The unscrupulous activities
of daredevil hackers who have made Automated Teller Machines (ATMs) easy
targets in recent times pose a lot of danger to banks across the
country, reports Ibrahim Apekhade Yusuf.
In every age and time, technological
advancement has always been a double-edged sword, offering one solution
at a time while introducing, if you will, problems with it. This
is sadly the case with Automated Teller Machines (ATMs), which have
become a nightmare of sorts for banks across the globe because of the
myriad attacks by cyber fraudsters.
When ATMs first came onto the scene a few
years ago, they were generally thought to be impregnable, but events have
since proved otherwise, as they have come under ferocious attacks in the
past and it does appear that this ugly trend will continue for much
longer.
Last week, the news media was awash with
reports of a syndicate that invaded some banks’ ATMs across Lagos
metropolis and other cities across the country, destroying several ATM
facilities and subsequently making away with an undisclosed amount of cash in the
process.
Commenting on this development, Richard
Aloysius, a staff member of a new generation bank, said this is certainly bad
news for banks. “For banks and depositors alike, this is obviously not
cheery news and for the growing level of unbanked population, such sad
news would further serve to make them a lot more disinterested in owning
bank accounts whether now or in the future.”
Echoing similar sentiments, a cross-section
of security experts in Lagos told The Nation in a chat
that cyber crimes, especially ATM-related frauds, were rampant these
days and should be curbed before they escalate further.
While adducing reasons for the upsurge
in ATM-related fraud, Andrew Ojei, an ICT expert in Ikeja, said ATMs
have become easy targets because they are thought to be an easy way of
breaking into banks’ vaults these days, whether in Nigeria or abroad.
“ATM frauds are not peculiar to Nigeria.
It’s even much worse overseas, especially judging by the spate of
attacks and burglary in the last few weeks,” Ojei observed.
Ojei, who recalled that he once
consulted for a new generation bank to build their ICT infrastructure,
said not many banks are investing enough in the area of ICT security, a
development he said is counterproductive.
Particularly disheartening, Ojei noted,
are the several unreported cases of ATM-related frauds in the country.
“Most of the banks affected have been maintaining a rather mute
indifference,” he said somewhat regrettably.
“You have a situation where some of the
banks deliberately compromise their ICT security and this is usually to
the detriment of the bank in the long run because if hackers come
calling mostly unannounced, such a bank would be mincemeat for them,
no more no less,” he said matter-of-factly.
Bambgoye Dehinde, a
Microsoft certified expert, is worried that the outlook is really
gloomy for the country, where inertia has assumed the status of a national culture of
some sort.
“Unlike what other advanced countries
are doing and will continue to do to nip the activities of these
hydra-monsters in check, we in Nigeria, it does appear, are not doing
enough in that regard and this is of serious concern.”
CBN directive on ATM security
Perhaps, this is why the apex bank had
in March last year ordered all Deposit Money Banks to install
anti-skimming devices on their ATMs on or before June 1, 2014, following
the alarming rate of ATM-related frauds across the country.
The CBN had warned at the time that
failure to do so would attract severe penalties as it would invoke
appropriate sanctions for non-compliance in line with the regulations
guiding ATM security.
The directive was contained in a
circular dated March 5, 2014, which read in part, “The CBN has observed
with satisfaction the growth in the adoption of ATMs by Nigerians as one
of the channels of e-payment. The bank is, therefore, committed to
ensuring that the deployment and management of ATMs are in line with
global best practices.
“However, we have observed with dismay
the upward increase in the number of ATM-related frauds in the banking
system. This development does not portend good news for the industry and
requires urgent steps to curb the abuse.
“Consequently, in addition to the
existing guidelines on card-related frauds and in order to guard against
card-skimming at ATM channels across the country, all DMBs are hereby
mandated to comply with the provisions of Section 3.2 ATM operations and
Section 3.4 ATM security of the Standards and Guidelines on ATM
operations in Nigeria, and also install risk-mitigating devices on their
ATM terminals on or before June 1, 2014.”
However, when The Nation placed a call
to Ibrahim Muazu, spokesman of the apex bank, to ascertain the degree of
compliance with the CBN directive on security precautions against
ATM-related frauds at the bank, he neither returned the calls nor
responded to the text messages.
A staff member of the CBN who asked not to be
named, as he was not authorised to speak on behalf of the CBN, however,
volunteered that a lot was being done by the CBN to whip erring banks
into order.
Nigeria not alone
Worrisome as ATM hacking is to Nigerians, it is equally a very troubling phenomenon abroad.
Only last month, a gang of computer
hackers was believed to have stolen tens of millions of pounds from UK
banks by ordering ATM machines to dispense cash at pre-determined times –
even without a bank card. It is unknown which banks have been targeted,
and the scale of losses to British banks has not been disclosed.
The computer scam was so sophisticated
that the gang, known as Carbanak, was apparently able to order ATM
machines to dispense cash at pre-determined times – even without a bank
card.
