Three hacks that broke the bank
Academy · 4 October 2018Anna Koutras · Rob Braileanu
When you think about a bank heist, cartoon-like images of armed robbers come to mind, but the reality couldn’t be any more different. Crime as we know it has changed and as the world became more digital, so did crime.
But don’t think for a second that we’re talking about the lone bedroom hacker, trying to get hold of your passwords. Cybercrime today is organised in crime syndicates, spanning across countries and continents, all relying on the power of technology and the internet to carry out heists.
And while cloning cards is still very much a threat, it almost feels like a scene from a ‘90s movie - that’s how quickly the landscape has changed. With ever more sophisticated ways to steal money, ‘gangs’ are now more professional and more adept at copying legitimate business structures, in order to maximise their results.
The financial industry is without a doubt one of the biggest targets for hackers today. Firstly because many banks still rely on legacy IT systems, which make them easy targets to begin with and secondly, it's because of the huge potential profits to criminal gangs.
And with little in the way of high-tech protection, several banks have already fallen victim to attacks. So, without pointing (too m)any fingers, let’s look at three of the most creative hacks that cyber-criminals use to gain access into the some of the world’s biggest financial institutions:
Hack #1: Angler Phishing Scam
The Angler Phishing scam targets banks and their customers via social media. It takes its name from the anglerfish that entices its prey with a glowing lure and then attacks! Much in the same way, fraudsters create fake social media accounts, posing as customer support agents in order to trick customers into divulging their confidential and sensitive information.
It’s even been reported that hackers have hijacked real conversations customers were having with genuine support staff, whereby they redirected them to fake support pages. The fraudster accounts and fake support pages look strikingly similar to the real social media profiles and login pages banks would use - but there the hackers wait - grabbing data when their victims enter their passwords, bank account details or any other sensitive information.
"This method of phishing is highly effective because your customers are already expecting a response from your brand. Unfortunately, Angler Phishing is part of a broader trend in social media fraud," said Proofpoint researchers. Most worryingly, according to Proofpoint is that social media phishing campaigns have had a 150% rise since 2016.
One top tip to remember is that all legitimate social media accounts belonging to banks should have the ‘blue tick’ which means that they’ve been verified as the real account and not an impostor! So make sure you look out for Revolut’s blue tick when following us on Twitter, Facebook and Instagram. And remember, we’ll never ask you for sensitive information such as your PIN numbers.
Hack #2: The “largely avoidable” bank hack
In November 2016, Tesco’s banking arm was breached in a cyber attack that affected 8261 customers. While security experts are still debating how the attack may have happened, it’s been claimed that hackers spotted weaknesses in the bank’s defence system months before the actual attack took place.
What's more, the attack took place over a weekend - a time when banks are generally known to react slower to online threats. Despite the bank having been warned about the cracks in it's security perimeter, it either simply wasn’t capable of dealing with a cyber-attack of this magnitude or it just didn’t foresee the potential scale of such an attack.
Just this week, the Financial Conduct Authority (FCA) fined Tesco’s Bank £16.4 million as it deemed the hack “largely avoidable.” Their report found that fraudsters managed to use what are thought to be genuine Tesco Bank card numbers, to make thousands of contactless transactions.
Hack #3: The SWIFT heist
Whether the criminals target employee or customer details, gain information about software and network perimeters, or discover information about business processes - their main goal is to gain a foothold in the network in order to steal funds and conceal any trace of how they did it.
SWIFT, the Brussels based interbank messaging system is used to facilitate the transfer of billions of dollars per day between more than 11, 000 financial institutions over 200 countries. It’s easy to see why criminals would flag it as a lucrative target.
In Nepal, criminals managed to use SWIFT to withdraw up to 4 million USD while the banks were closed for the holidays. The hack reportedly targeted the bank's Nostro accounts at Standard Chartered New York and Mashreq bank New York. Nostro accounts are used to facilitate foreign exchange transactions and trades between different banks. Fortunately they acted quickly and managed to trace a large amount of the funds.
Moving forwards
With countless other banks having lost money at the hands of highly organised criminal gangs - it’s evident that this problem isn’t going away anytime soon.
Rather than hiding incidents, banks need to be transparent so that they can learn from their mistakes, share knowledge and information about industry attacks, to create a greater awareness within the industry. Reports urge that working together is the only way to fight back against criminals who are advancing so quickly. Banks need to be aware of vulnerabilities in their web applications, increase network security, address server configuration flaws and react to problems with user account and password management software.
Ultimately the new ‘bank robbers’ aren’t drilling holes in sealed vaults anymore - hacking technology and social engineering are the weapons of choice these days. They’re the criminals you don’t even see until the money has already been taken and if banks are going to try and beat them at their own game, they’ve got to be smarter, faster and more transparent with each other than they’ve ever been.