How to hack a bank
Pulling off the perfect bank heist takes precision and planning, with soft targets ripe for the picking.
Everyone wants to retire young, rich, and... well, rich. But you need money for that. And lots of it. And no one ever got rich alone. It takes networks, planning, patience and commitment, oodles of guts and a little luck. There's no such thing as a get-rich-quick reality. Unless, of course, you steal it... and more importantly, get away with it.
Any "operation" is just that - an operation. There has to be a team of committed role-players, and a tailored timeframe and checklist to secure success. There have been loads of reports of large hack-ops in the press lately. What caught my eye (and imagination) was the spate of recent SWIFT network breaches, where cyber thieves relieved banks of billions of dollars.
These included banks such as Bank of Bangladesh, Bank of Ecuador, Industrial & Commercial Bank of China, Bank of Tokyo Mitsubishi, UniCredit, Australia & New Zealand Banking Group, United Overseas Bank of Singapore, South Korea's Kookmin Bank, and Japan's Mizuho Bank.
The perfect bank job
Below are some plausible steps that cyber crims could take in order to pull off the perfect bank heist - without ever needing a tommy gun or breaking a sweat - and get away scot-free.
Step 1: Scout for a soft target
The ripe victim has large collections of data pools, and these data pools are reachable from outside via RDP or even VPN. The target will also have a large 'network' of disparate systems - nice and complex and nearly impossible to manage or govern. There is minimal evidence of control mechanisms, like dashboards, and there are signs of legacy processes, technology and security practice. The ideal locations have lax cyber security policy frameworks and lax money-laundering regulations, plus other exploit-easy factors like non-extradition agreements, unsecured border controls, etc. Things like that!
Step 2: Obtain an 'inside-man' (whether he knows it or not)
Once a viable target is identified, it's time to gain entry to the network. Social engineering is the process of extracting confidential information from individuals without them knowing it. It's the systematic and sometimes psychological process of relieving people of passwords or other personal information, so one can use that information to fuel further fraudulent activity. There are loads of techniques, like phishing, spoofing, malware and 'Web-bots'. E-mail and social media are the most vulnerable points of entry into a person's life and networks. A company is most at risk due to its people and their online behaviour. The fact is that most people are untrained when it comes to secure e-mail and social media practice.
Step 3: Get the tech
There are tons of freely downloadable malware programs to choose from. But, in the case of the SWIFT hacks, it seems a custom piece of malware was developed and systematically deployed in a sniper-like effort. These examples imply an intrinsic understanding of the targeted banking and SWIFT platforms and systems, processes and underlying technology at a coding, processing and governance level. These attacks were highly orchestrated. Little was left to chance, and every step, down to escape and the automated removal of activity logs, was carefully put into action.
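The automated removal of activity logs is the step a defender can most cheaply make visible. The following is an added example, not code from the original column and not anything used by the banks or by SWIFT: a small HMAC-chained audit log in Python, where every entry's tag covers the previous entry's tag, so a deleted or altered record breaks the chain and a sequence gap shows where the hole is. The records are constructed sample data, and the key is assumed to live on a separate log-collection host rather than on the machine writing the log (otherwise an intruder with host access could simply re-chain the log after wiping it).

```python
import hashlib
import hmac
import json

# Constructed sample records standing in for payment-system activity.
# Field names and values are made up for this example.
SAMPLE_RECORDS = [
    {"seq": 1, "msg": "MT103 out", "amount": 1000},
    {"seq": 2, "msg": "MT103 out", "amount": 2500},
    {"seq": 3, "msg": "MT950 in", "amount": 0},
    {"seq": 4, "msg": "MT103 out", "amount": 81000000},
]

# Assumption: the verifier holds this key on a separate host; the logging
# host only needs it to produce tags, never to rewrite old entries.
KEY = b"demo-key-kept-off-the-logging-host"

GENESIS = "0" * 64  # tag assumed for "the entry before the first one"


def _entry_tag(prev_tag, record):
    """HMAC over (previous tag || canonical JSON of this record)."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def build_chain(records):
    """Append records in order, chaining each tag to the one before it."""
    chain = []
    prev = GENESIS
    for r in records:
        tag = _entry_tag(prev, r)
        chain.append({"record": dict(r), "tag": tag})
        prev = tag
    return chain


def verify_chain(chain):
    """Return a list of (index, reason) problems; an empty list means intact.

    Two independent checks run per entry: the sequence number must follow the
    previous one (catches deletions in the middle), and the tag must recompute
    from the previous tag and the stored record (catches edits and splices).
    """
    problems = []
    prev = GENESIS
    expected_seq = None
    for i, entry in enumerate(chain):
        r = entry["record"]
        if expected_seq is not None and r["seq"] != expected_seq:
            problems.append((i, f"sequence gap: expected {expected_seq}, got {r['seq']}"))
        if not hmac.compare_digest(_entry_tag(prev, r), entry["tag"]):
            problems.append((i, "tag mismatch: record altered or chain broken"))
        prev = entry["tag"]
        expected_seq = r["seq"] + 1
    return problems


def last_tag_matches(chain, anchored_tag):
    """Detect truncation from the end, which the chain alone cannot see.

    The collector is assumed to periodically record the newest tag it has
    received (the anchor); if the log on the host now ends earlier, the tags
    differ.
    """
    current = chain[-1]["tag"] if chain else GENESIS
    return hmac.compare_digest(current, anchored_tag)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact:", verify_chain(chain))
    wiped = build_chain(SAMPLE_RECORDS)
    wiped.pop(1)  # simulate one activity record being removed
    print("after removal:", verify_chain(wiped))
```

The in-chain checks catch a record removed from the middle or edited in place, but silently dropping the newest entries leaves a chain that still verifies; that is why the last tag has to be anchored somewhere the logging host cannot rewrite, and why forwarding logs off-host in near real time matters more than any check run on the host itself.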
Step 4: Go-time
The term 'hack' is actually misleading, as it implies a quick, 'bubble-gum' approach to solving problems. The SWIFT attacks are highly sophisticated, targeted attacks, absolutely customised to perform a very specific range of crafted tasks.
Successful attacks systematically map out weaknesses in systems, processes, technology, people and routines, and then exploit them. One could theorise that a multifaceted approach is best - multiple aligned tech attacks, targeting interrelated people, processes and systems. Be on the lookout for some 'red herrings' that create misinformation and misdirection - further increasing the chances of a successful score.
Step 5: Get away with it
This is the tricky part. Finding fellow nostras who can assist with laundering the spoils, and 'getting it disappeared' is new territory for law-abiding guys like me. I personally wouldn't know where to start looking for those 'contacts', save for asking the local pawnshop owner if he 'knows a guy'...
Step 6: Enjoy picking out your custom super-yacht
Ah, the deep blue yonder. And how nice it must be to enjoy sailing abroad, soaking up the sights and sounds of the brisk breeze on sharp, crisp sails. It sure beats swimming with the fishes if all goes wrong.
Jared van Ast is the founder and MD of 10dot Cloud Security. He is frustrated with diluted value propositions, and he loves to do things properly. He is suspicious by nature and habitually pragmatic. Focused on network security, 10dot works to lock up business networks and help them grow. With over 15 years' experience in the IT and ISP sectors, Van Ast is hell-bent on enabling companies to focus on core business.