The unscrupulous activities
of daredevil hackers who have made Automated Teller Machines (ATMs) easy
targets in recent times pose a lot of danger to banks across the
country, reports Ibrahim Apekhade Yusuf
In every age and time, technological
advancement has always been a double-edged sword-offering one solution
at a time as well as introducing, if you may, problem(s) with it. This
is sadly the case of the Automated Teller Machines (ATM) which has
become a nightmare of sort to banks across the globe because of the
myriads of attacks by cyber fraudsters.
When ATM first came into the scene few
years ago, they were generally thought to be impregnable but events have
since proved otherwise as they have come under ferocious attacks in the
past and it does appear that this ugly trend will continue for much
longer.
Last week, the news media was awash with
reports of some syndicate who invaded some banks’ ATMs across Lagos
metropolis and other cities across the country, destroying several ATM
facilities and subsequently made away with undisclosed cash in the
process.
Commenting on this development, Richard
Aloysius, a staff of a new generation bank, said this is certainly bad
news for banks. “For banks and depositors alike, this is obviously not
cheery news and for the growing level of unbanked population, such sad
news would further serve to make them a lot more disinterested in owning
bank accounts whether now or in the future.”
Echoing similar sentiments in a chat
with a cross-section of security experts in Lagos, they told The Nation
that cyber crimes, especially ATM-related frauds, were rampant these
days and should be curbed before it further escalates.
While adducing reasons for the upsurge
in ATM-related fraud, Andrew Ojei, an ICT expert in Ikeja, said ATMs
have become easy targets because they are thought to be easy way of
breaking into banks’ vaults these days, whether in Nigeria or abroad.
“ATM frauds are not peculiar to Nigeria.
It’s even much worse overseas, especially judging by the spate of
attacks and burglary in the last few weeks,” Ojei observed.
Ojei, who recalled that he once
consulted for a new generation bank to build their ICT infrastructure,
said not many banks are investing enough in the area of ICT security, a
development, he said, is counterproductive.
Particularly disheartening, Ojei noted,
is the several unreported cases of ATM-related frauds in the country.
“Most of the banks affected have been maintaining a rather mute
indifference,” he said somewhat regrettably.
“You have a situation where some of the
banks deliberately compromise their ICT security and this is usually to
the detriment of the bank on the long run because if hackers come
calling mostly unannounced, such a bank would be a mince meat for them,
no more no less,” he said matter-of-factly.
In the view of Bambgoye Dehinde, a
Microsoft certified expert, he is worried that the outlook is really
gloomy for the country where inertia has assumed a national culture of
some sort.
“Unlike what other advanced countries
are doing and will continue to do to nip the activities of these
hydra-monsters in check, we in Nigeria, it does appear, are not doing
enough in that regard and this is of serious concern.”
CBN directive on ATM security
Perhaps, this is why the apex bank had
in March last year ordered all Deposit Money Banks to install
anti-skimming devices on their ATMs on or before June 1, 2014, following
the alarming rate of ATM-related frauds across the country.
The CBN had warned at the time that
failure to do so would attract severe penalties as it would invoke
appropriate sanctions for non-compliance in line with the regulations
guiding ATM security.
The directive was contained in a
circular dated March 5, 2014, which read in part, “The CBN has observed
with satisfaction the growth in the adoption of ATMs by Nigerians as one
of the channels of e-payment. The bank is, therefore, committed to
ensuring that the deployment and management of ATMs are in line with
global best practices.
“However, we have observed with dismay
the upward increase in the number of ATM-related frauds in the banking
system. This development does not portend good news for the industry and
requires urgent steps to curb the abuse.
“Consequently, in addition to the
existing guidelines on card-related frauds and in order to guard against
card-skimming at ATM channels across the country, all DMBs are hereby
mandated to comply with the provisions of Section 3.2 ATM operations and
Section 3.4 ATM security of the Standards and Guidelines on ATM
operations in Nigeria, and also install risk-mitigating devices on their
ATM terminals on or before June 1, 2014.”
However, when The Nation placed a call
to Ibrahim Muazu, spokesman of the apex bank, to ascertain the degree of
compliance with the CBN directive on security precautions against
ATM-related frauds at the bank, he neither returned his calls nor
responded to the text messages.
A staff of the CBN who asked not to be
named, as he was not authorised to speak on behalf of the CBN, however,
volunteered that a lot was being done by the CBN to whip erring banks
into order.
Nigeria not alone
Worrisome as ATM hacking is to Nigerians, it is equally a very troubling phenomenon abroad.
Only last month, a gang of computer
hackers was believed to have stolen tens of millions of pounds from UK
banks by ordering ATM machines to dispense cash at pre-determined times –
even without a bank card. It is unknown which banks have been targeted,
and the scale of losses to British banks has not been disclosed.
The computer scam was so sophisticated
that the gang, known as Carbanak, was apparently able to order ATM
machines to dispense cash at pre-determined times – even without a bank
card.
