Kaspersky reports a game-changing bank heist worth hundreds of millions
Tomorrow the NY Times will publish more details on the full Kaspersky report, which covers an infiltration of banks that is a game changer. It is a game changer because the approach demonstrates a sophistication and an understanding of banks that goes way beyond IT. Security is no longer a username and password issue. This goes to the core of banks' business processes.
Hundreds of banks have been infiltrated, mostly Russian but also American, European and Chinese, 23 countries in total, and hundreds or possibly thousands of bank IP addresses.
Here is why this is important. Whenever 99% of lay people hear about hacking and customer data or money being stolen, the going assumption is that the bad guy, perhaps some teenager in a Birmingham or Kiev bedroom, is somehow guessing your online banking password and stealing some money from your account. If we think that through, that approach is not just very hard but of limited utility. The bad guy needs to do things like obtain a credit card and pay it off, or P2P money to himself. Hard work and small potatoes.
Financial crime has evolved. It is run by organised crime, and their approach is what I want to focus on here. The Kaspersky report coming out tomorrow is going to highlight this approach, which is summarised at a high level in the pic from the NYT on Sunday.
The new approach involves patience: social engineering supplemented by patience. Patience is easy when organised crime is involved, because their other activities provide the cash flow that gives them time to develop the big job, which is what happened here. Social engineering covers a host of activities, from phone calls and email to gaining employment at a bank. Read the Wikipedia piece to see how broad that definition is. The objective is to embed malware on a computer, which gives the bad guys a window into the bank. This can provide them access to usernames and passwords and, the latest danger, to business processes. The very words 'business process' make most people's eyes glaze over, bankers included. Read on.
The NYT article indicates that the Kaspersky report covers the bad guys learning the business processes for SWIFT and the General Ledger by watching the screens of bank employees as they process accounting entries and send millions of dollars around the world. While the report also covers the theft of millions through ATMs in this job, the business process attacks are the big new development.
To me at least, the biggest new advance in the perpetrators' approach in this instance is how they infiltrated the banks' General Ledger and probably (my guess) the sub-ledgers too. They manipulated account balances and liability balances. This was not picked up by the banks, who apparently only verified such things periodically, every 12 hours. That window allowed the bad guys to send large amounts to their own bank accounts at JP Morgan and Agricultural Bank of China and go completely undetected.
Side note: what efforts were made at those two banks to perform AML and other customer screening during the account opening process in the names of the bad guys? This should be the subject of intense scrutiny, but not for the usual 'find someone to blame' reason. The point is not to penalise those banks, but rather to point out that the current new-account screening approach is always looking backwards and can never predict tomorrow's problem. Time for banks to learn from El Al and how they avoid terrorism. I digress.
The banks did not know that their customers' account balances had been manipulated, or that money which basically did not exist had been transferred out to the two banks mentioned.
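To make the ledger point concrete, here is an added example that is not part of the article or of the Kaspersky report, and does not represent any real bank's systems. It is a toy double-entry ledger in which the stored (cached) balance and the posting journal are separate, as they are in most core banking systems. An attacker with admin access edits the cached balance directly and then wires the inflated amount out. The example contrasts a bank that only reconciles balances against the journal periodically (the 12-hour pattern described above) with one that reconciles the paying account before releasing an outbound payment. Account names and amounts are made up.

```python
"""Added example (not from the article or report): cached balance vs journal
reconciliation on a toy double-entry ledger.  All accounts and amounts are
constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Posting:
    account: str
    amount: Decimal  # positive credits the account, negative debits it


class Ledger:
    def __init__(self):
        self.journal: list[Posting] = []        # append-only record of every entry
        self.balances: dict[str, Decimal] = {}  # cached running balances (the tampering target)

    def post(self, debit_acct: str, credit_acct: str, amount) -> None:
        """Double-entry posting: the journal always nets to zero across accounts."""
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.journal.append(Posting(debit_acct, -amount))
        self.journal.append(Posting(credit_acct, amount))
        self.balances[debit_acct] = self.balances.get(debit_acct, Decimal(0)) - amount
        self.balances[credit_acct] = self.balances.get(credit_acct, Decimal(0)) + amount

    def recompute(self) -> dict[str, Decimal]:
        """Rebuild every balance from the journal alone."""
        totals: dict[str, Decimal] = {}
        for p in self.journal:
            totals[p.account] = totals.get(p.account, Decimal(0)) + p.amount
        return totals

    def reconcile(self) -> dict[str, tuple[Decimal, Decimal]]:
        """Return {account: (cached, recomputed)} for every account that disagrees."""
        recomputed = self.recompute()
        zero = Decimal(0)
        return {
            a: (self.balances.get(a, zero), recomputed.get(a, zero))
            for a in set(self.balances) | set(recomputed)
            if self.balances.get(a, zero) != recomputed.get(a, zero)
        }

    def transfer_out(self, from_acct: str, to_acct: str, amount, check_first: bool) -> None:
        """Outbound payment. With check_first the paying account is reconciled
        before funds are released; without it only the cached balance is trusted."""
        amount = Decimal(amount)
        if check_first:
            gaps = self.reconcile()
            if from_acct in gaps:
                raise ValueError(f"cached balance disagrees with journal on {from_acct}: {gaps[from_acct]}")
        if self.balances.get(from_acct, Decimal(0)) < amount:
            raise ValueError("insufficient funds")
        self.post(from_acct, to_acct, amount)


def scenario(check_first: bool) -> tuple[str, dict]:
    """Constructed attack: customer holds 1,000; the attacker edits the cached
    balance up by 10,000 without any journal entry, then wires 10,000 to an
    outside account.  Returns the outcome and what a later reconciliation finds."""
    ledger = Ledger()
    ledger.post("CASH", "CUST-001", "1000")          # constructed opening entry
    ledger.balances["CUST-001"] += Decimal("10000")  # admin-level tampering, bypasses post()
    try:
        ledger.transfer_out("CUST-001", "EXTERNAL-MULE", "10000", check_first=check_first)
        outcome = "released"
    except ValueError:
        outcome = "blocked"
    # The periodic (e.g. every 12 hours) reconciliation finds a gap either way;
    # the difference is whether the money has already left.
    return outcome, ledger.reconcile()


if __name__ == "__main__":
    print("periodic check only:", scenario(check_first=False))
    print("check before release:", scenario(check_first=True))
```

The periodic run shows why a 12-hour cycle is too slow: reconciliation still reports the account (cached 1,000 against a journal total of minus 9,000), but by then the 10,000 has left for the mule account. Checking the paying account against its own journal before the payment is released turns the same finding into a block. The caveat is that this only catches balance edits that bypass the journal; an attacker who has learned the posting process well enough to forge matching journal entries would need a different control, such as independent confirmation of large outbound payments.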
I am certain the background to this crime will be even larger than the few anecdotes I picked up here, but rest assured this one is a game changer.
By the way, the amount stolen is in the range of $300 million to $900 million. They are just not sure. At the upper end that is close to a billion dollars. That is worth a lot of patience.
I searched for other reporting on this new Kaspersky report, but it all points back to the same Kaspersky marketing campaign, so we have to wait for more.
Edit. Hackernews has some additional reporting, including this pic, which validates what we know so far. Note the red arrow at the bottom indicating access to an admin computer; that truly was the key to the kingdom, because it allowed the attackers to mimic staff. Also note the "inflating account balances" in box three on the right. Hackernews also notes that the banks involved cover 23 countries and hundreds or maybe thousands of bank IP addresses.