back to article Bank had no firewall license, intrusion or phishing protection – guess the rest

An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees. The unfortunate institution is called the Andra Pradesh …

  1. ShadowSystems Silver badge

    What I don't understand...

    If you have Root access to the bank internals & can run unchecked through their digital vaults, why limit yourself to making a few withdrawls at various ATM's?

    It's like you've got access to the entire cookie jar, but ignoring the cookies in favour of the crumbs in the bottom.

    1. katrinab Silver badge
      Paris Hilton

      Re: What I don't understand...

      Because they want to hold their cash in a way that isn't traceable back to the bank.

      1. ShadowSystems Silver badge

        At KatrinaB...

        I could accept that except for the fact that most ATM's have a security camera that records the person using the device. The bank will know which accounts were given the money, which ATM's were used to withdraw said funds, & be able to hand the security footage over to the authorities.

        Even if the person in the footage is obscured, the account holder is known & will be brought in for questioning. If they can't provide a plausible excuse for the person in the video *not* being them, they'll be on the hook for "receiving stolen property" at the least or the bank heist itself.

        *Hands you a pint to hold against your forehead to help with the headache I've just caused*

        Drink up with my apologies for my train of thought often causing good ideas to derail harder than a roller coaster jumping the track at the bottom of the first steep hill. =-j

        1. yetanotheraoc Silver badge

          Re: At KatrinaB...

          "the account holder is known"

          The electronic transfers were from the real accounts. The ATM withdrawals were from the fake accounts.

        2. Emir Al Weeq

          Re: At KatrinaB...

          "Even if the person in the footage is obscured, the account holder is known & will be brought in for questioning. If they can't provide a plausible excuse for the person in the video *not* being them, they'll be on the hook"

          Ah yes, the old guilty-until-proven-innocent approach.

          1. Loyal Commenter Silver badge

            Re: At KatrinaB...

            Ah yes, Mr Fakebankaccount, of 123 Anystreet, Sampleton, I see from our records that despite your associated photo ID being that of Adolf Hitler, a man not matching your description was seen running off with some stolen cash...

            It's not even a case of "guilty until proven innocent"; as I understand it, the crooks created accounts in the banks systems, transferred cash to them, then withdrew it from cash machines. There was never any real identity associated with those accounts.

        3. Danny 14

          Re: At KatrinaB...

          here kid. go to that atm. withdraw 400, 100is yours. Then go to that atm, withdraw 400, 100 ia yours. Talk about it and we hack your arms off.

    2. Coastal cutie

      Re: What I don't understand...

      The ATMs were just the last stage of getting hold of the $1M+ that they'd stolen, providing nicely untraceable funds once withdrawn

      1. ShadowSystems Silver badge

        At Coastal Cutie...

        Please see my reply to KatrinaB above. The ATM wouldn't be the anonymous extraction point you envision.

        The ATM has a security camera, the footage goes to the cops, the account holder of the account accessed to pull the funds will be known & reported to the cops, & that kind of blows the anonimity out of the water. =-/

        *Hands you a pint to help with the headache*

        Sorry for being a buzzkill, it's a side effect of my Dried Frog Pills. =-J

        1. Ian Johnston Silver badge

          Re: At Coastal Cutie...

          Good job that (a) Blu-Tak or the Indian equivalent doesn't stick to cameras and (b) nobody had the sort of access to the bank which might have allowed accounts to be opened with fake details, ready to receive the illicit transfers.

        2. Phil Kingston

          Re: At Coastal Cutie...

          Many many ATMs have no camera. And who knows how long the ones that do retain images for. And easy enough to work around all that "hey kid, you can keep x rupees if you use this card and withdraw 10x rupees from that ATM over there for me". Heck, even if the kid runs off with all of it, not his loss.

        3. Coen Dijkgraaf

          Re: At Coastal Cutie...

          Except those doing withdrawals from the ATM and overseas transfers my be unsuspecting money mules who would have been recruited and paid a small amount of money for the job. So even if they get arrested, the perpetrators that carried out the heist won't be caught.

        4. FILE_ID.DIZ
          Devil

          Re: At Coastal Cutie...

          Ride a motorbike type ride and be safe and wear a helmet.

          Face fully obscured. And while you're at it, steal someone else's plates or just steal someone else's bike and ta-da.

    3. bombastic bob Silver badge
      Devil

      Re: What I don't understand...

      Maybe they were too cheap to fly to the Caiman Islands (or wherever) to set up an account for a shell company there??

