this pattern for a couple of weeks, the cops stopped showing up after the alarm was tripped. He then broke into the bank.

    • by bactus (101056)

      A DoS should be stealthy if the purpose is to e.g temporarily get a part of the system to accumulate transactions.
      The resulting queue can then be manipulated before stopping the DoS

  • Something (Score:4, Interesting)

    by Impy the Impiuos Imp (442658) on Wednesday August 21, 2013 @02:30AM (#44627509) Journal

    I must be missing something -- did these people transfer it to an account then go withdraw millions in cash quickly? Or did it take months for it to be discovered?

    I can't conceive of any other way that would insulate against a reversal, no matter how many accounts and banks around the world they forwarded it to. Even Swiss banks go along with obvious criminality investigations nowadays.

    • You assume that banks have full referential integrity. I.e. Every transaction must have a source and destination account, and both accounts can be verified from their server.
      If they don't then you just say it got sent to another bank where they can't verify the destination, then send another transaction to a different bank for the same value.

      Or if you really want to cause hell, just change numbers. Make money appear from nowhere or make it vanish.
      You can't stop the world's banking networks and replay each t

    • Re: (Score:3, Interesting)

      by jxander (2605655)

      You assume the banks actually WANT to catch the criminals. They'll just use this as an excuse to fleece their customers. "We're now adding a $1/month anti-wire-payment-switching fee to all accounts." Add a little spin, and the cost is there to protect YOU, Mr or Mrs Customer ... and there you have it. The millions stolen will be reimbursed in short order. After that, it's pure profit.

      • They'll just use this as an excuse to fleece their customers. "We're now adding a $1/month anti-wire-payment-switching fee to all accounts."

        But first, they need to collect from the insurance companies.
        And then they need a government subsidy to help protect their infrastructure in the future
        Next, they'll re-negotiate costs with their partners who failed to protect them ("Why are we paying you so much? If you want to keep us as your customers then we need to talk price. Oh, no need to actually fix anything;

      • I'm pretty sure the banks are pretty good at catching criminals. They just don't tend to do with them what we would expect...
    • by jonbryce (703250)

      They transfer the funds to money mules who then transfer it to them using Western Union or similar. It is the money mules who end up losing out when the fraud is discovered. The transfer to them gets reversed, leaving an overdrawn account, but withdrawing the money as cash to take to a Western Union shop isn't a reversible transaction.

  • ..will just use this as an excuse to hold your money even longer. Thanks Obama.

  • by dutchwhizzman (817898) on Wednesday August 21, 2013 @03:09AM (#44627649)
    You can put authorization codes in transactions, but if they aren't digitally signed, you can alter them in transit. Maybe banks should start exchanging signing keys and not transfer authorization codes?
  • by PerformanceDude (1798324) on Wednesday August 21, 2013 @03:11AM (#44627671)
    These attacks are actually a little too easy to effectuate. The drive to outsource to third world countries and lack of training for local staff means that they are all a prime target for a social engineering attacks. It does not take a lot of organised resources to then create the requisite diversion for the often overwhelmed security staff and you have a big win in the pipeline. Of course it requires some skill, but nothing more than a course or two at Blackhat USA will give you. If you also have the benefits of the funds of a large Russian crime syndicate and the personal "motivation" that flows from that, along with an almost zero risk of prosecution due to jurisdictions - hell - why wouldn't you go for it?

    The bottom line is that we need to harden up our defences more and more. We may even have to disconnect essential financial infrastructure from the internet and bring it back onto a completely private network that it costs a substantial amount of money to join and be authenticated to. It should come with the proviso that any device connecting to it, could also not be connected to the internet or an unknown intranet device at the same time. This would not be bulletproof, but it would substantially reduce the risk.

    • by b4upoo (166390)

      Perhaps a 24 hour hold on all transfers would take care of much of the problem. By having a built in delay any institution could judge normal traffic by running software designed to notice unusual transfers. It is rather like a credit card situation. Many card holders are very consistent if shopping close to home exclusively. So why not have software that red flags when a person suddenly seems to be hundreds of miles away and have stores carefully check IDs or get a phone conversation with the card

    • Did you really just use the word effectuate?
  • by MobSwatter (2884921) on Wednesday August 21, 2013 @03:21AM (#44627703)
    Crooks robbing crooks...
  • You be amazed (Score:5, Interesting)

    by LordWabbit2 (2440804) on Wednesday August 21, 2013 @03:21AM (#44627705)
    You would be amazed - or maybe shocked - to see some of the banking systems out there. I have worked for several financial institutions and their systems are usually very very old legacy crap stuck together with bubble gum and faith. One place was dealing with 70% of the countries financial messaging and they were not using transactions, if there was a problem (and there often was) messages were lost. Asked if I could change it to use transactions, couple lines here, couple lines there.
    NO.
    Why?
    Cost to test would involve the entire country and would cost millions.
    OK.
    So they are still losing messages.
    • by game kid (805301)

      Too big to fai^Wrepair.