The massive theft was part of a bold
£650million raid, meticulously orchestrated over the past two years, on
more than 100 financial institutions around the world.
Attacks by the gang, thought to be based
in Russia but with members in Ukraine and China, are feared to be
continuing, despite being investigated by Interpol and international
authorities.
Internet Corporation for Assigned Names
and Numbers (ICANN), the internet regulator that manages the global
top-level domain system (TLDs), last week joined a long list of major
global companies that have been compromised by cyber hackers this year.
The attack affected vital systems belonging to ICANN and accessed the
system that manages the files with data on resolving specific domain
names.
ICANN said it is investigating a recent
intrusion into its systems and believed a “spear phishing” attack was
initiated in late November 2014 involving email messages that were
crafted to appear to come from its own domain being sent to members of
its staff. The attack resulted in the compromise of the email
credentials of several ICANN staff members.
A statement from ICANN said, “In early
December 2014, it discovered that the compromised credentials were used
to access other ICANN systems besides email such as Centralised Zone
Data System (czds.icann.org); ICANN GAC Wiki (gacweb.icann.org); ICANN
Blog (blog.icann.org) and ICANN WHOIS (whois.icann.org) information
portal. No impact was found to either of these systems.”
ICANN joins a long list of global
companies including European Central Bank, CNN, Sony Pictures
Entertainment, eBay, Twitter, Skype, Snapchat, iCloud, Linux OpenSUSE,
Forbes, Tesco, German Aerospace Centre, KT Corp, AOL Mail, Bangalore
City Police, 4Chan, Avast, Israeli defence contractors, Sony PlayStation
Network, Home Depot, Infected ATMs, United States Postal
Services, Dropbox, Snapsaved, etc.
Modus operandi
The cyber-criminals would pull off a raid by first gaining entry into a bank employee’s computer.
They did this by sending
authentic-looking emails that unsuspecting recipients then clicked on,
inadvertently infecting the bank’s machines with Carbanak malware – a
technique known as ‘spear phishing’.
Hackers were then able to infiltrate the internal network and track down administrators’ computers for video surveillance.
This allowed them to see and record
everything that happened on the screens of staff who serviced the cash
transfer systems, which meant the fraudsters got to know and could mimic
every last detail of bank clerks’ work.
The cyber-criminals were able to hack
into a bank employee’s computer, allowing them to record everything
happening on-screen and then mimic workers online to transfer money into
dummy accounts.
They used this information to
impersonate bank staff online, in order to electronically transfer tens
of millions of pounds from the bank into dummy accounts.
On average, each robbery took between
two and four months, from infecting the first computer at the bank’s
corporate network to making off with the money. Another method used was
where the criminals would gain access to someone’s account and inflate
the balance many times over before transferring the cash.
The raids, which date back to 2013, were
finally detected by Russian cyber security firm Kaspersky Lab, after a
Ukrainian ATM was found to be giving out notes at random times – when no
one had put in a card or touched a button.
The scale of the crime was global, with
banks in the US, China, Russia and Europe targeted. Security experts are
trying to identify the banks hit but say customers
have not been affected. Security cameras showed how money would be
picked up by customers who appeared to be in the right place at the
right time.
Kaspersky’s principal security
researcher Vicente Diaz said the theft was unusual as it targeted banks
directly, rather than individuals’ bank accounts, and that the hackers
seemed to set their limit to around £10million before moving onto
another bank.
‘In this case, they are not interested in information. They’re only interested in the money,’ Mr Diaz said.
‘They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.’
A spokesman for the firm added: ‘The
Carbanak criminal gang used techniques drawn from the arsenal of
targeted attacks. The plot marks the beginning of a new stage in the
evolution of cyber-criminal activity, where malicious users steal money
directly from banks, and avoid targeting end users.’
The scale of the crime was global, with
banks in the US, China, Russia and Europe targeted, and the attackers
thought to be expanding throughout Asia, the Middle East and Africa.
In one case, an unnamed bank lost
$7.3million (around £4.7million) through ATM fraud. Another financial
institution lost $10million (around £6.5million) after the attackers
exploited its online banking platform.
Kaspersky has not identified the banks
hit by the scam, and is still working with law-enforcement agencies to
investigate the attacks, which the company says are ongoing.
Losses to UK banks have not yet been disclosed, but are thought to run into tens of millions of pounds.
However, as the scam targets institutions rather than individuals, customers’ accounts have not been affected.
Despite the fact the fraud has been
uncovered, it is feared that banks could be hit again, as once installed
the malware can operate almost independently of the gang and is
difficult to detect.
Sergey Golovanov, principal security researcher at Kaspersky Lab, said: ‘It was a very slick and professional cyber-robbery’.
US authorities are putting an increasing
focus on cyber security in the wake of numerous data breaches of
companies ranging from mass retailers like Target and Home Depot to Sony
Pictures Entertainment and health insurer Anthem.
The White House wants Congress to
replace the existing patchwork of state laws with a national standard
giving companies 30 days to notify consumers if their personal
information has been compromised.