      I would expect wire transfers, cashier's checks, some basic money laundering, and other organized crime techniques may also have been beyond their skill set. It only takes a semi knowledgeable script kiddie to use phishing attacks to set up a RAT trojan...

      which ALSO means (the obvious) that proper bank security SHOULD have prevented this.

      (I hope that no depositors lost their funds, but I expect they did)

      1. katrinab Silver badge

        Re: What I don't understand...

        Wire transfers etc can be traced after the event. That's why they didn't do them.

        1. bombastic bob Silver badge
          Meh

          Re: What I don't understand...

          Assuming that you set up shell companies someplace that's difficult to track you down in, you can assume you will be traced but not care a lot. Caiman Islands is one of those places you can set up this kind of money laundering scheme. It's a typical money laundering technique used by "the big time": crooks. YES, you CAN trace it with difficulty, and if the criminals know what they are doing, they will probably get away with it.

          I mean how do drug cartels and organized crime bosses "get away with it" ? Pretty much "that".

    4. JulieM

      Re: What I don't understand...

      Why don't people who hack into banks' computers start out by purging all the loan and mortgage records?

      1. veti Silver badge

        Re: What I don't understand...

        If the bank goes bust, who are they gonna steal from?

        These people are doing it for their own benefit, not yours.

    5. yetanotheraoc Silver badge

      Re: What I don't understand...

      Because it wasn't a criminal gang in Nigeria but one or a few individuals inside the bank. Rather than maximize the payout, they maximized deception and untraceability. We should ask in particular - who exactly made all those ATM withdrawals?

      1. Wedgie

        Re: What I don't understand...

        Agree, as an ex-bank InfoSec bod, this has insider job all over it. Even if the bank is running a COTS platform, a fair bit of insider knowledge would be required to pull off what has been described.

      2. bombastic bob Silver badge
        Unhappy

        Re: What I don't understand...

        who exactly made all those ATM withdrawals?

        People wearing masks, no doubt. ATMs have cameras but it does little good if you have a mask on.

        1. tip pc Silver badge

          Re: What I don't understand...

          People wearing masks, no doubt. ATMs have cameras but it does little good if you have a mask on.

          Why would people be wearing masks when going to an atm? It’s not like there has been a global respiratory pandemic where people where asked to wear masks is it?

          1. RagBagg

            Re: What I don't understand...

            The fraud and the withdrawals happened around the time when Omicron was raging. A face mask would absolutely have been the best anonymity device as no one would object to it.

            I am sure out of those hundreds of withdrawals most would have got captured on camera (I know they do, we get reports of ATM frauds being stuck due to masks), but a masked face. And as someone suggested, if a bike helmet was placed on the face, a normal occurrence in India - then the CCTV would be useless.

            The bank and its management ought to be convicted... for stupidity!

        2. yetanotheraoc Silver badge

          Re: What I don't understand...

          Agree, but my point was those people were not in Nigeria or UK but were locals. Even if they were simply mules (doubtful), they had to hand off the cash to some other local. "Exactly" didn't mean "by name" but "by role".

  2. sanmigueelbeer Silver badge

    What could possibly go wrong?

    An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system

    A bank without a valid license -- What could possibly go wrong?

    1. b0llchit Silver badge
      Coat

      Re: What could possibly go wrong?

      They get robbed?

      1. LDS Silver badge

        Re: What could possibly go wrong?

        Probably the bank executives and managers didn't want to get caught while doing some additional money on their own....

    2. Anonymous Coward
      Anonymous Coward

      Re: What could possibly go wrong?

      They never seem to rob sperm banks though,

      1. richdin

        Re: What could possibly go wrong?

        More fun making deposits rather than withdrawals...

    3. RagBagg

      Re: What could possibly go wrong?

      The bank license was valid, they simply used pirate software. They also had a license for Stupidity.

      1. John Brown (no body) Silver badge
        Coat

        Re: What could possibly go wrong?

        No. Licenced stupidity is regulated to fixed levels. This was pure unlicensed stupidly which has no bounds.

    4. Cliffwilliams44 Bronze badge

      Re: What could possibly go wrong?

      For a country with so many people that work in the IT industry this is just so foolish. I understand the monitory concern but there are so many open source firewalls that they could have stood up some generic box with one of these.

      All the rest is just stupid management stuff. Don't implement standard security protocols because it is too intrusive to the users.

  3. Potemkine! Silver badge

    IT is a cost center isn't it?

    As long as bean counters will see IT as something too expensive whatever it's used for, such nonsense will occur.

    Too many times shareholders want more and more year after year, and are willing to put a lot of pressure on 'support' services to increase the profit: those get what they deserve, losses and bad press.