    • by neurovish (315867)

      You would be amazed - or maybe shocked - to see some of the banking systems out there. I have worked for several financial institutions and their systems are usually very very old legacy crap stuck together with bubble gum and faith. One place was dealing with 70% of the countries financial messaging and they were not using transactions, if there was a problem (and there often was) messages were lost. Asked if I could change it to use transactions, couple lines here, couple lines there.
      NO.
      Why?
      Cost to test would involve the entire country and would cost millions.
      OK.
      So they are still losing messages.

      How much do the lost messages cost the company?

    • Re:You be amazed (Score:5, Interesting)

      by cusco (717999) <brian DOT bixby AT gmail DOT com> on Wednesday August 21, 2013 @11:59AM (#44631991)
      Even the internal staffing standards are ridiculous. I worked as a minimum wage Kelly Services temp for a time and ended up with a five month assignment to the trust department of a fairly large midwestern bank while the regular admin was on maternity leave. Two weeks after I started one of the trust managers gave me a list of several million dollars of checks to write as they were dissolving a large trust. I objected, "Rod, I'm just a temp. Are you sure I can do this?" Sure enough, not only did I have permissions to write checks and do transfers of over a million dollars, but the other admin decided to go to lunch and leave me alone in the office while I did it. And here we had closed our bank account in Peru just a few months earlier . . .

      I had an instructor for Windows Server Security whose day job was doing pen tests of financial institutions. When they would arrive on a site and set up in a conference room he would unpack their equipment while his partner would get on the phone calling branch offices. "Hello, this is George, the new guy on the HelpDesk. I need to make some changes on the network equipment in your office, but I don't have the login details and my coworkers are at a benefits meeting. Since your branch manager has sufficient permissions can I ask a really big favor and get his login info?" In two years of pen testing he never failed to acquire branch manager credentials from at least one office by the time the equipment was even unpacked and set up.
  • Why has there not been any information as to which banks were involved. That's kind of important. regardless if this directly impacts a customer or not I would like to know if it was my bank...
    • You can feel confident that your bank is also running a lousy, hackable system as well. Most banks do.
  • by WindBourne (631190) on Wednesday August 21, 2013 @03:46AM (#44627817) Journal
    These banks run the crappiest OS and security systems. Then when they are cracked, they do not want it known who they are, BUT, we taxpayers will be on the hook for these idiots that refused to run secured systems.

    You would think that at this time, that they would be smart enough to limit the internet's transactions, to being slower than what it takes to process the security issues.
  • Bait and ... hit the switch ... lights out
  • No matter what happens, some one else faces the consequences, when it comes to these banks. There is bad security, bad implementation, total lack of understanding of how their systems could be breached. They will fire a few techies, for poor security. But the bigwigs drawing big salary, even their bonus would not be touched. May be they will get more bonus for taking a firm stand and firing these techies who show up to work in jeans and ear rings.

    Even when they lie through their teeth to sell junk as gold to others they don't end up in jail. We all will pay, through more bank fees, more insurance costs, more taxes to bail them out. And they will dance all the way to their own private bank.

  • I hate when an article eludes to a point but never actually provides the full disclosure details.

    Which three US banks?

  • by bill_mcgonigle (4333) * on Wednesday August 21, 2013 @09:23AM (#44629761) Homepage Journal

    I happened to be at a bank yesterday, inquiring about a bank transfer. Turns out it was cheaper for me to get a bank check and overnight it than it would be to do a bank transfer, and the bank transfer wasn't even guaranteed to be complete within 24 hours.

    The young teller thought the system was as odd as I did ("hey, I just work here") and was more interested in asking me about nuclear transmutation in star formation than banking (my strange little world...) but I have to assume that when the banks are 20 years behind Western Union and Walmart that their systems are too. I wouldn't expect 20 year old systems to be robust against attack and it would surprise me if they put much effort into otherwise defending them.

    • by asylumx (881307)
      It's faster for me to write my wife a check and have her deposit it via her mobile phone than it is for me to do a direct transfer from my account to hers. Sad, isn't it? The first takes about a day for the money to clear, the second takes upwards of five days.
    • FWIW if you have a local branch of their bank near you, then you can go deposit a check in their account for free. That's usually the best way to transfer money, I've found.
      • Cool tip, thanks. Not relevant in this case, but we do have a few national banks in the area and it might come up again.

    • by cusco (717999)
      We mail a debit card for our account to my in-laws in Peru. Doing an international bank transfer used to cost $30 (probably more now), took 4 days to 4 weeks (twice they sent it to a branch in the wrong city, once to the wrong country), and $10 + 1% to withdraw there. Didn't matter if it was $100 or $5000. A cash machine withdrawal for up to $500 costs us $2 here plus $1.50 there, and as many as three withdrawals can be done in a day.
  • Sounds like some crooks watched the old 80's movie Prime Risk. Except they probably didn't use an Atari 800/810 combo for hacking.
  • by nuckfuts (690967) on Wednesday August 21, 2013 @03:22PM (#44634609)
    When money is stolen like this, it must be transferred to an account somewhere. Why is it not a simple matter to trace where the funds were transferred to and go after them?

"I have more information in one place than anybody in the world." -- Jerry Pournelle, an absurd notion, apparently about the BIX BBS

Working...