Joker in the Pack: If Financial Systems Were Hacked

Recent attacks give a glimpse of the sort of cyber-assault that could bring the world economy to a halt. Better defences are needed
Jun 16 2016
<http://worldif.economist.com/article/12136/joker-pack>

This May Anonymous, a network of activists, briefly hacked into Greece’s central bank and warned in a YouTube message that: “Olympus will fall…This marks the start of a 30-day campaign against central-bank sites across the world.” The warning struck a raw nerve.

The financial system is little more than a set of promises between people and institutions. If these are no longer believed the whole house of cards will collapse and people will take their money and run. That happened in 2008 because of bad credit decisions; but the same could unfold via a sophisticated cyber-attack. Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure. If such systemic institutions were compromised, a panic similar to those in 2008 could quickly spread.

Cyber-attacks are rapidly growing, and financial services are a favoured target of thieves and people intent on causing chaos. The rise in attacks on individual banks, mostly to steal money or information or to shut down the system for the hell of it (often using so-called denial-of-service attacks), is worrying enough. But two recent attacks signal a move from simple “Bonnie and Clyde” crimes to a new “Ocean’s Eleven” sophistication.

In 2013 a raid by the Carbanak gang, named after the malware it used, was discovered when its “mules” were seen picking up cash that was apparently being randomly dispensed by ATMs in Kiev (a ruse known as ATM jackpotting, whereby criminals hack into a bank’s PCs and then send direct commands to the ATMs). The extent of the assault only gradually became clear: the final bill could be high. The largest sums were stolen by hacking into bank systems and manipulating account balances. For example, an account with $1,000 would be credited with an extra $9,000, then $9,000 would swiftly be transferred to an offshore account; the account holder would still have $1,000, so was unlikely to notice or panic. This messing with the numbers showed a new ability and ambition among cyber-criminals.

The second attack unfolded over a few days in February, when hackers stole $81m from the Central Bank of Bangladesh’s account at the Federal Reserve in New York, in a shockingly ambitious heist. More worrying than its scale was the fact that the raiders hijacked bank personnel’s access to SWIFT, a highly secure (or so it was thought) messaging system that connects 11,000 financial institutions and sends around 25m messages a day, helping to settle billions of dollars-worth of transactions. They then sent 35 false payment orders from Bangladesh Bank, via SWIFT, to the central bank’s account at the Fed.

Experts think it likely that several more such efforts remain to be discovered. A similar, smaller, one has come to light in which hackers tried to take $1m from a bank in Vietnam, in December. Banks are now looking at limiting the number of people who can access SWIFT, and SWIFT itself has raised the possibility of suspending banks with weak security controls.

These heists give a glimpse of what could lie ahead. Armageddon for banks could take the form of an attack prepared over several months and then carried out over a day or two of mayhem. In this scenario, the motive would be to cause maximum instability, something that worries regulators more than simple theft.

[snip]