Access Risk Management Blog | Courion
What comes to mind when you think of a bank robbery? Is it a couple of thugs dressed in black with ski masks handing a bank teller a handwritten note, or is it a Bonnie and Clyde couple holding a bank president hostage with tommy guns and a nearby getaway car?
It’s unlikely that the first image your mind conjures is that of a global network of hackers executing a coordinated plan that includes withdrawals totaling more than $45 million from ATMs in 27 countries, but increasingly, the face of crime is hidden in the digits of the data all around us in our everyday lives.
On May 9th, the U.S. Attorney’s Office in Brooklyn, New York went public with details on an international bank heist executed, for the most part, virtually. It’s easy to assume that the decision to publish such specifics was a publicity ploy to showcase the success of our government, hard at work, but consider instead the possibility that the U.S. Attorney’s office hoped to make a point about how we might better protect our companies from similar cyber security threats.
Here, then, is the detail provided by the U.S. Attorney’s Office, by way of the Associated Press:
Phase 1: Card processor network intrusion. Using malware, hackers breached the worldwide processors for Rakbank in the United Arab Emirates and the Bank of Muscat in Oman.
Phase 2: The criminals override security protocols and hunt for the prepaid debit card systems and delete limits on the accounts. It takes months to penetrate the systems, prosecutors said.
Phase 3: Access codes are created. Data is loaded onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card would do as long as it carried the account data and correct access codes.
Phase 4: Cells around the globe fan out and begin to make repeated cash machine withdrawals. In New York City alone, 750 transactions were made in two hours and 25 minutes from 140 different ATMs totaling $400,000, prosecutors said.
Phase 5: Hackers maintain unauthorized access to the banks to monitor the cashout, keeping withdrawals rolling until the breach is discovered and the systems shut down.
Phase 6: Cash is laundered and organizers are paid.
As in so many attacks, the hackers gained initial access using malware, and from there overrode security protocols and began looking for opportunities to exploit the system, creating new access codes where needed. What is most alarming is that, while it took the hackers months to penetrate, the banks’ security systems and staff remained unaware that security protocols were being changed and access rights escalated.
At Courion, we believe that most Identity and Access Management systems available today leave enterprises similarly exposed and vulnerable between the time of provisioning and certification. In fact, many IAM solutions may not be equipped with the context needed to identify access rights that have been escalated or security controls that have been overridden, because this kind of information is buried in a big data haystack.
That’s why we feel it is important to arm CISOs with Identity and Access Intelligence (IAI) tools such as Access Insight that apply analytics to the big data problem of billions of identity and access relationships, so they can keep a constant vigil on vulnerabilities and reduce risks before they become financially damaging data breaches.
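The kind of check described above, written out as an added example (not Courion’s code and not part of Access Insight): a baseline entitlement snapshot taken at the last certification is compared with the current state, and any change not covered by an approved provisioning request is reported, along with accounts whose withdrawal limit has disappeared. All accounts, roles and limits below are constructed sample data.

```python
# Added example: detect entitlement drift between certification cycles.
# Not vendor code; the data model and sample records are constructed.
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Entitlement:
    account: str
    attribute: str   # e.g. "role" or "withdrawal_limit"
    value: str

# Constructed baseline captured at the last access certification.
BASELINE = {
    Entitlement("svc-cardproc", "role", "operator"),
    Entitlement("card-0001", "withdrawal_limit", "500"),
    Entitlement("card-0002", "withdrawal_limit", "500"),
}

# Constructed current state pulled from the card-processing system.
CURRENT = {
    Entitlement("svc-cardproc", "role", "admin"),               # escalated
    Entitlement("card-0001", "withdrawal_limit", "500"),
    Entitlement("card-0002", "withdrawal_limit", "unlimited"),  # limit removed
    Entitlement("card-0003", "withdrawal_limit", "500"),        # new, approved
}

# Constructed approved provisioning requests: (account, attribute, new value).
APPROVED = {("card-0003", "withdrawal_limit", "500")}

def unexplained_changes(baseline, current, approved):
    """Entitlements present now but absent from the baseline and not backed by
    an approved request: the drift a reviewer should see before the next
    certification, not after."""
    added = current - baseline
    return sorted(e for e in added
                  if (e.account, e.attribute, e.value) not in approved)

def limit_removals(baseline, current):
    """Accounts whose withdrawal limit was dropped or set to unlimited."""
    before = {e.account: e.value for e in baseline if e.attribute == "withdrawal_limit"}
    after = {e.account: e.value for e in current if e.attribute == "withdrawal_limit"}
    return sorted(a for a in before if after.get(a) in (None, "unlimited"))

if __name__ == "__main__":
    for e in unexplained_changes(BASELINE, CURRENT, APPROVED):
        print("unexplained change:", e)
    print("limits removed:", limit_removals(BASELINE, CURRENT))
```

Run against real exports, the same comparison would surface the role escalation and the removed limit as soon as the next snapshot is taken, rather than months later at certification.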
It’s clear that the hackers may have tested their belief that they were operating undetected, since the December 22 withdrawals around the world totaled $5 million, but when no alarms sounded, they more than redoubled their efforts eight weeks later on February 19th by withdrawing $40 million at ATMs around the world in just one day.
Luckily, these modern-day bank robbers were detected by government officials on guard, watching for their next move.
Do you have the tools needed to keep watch, or would you know where to look?