    1. Anonymous Coward
      Anonymous Coward

      Re: IT is a cost center isn't it?

      A thousand times this. My support department has been gutted from 26 people running 24/7/365 to 3. The cracks started showing a long time ago and there are people in management positions who ask why we haven't done X.

      Well boss, could it be because you fired everyone and that there are more managers above me than people in my department?

      1. tatatata
        Trollface

        Re: IT is a cost center isn't it?

        24/7/365. So 1 day down every 4 years?

    2. Flywheel Silver badge
      Joke

      Re: IT is a cost center isn't it?

      put a lot of pressure on 'support' services to increase the profit

      Maybe they should've outsourced it?

      1. TRT Silver badge

        Re: IT is a cost center isn't it?

        They did but the bloody call centre was in England.

    3. Anonymous Coward
      Anonymous Coward

      Re: IT is a cost center isn't it?

      IT has and always will be seen as a dirty, money swallowing black hole by those at the top. "Computers right? They just look after themselves, why do we need all these people with all these skills? What the hell do we need to pay for more kit? We only just some 6 months ago!"

      If you're lucky enough to have a young'ish CEO who sees the real value of technology and how to use it productivey to increase the company worth, then you're already winning big time. If on the other hand you have some old fart ( ex-Bean counter usually ) at the top who cannot see why you need to keep pace with tech and pay for skilled workers, then I strongly advise you get out and find a company with a young'ish CEO who sees the real...you get the idea!

      1. Anonymous Coward
        Anonymous Coward

        Not necessarily young-ish CEOS...

        Overall corporate culture is the thing to look for.

        I work for a tech company with a gray-haired CEO who absolutely gets it. I won't argue against the notion that older CEOs are statistically less likely to be tech-savvy, but then I work for an individual and not a statistic.

        I've also worked for a gray-haired CEO who was an absolute abusive nightmare and never made a mistake he couldn't blame on someone else. I left that place - best thing I've done in years, second only to landing my present job.

        There ARE workplaces out there where the PHB pays attention to the BOFH, everyone is working toward the same goals, priorities are based on rational discusion, everyone really IS valued, and no one is abused. They won't be Fortune 500 companies, and probably not publicly-traded on the stock market, but they do exist. Seek them out.

        Posting as anon because I value opsec and there are evil people out there.

      2. Brett Weaver

        Re: IT is a cost center isn't it?

        .. So the age of the CEO is the main thing eh? That's the sort of shallow, muddy thinking I have come to expect from young people ...

        1. Cliffwilliams44 Bronze badge

          Re: IT is a cost center isn't it?

          Forgive them, for they know not what they do!

      3. tip pc Silver badge

        Re: IT is a cost center isn't it?

        If on the other hand you have some old fart ( ex-Bean counter usually ) at the top who cannot see why you need to keep pace with tech and pay for skilled workers, then I strongly advise you get out and find a company with a young'ish CEO who sees the real...you get the idea!

        I agree with the bean counter argument but not the grey hair thing.

        You should appreciate some of the history of computing.

        Did you know that the first computer used for commercial business applications was for a company that makes tea, running its first test programs in 1949.

        While the engineers who did the work where nut grey beards, the board who allowed the overall investigation, research, commissioning etc to happen almost definitely where.

        They where pioneers of their time, no one else was running computers for business programs so they literally had to build their own.

        What business today does something as left field as that? That’s like some tiny business that sells books deciding it’s going to create a huge intercontinental distribution system to sell other peoples stuff & then deciding to build huge datacenters all around the globe and then let other companies run their own programmes in their dc’s. From books to logistics to cloud computing is quite a leap but yes Geoff wasn’t a grey beard, but then he didn’t start by creating logistics, he built upon what already existed by working with the established logistical giants.

      4. Cliffwilliams44 Bronze badge

        Re: IT is a cost center isn't it?

        We used to have to fight tooth and nail to get anything security wise implemented or paid for in my company. Then one of our competitors got hit with Ransomware, which also hit some their subcontractors (Construction industry) through poorly implemented VPN security. It was amazing how fast all of our security initiatives were budgeted and fast tracked! We even have a dedicated Security team now,

    4. Cederic Silver badge

      Re: IT is a cost center isn't it?

      Most bankers these days fully recognise that they're running an IT business.

      The data merely happens to represent a highly tradeable commodity.

    5. Danny 14

      Re: IT is a cost center isn't it?

      pfsense, snort and pfblocker are free though, thats what makes no sense.

      1. John Brown (no body) Silver badge

        Re: IT is a cost center isn't it?