The massive theft was part of a bold
£650million raid, meticulously orchestrated over the past two years, on
more than 100 financial institutions around the world.
Attacks by the gang, thought to be based
in Russia but with members in Ukraine and China, are feared to be
continuing, despite being investigated by Interpol and international
authorities.
Internet Corporation for Assigned Names
and Numbers (ICANN), the internet regulator that manages the global
top-level domain system (TLDs), last week joined a long list of major
global companies that have been compromised by cyber hackers this year.
The attack affected vital systems belonging to ICANN and accessed the
system that manages the files with data on resolving specific domain
names.
ICANN said it is investigating a recent
intrusion into its systems and believed a “spear phishing” attack was
initiated in late November 2014 involving email messages that were
crafted to appear to come from its own domain being sent to members of
its staff. The attack resulted in the compromise of the email
credentials of several ICANN staff members.
A statement from ICANN said, “In early
December 2014, it discovered that the compromised credentials were used
to access other ICANN systems besides email such as Centralised Zone
Data System (czds.icann.org); ICANN GAC Wiki (gacweb.icann.org); ICANN
Blog (blog.icann.org) and ICANN WHOIS (whois.icann.org) information
portal. No impact was found to either of these systems.”
ICANN joins a long list of global
companies including European Central Bank, CNN, Sony Pictures
Entertainment, eBay, Twitter, Skype, Snap chat, iCloud, Linux OpenSUSE,
Forbes, Tesco, German Aerospace Centre, KT Corp, AOL Mail, Bangalore
City Police, 4Chan, Avast, Israeli defence contractors, Sony Play
station Network, Home depot, Infected ATMs, United States Postal
Services, Drop box, Snapsaved, etc.
Modus operandi
The cyber-criminals would pull off a raid by first gaining entry into a bank employee’s computer.
They did this by sending
authentic-looking emails that unsuspecting recipients then clicked on,
inadvertently infecting the bank’s machines with Carbanak malware – a
technique known as ‘spear phishing’.
Hackers were then able to infiltrate the internal network and track down administrators’ computers for video surveillance.
This allowed them to see and record
everything that happened on the screens of staff who serviced the cash
transfer systems, which meant the fraudsters got to know and could mimic
every last detail of bank clerks’ work.
The cyber-criminals were able to hack
into a bank employee’s computer, allowing them to record everything
happening on-screen and then mimic workers online to transfer money into
dummy accounts.
They used this information to
impersonate bank staff online, in order to electronically transfer tens
of millions of pounds from the bank into dummy accounts.
On average, each robbery took between
two and four months, from infecting the first computer at the bank’s
corporate network to making off with the money. Another method used was
where the criminals would gain access to someone’s account and inflate
the balance many times over before transferring the cash.
The raids, which date back to 2013, were
finally detected by Russian cyber security firm Kaspersky Lab, after a
Ukrainian ATM was found to be giving out notes at random times – when no
one had put in a card or touched a button.
The scale of the crime was global, with
banks in the US, China, Russia and Europe targeted. Security experts are
trying to identify the banks hit but say customers, such as this man,
have not been affected… Security cameras showed how money would be
picked up by customers who appeared to be in the right place at the
right time.
Kaspersky’s principal security
researcher Vicente Diaz said the theft was unusual as it targeted banks
directly, rather than individuals’ bank accounts, and that the hackers
seemed to set their limit to around £10million before moving onto
another bank.
‘In this case, they are not interested in information. They’re only interested in the money,’ Mr Diaz said.
‘They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.’
A spokesman for the firm added: ‘The
Carbanak criminal gang used techniques drawn from the arsenal of
targeted attacks. The plot marks the beginning of a new stage in the
evolution of cyber-criminal activity, where malicious users steal money
directly from banks, and avoid targeting end users.’
The scale of the crime was global, with
banks in the US, China, Russia and Europe targeted, and the attackers
thought to be expanding throughout Asia, the Middle East and Africa.
In one case, an unnamed bank lost
$7.3million (around £4.7million) through ATM fraud. Another financial
institution lost $10million (around £6.5million) after the attackers
exploited its online banking platform.
Kaspersky has not identified the banks
hit by the scam, and is still working with law-enforcement agencies to
investigate the attacks, which the company says are ongoing.
Losses to UK banks have not yet been disclosed, but are thought to run into tens of millions of pounds.
However, as the scam targets institutions rather than individuals, customers’ accounts have not been affected.
Despite the fact the fraud has been
uncovered, it is feared that banks could be hit again, as once installed
the malware can operate almost independently of the gang and is
difficult to detect.
Sergey Golovanov, principal security researcher at Kaspersky Lab, said: ‘It was a very slick and professional cyber-robbery’.
They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.
US authorities are putting an increasing
focus on cyber security in the wake of numerous data breaches of
companies ranging from mass retailers like Target and Home Depot to Sony
Pictures Entertainment and health insurer, Anthem.
The White House wants Congress to
replace the existing patchwork of state laws with a national standard
giving companies 30 days to notify consumers if their personal
information has been compromised.
