Corporate bank accounts robbed of millions by Bonnie and Clyde hackers
By Andrew Conte
Published: Saturday, Nov. 2, 2013, 9:20 p.m.
The bank robbers drove around New York City for more than 10 hours, collecting some $2.4 million — from ATM machines. They posed for selfies with the cash.
But the real theft took place earlier, 7,800 miles away in India. Hackers cracked into a financial outsourcing company there, resetting software to allow unlimited withdrawals and clearing the way for robbers to withdraw $40 million from ATMs worldwide.
Because of the financial industry's global electronic networks, even the most secure institutions are as strong only as their weakest international computer links. More than a decade since many banks started moving call centers and information technology operations overseas, experts express serious security concerns.
A tech-savvy Bonnie or Clyde can log into a bank's computer systems from a distant country where the chances of getting caught are remote.
“They're stealing hundreds of millions of dollars,” said Shirley Inscoe, senior analyst for Aite Group, a Boston-based financial technology company.
Computer criminals this year will take a half-billion dollars from corporate bank accounts, Aite estimates, with malware designed to steal passcodes and massive denial-of-service attacks to distract IT workers.
Cybersecurity experts are more concerned about terrorists who probe the same channels with the goal of crippling financial markets.
RSA, a cybersecurity company in Bedford, Mass., reports it blocked Russian-speaking hackers from a theft last year targeting 30 U.S. banks by recruiting 100 so-called botmasters controlling thousands of corrupted computers to overwhelm financial systems, all at once or during a natural disaster or other crisis.
“If I was sitting in some Middle Eastern country trying to figure this out, I would wait for some natural event like a Superstorm Sandy, and then do it and cause some real chaos,” said Chip Tsantes, head of information security in Ernst & Young's Financial Services Office in Washington.
Banks generally have the ability to stop a sudden, massive attack and restore customer accounts, but they remain susceptible to attackers who infiltrate below detection limits, said Shane Shook, chief knowledge officer of Cylance, a cybersecurity company in Irvine, Calif.
A patient enemy might conduct surveillance while mapping paths for a so-called “logic bomb” that would quickly wipe out bank records. Or hackers could employ the so-called “Superman III effect” — named for the villain's actions in the 1983 blockbuster movie — stealing amounts so small that they go undetected, but making many transactions that add up.
In that way, stolen money becomes a weapon, Shook said.
“The global financial market is networked in ways that no other industry is,” he said. “Because of that, there's a very real risk, or danger at least, of terrorist activity dramatically impacting economic stability.”
Most large financial firms have been battle-tested by waves of recent computer attacks, said Karl Schimmeck, vice president of financial services operations for the Securities Industry and Financial Markets Association in New York. Hackers linked to Iran overwhelmed online services at large banks such as PNC during the past year.
“The financial services industry is a big part of the U.S. economy and ... we almost become a proxy target for the United States in general,” Schimmeck said. “If a country would want to do something, they would do it against us.”
India's track record
Global outliers have toughened up their online defenses, too, experts say. India is seeking recognition from the European Union as a “data-secure nation,” and its financial contractors have worked with the government to minimize security breaches, said Aprajita Saxena, a spokeswoman for the National Association of Software and Services Companies in New Delhi.
“The Indian government has always been at the forefront of implementing and ensuring stringent security measures with regards to the data and cybersecurity,” she said.
Yet thefts at ATM machines in February were among several recent incidents involving Indian financial outsourcers.
British regulators are investigating whether a Royal Bank of Scotland worker in India inadvertently cut off customer access to online bank accounts last summer. New York state banking regulators and U.S. senators have questioned outsourcing to India.
Financial crime training in India needs to improve and employee turnover “presents a high financial crime risk,” the U.K.'s Financial Conduct Authority warned this year.
BNY Mellon, which has a large Pittsburgh presence, employs more than 8,000 in India, and its Pershing subsidiary bills itself as the world's largest outsourcing provider. Spokesman Ron Gruendl said BNY Mellon has not outsourced its operations; it added 75 IT positions this year to the 1,225 in Pittsburgh and added 870 tech workers internationally.
The public has few tools for assessing the danger to banks because the institutions typically keep breaches as quiet as possible.
Consumers found out about the ATM heists only when the U.S. Attorney's Office in Manhattan announced the arrest of seven low-level members of the enterprise in May. German authorities revealed the next day they had arrested two Dutch suspects earlier.
So far, everyone else linked to a hacking operation that involved 36,000 ATM transactions across 24 countries remains at large.
Overseas escapes and lack of jurisdiction or cooperation are common problems in bringing hackers to justice, cyber-sleuths said.
When New Jersey federal prosecutors announced charges in June in a case against eight people for hacking into bank computers to steal $15 million, the ringleaders in Ukraine remained at large.
Response ‘not sufficient'
U.S. companies that outsource work must absorb that contractor's security practices — even if they are lax and beyond its control, Verizon warns in its annual Data Breach Investigations Report. Almost all data breaches come from the outside, involve computer hacking and take weeks or longer for the victims to discover, it says.
The fog around a bank computer attack can be dense within a victimized company where administrators rarely grasp the scope of the problem, said Paul Kaminski, chair of the Pentagon's Defense Science Board and a senior advisor to the Director of National Intelligence. He continues to warn that critical industries, including banks, remain unprepared to defend themselves from hackers.
“The more time I spend on this, the more concerned I am about the problem,” Kaminski told the Trib. “The rate of response by our nation is not sufficient to deal with the scope of the problem.”
From the inside, banks shift strategies to respond to different types of computer attacks. The Federal Reserve and five other U.S. financial regulators formed a cybersecurity working group in June.
Until recently, banks focused primarily on theft prevention. That problem continues to grow; Aite predicts losses from corporate bank accounts will double over five years to $800 million in 2016. Unlike individual accounts, corporate accounts are not typically insured.
Crime is only one threat, said Tsantes with Ernst & Young, which warns that bank attacks are occurring more frequently and becoming more refined.
Some foreign countries try stealing business secrets; others are bent on destruction. Hacktivists look for trophies — such as a CEO's email account — to cause embarrassment.
Low-level hackers suffered recent setbacks. Federal authorities made multiple arrests, charging people with conducting computer attacks on behalf of the group Anonymous and black-market operators on the secret Web called Tor, for The Onion Router.
The Tribune-Review reported as part of this “Cyber Rattling” series in June about criminals operating freely and anonymously online, trafficking in not only drugs but stolen bank information and basic hacking tools.
Since the FBI last month apprehended the man behind the best-known illegal drug market, Silk Road, many other hidden websites offering illegal goods have been dismantled.
Tsantes and other experts say sophisticated computer attackers are lurking.
“The ability of the threat actors to change tactics as the bank puts in countermeasures … has increased dramatically,” Tsantes said. “The sophistication of these attacks and the velocity of attacks has increased.”
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- South Fayette parents express dissatisfaction with handling of bullying
- South Fayette mother wants case against bullied son to be dropped
- Obama hopes to replicate CCAC job training efforts across United States
- Legal experts question prosecuting South Fayette boy for recording bullies
- Would-be drillers quizzed by Allegheny County Council committee
- District attorney’s office takes paperwork from Wilkinsburg Middle School
- Crisis nursery in Larimer will fill a need, founders believe
- Moon school hiring under fire
- Ex-detective picked for Pittsburgh’s Citizen Police Review Board
- Leader guided changes at Robert Morris
- Foundations team to make offer for August Wilson Center