Last week’s significant Internet-related news remains significant, and will remain so far into the future, but you sure wouldn’t know it looking at the reactions of politicians, news wonks and the general public. The big news? Since the end of 2013, an Internet-based organized crime cartel called the “Carbanak Gang” has stolen up to $1 billion from online banks.
Does that surprise you? It should. Does it shock you? It should, but it seems years of too much “hacker bad guy” news cause many eyes to glaze over and ears to go deaf every time a new “security breach” is announced. A million credit card accounts stolen here, 10 million passwords stolen there, the President forms a new commission, Congress holds hearings and things never seem to get better. Shock and concern have given way to apathy and avoidance.
What makes the $1 billion Carbanak heist different, though, is that the money was stolen directly from the banks, rather than bank customer accounts. Internet thieves have stolen many millions of dollars over the years, usually by tricking bank customers into giving up account names and passwords, either directly or by installing malware designed to steal them. This time around, the bad guys are targeting bank networks and, more specifically, bank employees. They’ve learned that bank employees can be tricked, too, but now, instead of giving up the password to a single account, the employee is giving up access to the entire vault.
Using classic phony email tactics, the bad guys learned the names of bank employees and their email addresses, things easily learned, usually from the bank’s website. A specially made email sporting official logos, lingo and employee names was then sent, and, if all went according to plan (which it all too often did), the employee would be tricked into clicking on a link in the email. This action installed a virus on the bank employee’s computer, giving the bad guys backdoor access to the bank’s entire network.
The crooks would then lurk around the network for weeks, even months, learning the bank’s internal network and workflow. They would carefully study which employees were responsible for performing certain duties, and at what time of day. When the time was right, the crooks would mimic the actions of those employees, changing figures and balances, causing online transfers of large sums of money, and even causing ATMs to spit out mountains of cash at predetermined times, to be hauled away in duffel bags by “mules” who were standing by.
Response from the banking community has been lukewarm at best. Some bankers have been quietly quoted as saying that it’s cheaper to simply pay for theft losses rather than implement stronger security controls. This seems to sit well with banking customers, whose losses are often covered by FDIC and other insurance plans. Even so, it should be noted that the FDIC protects depositors from losses only if hacking led to a bank failure. Realize also that, while consumers enjoy legal protections against unauthorized online transactions, businesses both great and small are not protected in this way.