Timelines of major cyber attacks worldwide
Timelines of major cyber attacks showed
that on January 1, 2014, Skype’s Twitter account, Facebook page and
blogs were hacked into to protest the NSA surveillance resulting in the
leak of contact information of its outgoing CEO, Steve Ballmer.
On January 2, hackers going by the name Snapchat DB posted usernames and phone numbers of 4.6 million Snapchat users.
On January 7, hackers going by the name
H4x0r HuSsy hacked into the official forums of Linux distro OpenSUSE
defacing it and compromising account details of 79,500 registered users.
Again, on January 24, Syrian Electronic Army attacked many accounts
belonging to CNN such as CNN’s Facebook page and Twitter account, along
with several CNN Blogs; January 26 saw hackers defacing 2,618 Indian
websites; February 2, computer networks of three major medical device
makers were breached by suspected China-based hackers and February 14,
websites of Forbes and Tesco and email accounts were.
Tesco stated that around 2,200 of its
accounts were compromised. March 6, KT Corp, South Korea’s largest
telecom service provider, was breached by hackers who accessed bank
details, employment information and home addresses of around 16 million
customers.
April 15, Germany’s Aerospace centre
based in Cologne was attacked by hackers. The Trojans were so advanced
that they would self destruct if detected. April 15, eBay said that
hackers raided its network, accessing some 145 million users’ records,
leaking names, email addresses, home addresses, phone numbers and date
of birth.
April 19, Pakistani hackers attacked BJP
websites of Bihar and LK Advani’s personal website and that of the
Bangalore City Police. April 22, AOL Mail was hacked into and genuine
user accounts were used to send spam messages. Around 50 million users
were urged to change their passwords. April 30, 4chan, the image-based
message board was hacked into. The hacker had gained access to the
administrative functions due to software vulnerability.
On May 25, Avast’s security forum was
hacked into, culminating in the release of details such as hashed
passwords, usernames and email addresses of about 400,000 people. June
10, names, addresses, social security numbers of Twitter staff members
were leaked on the internet. On June 11, Twitter was overrun by a worm,
which makes users tweet a self-propagating code. Due to this 84,700
users tweet the same message at the same time, thereby reaching a
millions of followers.
June 16, Evernote’s forum was hacked and
company sent an email to around 164,600 members to change their
passwords. Compromised data comprises profile details, password hashes,
email addresses and birth dates. July 24, European Central Bank website
hacked and personal information of employees and customers stolen.
Hacker claimed to have a database of 20,000 email addresses, telephone
numbers, and addresses of people who had registered for an ECB
conference.
July 28, Israeli defence contractors
responsible for the ‘Iron Dome’ missile shield, were hacked. The targets
namely Elisra Group, Israel Aerospace Industries and Rafael Advanced
Defence Systems were attacked and sensitive security documents
pertaining to the Iron Dome were robbed. July 30, Tor Project, which
allows one to surf anonymously protecting your location as well as
browsing habits, was hacked.
August 24, hackers going by the name
Lizard Squad hack into Sony’s PlayStation Network using DDoS attacks
making the plane carrying Sony Online Entertainment president John
Smedley to be diverted after posting through their twitter account that
the American Airlines flight had explosives on board.
August 31, the iCloud accounts of
several Hollywood celebs were hacked and nude photographs were released
online. It first appeared on image-message board 4han and was later
propagated via Reddit communities. September 2, US departmental store
Home Depot payment systems were compromised by hackers across 2,200
stores in the US and Canada compromising 56 million debit and credit
cards details.
October 7, Popular cloud sharing
service, Dropbox, was attacked by hackers, who exploited third-party
apps resulting in close to seven million accounts being compromised.
October 9, Snapsaved, a third party application that lets users save
Snapchat images and videos, was hacked leading to a 13GB dump of stolen
images and videos surfacing online.
November 10, hackers exposed personal
details including names, addresses and social security numbers of
600,000 USPS employees along with high profile customers. November 24,
2014, Sony Pictures Entertainment was hacked by the hacker group
Guardians of Peace exposing personal details of film celebs and staff.
Coming nearer home, report had it that
the ICT security network of some banks in Nigeria were attacked by some
hackers but not much later heard of the banks as the affected banks
maintained sealed lips for fear of raising anguish of its customers who
might get panicky.
Interpol to the rescue
Meanwhile, Sanjay Virmani, director of
the Interpol Digital Crime Centre, said: ‘These attacks again underline
the fact that criminals will exploit any vulnerability in any system,”
adding that “the scale of the crime was global.”
The Financial Services Information
Sharing and Analysis Centre, a non-profit organisation that alerts banks
about hacking activity, said in a statement that its members received a
briefing about the report in January.
“We cannot comment on individual actions
our members have taken, but on the balance we believe our members are
taking appropriate actions to prevent and detect these kinds of attacks
and minimise any effects on their customers,” the organisation said.
“The report that Russian banks were the
primary victims of these attacks may be a significant change in
targeting strategy by Russian-speaking cyber-criminals.”
