Three Banks Lose Millions After Wire Transfer Switches Hacked 179
mask.of.sanity writes "Criminals have stolen millions from three unnamed U.S. banks by launching slow and stealthy denial of service attacks as a distraction before attacking wire payment switches. The switches manage and execute wire transfers and could have coughed up much more cash should the attackers have pressed on. RSA researcher Limor Kessem said, 'The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That's when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.'"
Something (Score:4, Interesting)
I must be missing something -- did these people transfer it to an account then go withdraw millions in cash quickly? Or did it take months for it to be discovered?
I can't conceive of any other way that would insulate against a reversal, no matter how many accounts and banks around the world they forwarded it to. Even Swiss banks go along with obvious criminality investigations nowadays.
Re:stealthy? (Score:5, Interesting)
slow and stealthy denial of service attacks
I don't think a DOS can be stealthy......if it's denying service, are people going to notice?
A stealthy DOS is when the attack looks like a normal occurrence, and not an attack. It is not the DOS that is stealthy, it is the attack or, rather, the reason for the lack of service.
It is a very neat thing, actually. Say you have a very long, segmented fence. There are 1000000 segments, and every day 1 of those will break and stay broken for 10 seconds. You can't explore that, because it is random, and you can't try all 1000000 segments in 10 seconds. However, if you can force the dice and make a specific segment tail, you can be there and exploit it, because you know which one and when. To the external observer, however, it was just a normal, run of the mill segment fail.
It is the same concept. The failure is there, they notice it, but it is done in such a way they don't notice it is an attack.
Unsigned transactions? (Score:4, Interesting)
A little too easy - sadly (Score:5, Interesting)
The bottom line is that we need to harden up our defences more and more. We may even have to disconnect essential financial infrastructure from the internet and bring it back onto a completely private network that it costs a substantial amount of money to join and be authenticated to. It should come with the proviso that any device connecting to it, could also not be connected to the internet or an unknown intranet device at the same time. This would not be bulletproof, but it would substantially reduce the risk.
You be amazed (Score:5, Interesting)
NO.
Why?
Cost to test would involve the entire country and would cost millions.
OK.
So they are still losing messages.
Re:Something (Score:3, Interesting)
You assume the banks actually WANT to catch the criminals. They'll just use this as an excuse to fleece their customers. "We're now adding a $1/month anti-wire-payment-switching fee to all accounts." Add a little spin, and the cost is there to protect YOU, Mr or Mrs Customer ... and there you have it. The millions stolen will be reimbursed in short order. After that, it's pure profit.
Re:Smart Criminals (Score:4, Interesting)
If the banks had a way to extract more money from us, wouldn't they already be doing it? Why would they wait until they were hacked and lost money to raise prices, if they thought it would increase their income?
Re:You be amazed (Score:5, Interesting)
I had an instructor for Windows Server Security whose day job was doing pen tests of financial institutions. When they would arrive on a site and set up in a conference room he would unpack their equipment while his partner would get on the phone calling branch offices. "Hello, this is George, the new guy on the HelpDesk. I need to make some changes on the network equipment in your office, but I don't have the login details and my coworkers are at a benefits meeting. Since your branch manager has sufficient permissions can I ask a really big favor and get his login info?" In two years of pen testing he never failed to acquire branch manager credentials from at least one office by the time the equipment was even unpacked and set up.