It is probably the cyber fraud of the decade. Combining ingenuity, cyber planning, cross boarder coordination, ATM and credit card, it has left all bank CEO’s rethinking their strategy. Why are executives always operating behind the cyber criminals? Why are CEO’s having a false sense of security only to find out later that the assurances from their own internal IT security experts were fake? Welcome to technology.
The cyber criminals stole an estimated US $45 million by hacking into a database of prepaid debit cards. According to prosecution, the cyber criminals exploited security weaknesses at banks in United Arab Emirates and Oman.
According to BBC, this is a case of laptops not guns. “The defendants and their co-conspirators participated in a massive 21st Century bank heist that reached across the internet and stretched around the globe,” Loretta Lynch, US Attorney for the Eastern District of New York, said in a statement. “In the place of guns and masks, this cyber crime organisation used laptops and the internet.”
It was reported on CNN that the cyber criminals hacked computer systems to steal data on prepaid debit cards. This will an ingenious fraud where by the criminals first preload the cards with money instead of linking them to a bank account, as it is the case normally.
This scheme was operated like the way the new chip and pin cards are used, whereby, the holder preloads the card with cash. In Uganda, UBA provides that service and is very secure. All you do, is to deposit or loan your card with money, and alas, you can go and withdraw it from any VISA ATM or use the credit to buy online merchandise.
It is reported the cyber criminals cancelled the withdrawal limits and distributed information to accomplices or cashers i.e. people paid to go to a physical ATM to withdraw the money. It is said that, within a space of just 10 hours, over US $40 million had been withdrawn! This fraud is almost a replica of my recent cyber fraud I investigated in a Uganda bank where fraudsters inserted a Trojan in the bank’s live database. The Trojan would then change the customer’s signature and photo into that preset ones of the fraudster. During lunch time, 1pm – 2pm, over US $400,000 had been withdrawn. The fraudsters timed when back-end staff had gone for lunch to affect the fraud at all the bank’s branches country-wide.
This case highlights the need for tough security measures by financial institutions. As I have always said, the scale and size of cyber crime is global and no system or financial institution is safe, as any system can be hacked, as long as there is hacker value. It is easy to cause denial of service to most on-line systems. The only reason why many systems are still on is the lack of motivation for the would-be hackers’ world over.
The general self denial by the bank executives, and the lack of board awareness of the scale of the cyber fraud problem is the main cause of concern.
In the April 2013 alone, over six banks in Uganda and three in Kenya have reported cyber related fraud incidents, and the problem is on the rise. Most of these crimes are common – lapses in basic security at the financial institution, lack of user awareness training about basic computer security, hacking into the on-line banking application, exploitation of the man-in-the-middle attacks and exploitation of backdoors by the system implementers.
It is strongly encouraged for financial institutions, and indeed, all organizations that have their core processes automated to undertake independent penetration testing on a continuous basis at least every quarter, as the cost and scale of cyber crime is very perverse and can be catastrophic. Cyber defense and security is no longer a mandate of the company’s internal security team. It needs independent assurance from external experts to ensure there is on-going external assurance of the robustness of the systems.
Many of the CEO’s of yesteryears are still out of touch with today’s new risks and security challenges. They want to think for them they are un-hackable. That is the big mistake.
As banks rely on automation for their core banking application which is indeed mission critical, they must reconsider their priorities. Investing in security and training is paramount to ensure depositors’ money is safe. It is no longer about having big and heavy safes alone. It is about having the best cyber defense professionals.
Click here to read more on BBC website, http://www.bbc.co.uk/news/world-us-canada-22470299