Timelines of major cyber attacks worldwide
Timelines of major cyber attacks showed
that on January 1, 2014, Skype’s Twitter account, Facebook page and
blogs were hacked into to protest the NSA surveillance resulting in the
leak of contact information of its outgoing CEO, Steve Ballmer.
On January 2, hackers going by the name Snapchat DB posted usernames and phone numbers of 4.6 million Snapchat users.
On January 7, hackers going by the name
H4x0r HuSsy hacked into the official forums of Linux distro OpenSUSE
defacing it and compromising account details of 79,500 registered users.
Again, on January 24, the Syrian Electronic Army attacked many accounts
belonging to CNN such as CNN’s Facebook page and Twitter account, along
with several CNN Blogs; January 26 saw hackers defacing 2,618 Indian
websites; February 2, computer networks of three major medical device
makers were breached by suspected China-based hackers and February 14,
websites of Forbes and Tesco and email accounts were.
Tesco stated that around 2,200 of its
accounts were compromised. March 6, KT Corp, South Korea’s largest
telecom service provider, was breached by hackers who accessed bank
details, employment information and home addresses of around 16 million
customers.
April 15, Germany’s Aerospace centre
based in Cologne was attacked by hackers. The Trojans were so advanced
that they would self-destruct if detected. April 15, eBay said that
hackers raided its network, accessing some 145 million users’ records,
leaking names, email addresses, home addresses, phone numbers and date
of birth.
April 19, Pakistani hackers attacked BJP
websites of Bihar and LK Advani’s personal website and that of the
Bangalore City Police. April 22, AOL Mail was hacked into and genuine
user accounts were used to send spam messages. Around 50 million users
were urged to change their passwords. April 30, 4chan, the image-based
message board was hacked into. The hacker had gained access to the
administrative functions due to a software vulnerability.
On May 25, Avast’s security forum was
hacked into, culminating in the release of details such as hashed
passwords, usernames and email addresses of about 400,000 people. June
10, names, addresses, social security numbers of Twitter staff members
were leaked on the internet. On June 11, Twitter was overrun by a worm,
which made users tweet self-propagating code. Due to this, 84,700
users tweeted the same message at the same time, thereby reaching
millions of followers.
June 16, Evernote’s forum was hacked and
the company sent an email to around 164,600 members to change their
passwords. Compromised data comprised profile details, password hashes,
email addresses and birth dates. July 24, the European Central Bank website
was hacked and personal information of employees and customers stolen.
The hacker claimed to have a database of 20,000 email addresses, telephone
numbers, and addresses of people who had registered for an ECB
conference.
July 28, Israeli defence contractors
responsible for the ‘Iron Dome’ missile shield were hacked. The targets,
namely Elisra Group, Israel Aerospace Industries and Rafael Advanced
Defence Systems, were attacked and sensitive security documents
pertaining to the Iron Dome were stolen. July 30, Tor Project, which
allows users to surf anonymously, protecting their location as well as
browsing habits, was hacked.
August 24, hackers going by the name
Lizard Squad hacked into Sony’s PlayStation Network using DDoS attacks
and caused the plane carrying Sony Online Entertainment president John
Smedley to be diverted after posting through their Twitter account that
the American Airlines flight had explosives on board.
August 31, the iCloud accounts of
several Hollywood celebs were hacked and nude photographs were released
online. They first appeared on image-message board 4chan and were later
propagated via Reddit communities. September 2, the payment systems of US
department store Home Depot were compromised by hackers across 2,200
stores in the US and Canada, compromising 56 million debit and credit
card details.
October 7, popular cloud sharing
service, Dropbox, was attacked by hackers, who exploited third-party
apps resulting in close to seven million accounts being compromised.
October 9, Snapsaved, a third party application that lets users save
Snapchat images and videos, was hacked leading to a 13GB dump of stolen
images and videos surfacing online.
November 10, hackers exposed personal
details including names, addresses and social security numbers of
600,000 USPS employees along with high profile customers. November 24,
2014, Sony Pictures Entertainment was hacked by the hacker group
Guardians of Peace exposing personal details of film celebs and staff.
Coming nearer home, reports had it that
the ICT security networks of some banks in Nigeria were attacked by
hackers, but not much was later heard from the banks, as the affected banks
maintained sealed lips for fear of raising anguish among their customers, who
might get panicky.
Interpol to the rescue
Meanwhile, Sanjay Virmani, director of
the Interpol Digital Crime Centre, said: “These attacks again underline
the fact that criminals will exploit any vulnerability in any system,”
adding that “the scale of the crime was global.”
The Financial Services Information
Sharing and Analysis Centre, a non-profit organisation that alerts banks
about hacking activity, said in a statement that its members received a
briefing about the report in January.
“We cannot comment on individual actions
our members have taken, but on the balance we believe our members are
taking appropriate actions to prevent and detect these kinds of attacks
and minimise any effects on their customers,” the organisation said.
“The report that Russian banks were the
primary victims of these attacks may be a significant change in
targeting strategy by Russian-speaking cyber-criminals.”