        Probably because if it's free, then it must be shite. Or the business has to take full responsibility and can't blame the vendor (and pay for people to set it up and maintain it). At least that's the logic I expect is used at board level.

  4. An_Old_Dog Bronze badge
    FAIL

    Root Causes

    Greed: The Board of Directors would not authorize funds for up-to-date software licenses and software support.

    Executive Arrogance: "What are the chances we'll get hit? Anyway, I'll get a bonus and/or promotion for cutting costs, and be in a different job by the time it does happen, if ever."

    Possible* Bank IT Incompetence: There are open source, free-as-in-beer firewalls available. Why didn't bank IT deploy one if they couldn't get funds to maintain their commercial firewall?

    *They may have suggested, and denied this option by their management.

    This sort of thing will continue until the people responsible do serious jail time, and office politics ensures anyone found 'officially responsible' will be lower-level types only, and not actual directors.

    1. Zippy´s Sausage Factory
      Facepalm

      Re: Root Causes

      I remember once a colleague telling me about suggesting something open source to their manager:

      "So, how much does it cost?"

      "It's free"

      "Ok, but who sets it up for us, what consultancy?"

      "We can do it ourselves"

      "But what if it goes wrong, who do we sue?"

      "We don't."

      "This sounds like pirate software to me, I'm not approving it. And if you suggest anything like this again, it'll be a written warning."

      1. Doctor Syntax Silver badge

        Re: Root Causes

        "But what if it goes wrong, who do we sue?"

        The correct response at this point would be:

        "Do we sue Microsoft, Oracle or any other supplier?"

        1. Steve Hersey

          Re: Root Causes

          My personal response would be to reach for the D-ring and exit the plane stage right.

          "Who do we sue if this goes wrong?" is that rere thing, an actually stupid question.

          The RIGHT question is: "Will we be better off if we do this, or if we don't? Is this the best option, or is there a better one?"

          Planning for whom to sue in case of failure is planning for failure.

          1. John Brown (no body) Silver badge

            Re: Root Causes

            But you always need a Plan 9 for user-space! That's not planning for failure, it's a plan of last resort. The cold, dead dregs of the company need something for the lawyers to hang onto. Just ask SCO :-)

      2. Anonymous Coward
        Anonymous Coward

        Re: Root Causes

        Have on more than one occasion had to explain to people that using an open source software platform to store health research data does not mean making that data publicly available....

        1. Anonymous Coward
          Anonymous Coward

          Re: Root Causes

          You as well?? I wonder how common this is?

        2. T. F. M. Reader Silver badge

          Re: Root Causes

          Have on more than one occasion had to explain to people that using an open source software platform to store health research data does not mean making that data publicly available....

          How successful have you been so far in getting this message through? Asking for a friend...

      3. Cliffwilliams44 Bronze badge

        Re: Root Causes

        Another aspect of this is you have all these "Security Consultants"* that will tell management that "Open Source is a terrible security risk!" So they can sell the expensive kit they support and make big bucks on.

        I've had to counter this with "How many eyes are on their code? Can we see their code? How motivated are they to publicize the fact their software has a security flaw?" "With open source there are 100's or even 1000's of people looking at the code, we can download the code and examine it ourselves, No ones ego or corporate reputation is resting on the quality of the code! There is no motivation to hide vulnerabilities until they are fixed."

        It was harder to win this argument in the past but Open Source it is getting more an more acceptable.

        *I don't mean to disparage all security consultants, there are some that are excellent! But there are others that are just fear mongering con-men!

        1. Aitor 1 Silver badge

          Re: Root Causes

          Badly done os is a risk. But everything in life has risks.

          Look at springshell, etc.

    2. bombastic bob Silver badge
      Meh

      Re: Root Causes

      may just have been cluelessness coupled with being cheap

      1. W.S.Gosset Silver badge

        Re: Root Causes

        That was my thoughts, too.

  5. Pascal Monett Silver badge

    the Andra Pradesh Mahesh Co-Operative Urban Bank

    Is going to quickly learn about networks, intrusion detection systems and that the cost of a proper firewall license means it can continue doing business.

    Some people have to learn the hard way.

    1. Dan 55 Silver badge

      Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

      They're supposed to learn the hard way at audits, not by losing a tonne of money.

      So the regional/national regulator seems remiss in their work as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

        Oh I've seen this by the bucket load.

        4 successive failed audits. Each time the company pleaded and said they were working on resolving the issues (they were not). The funniest thing was one particular auditor I met on the first 2 audits joined the company some time after the last audit. I ran into him by chance, and he was complaining that, several years on, NONE of the recommendations he'd made had been implemented.

        I just laughed. I reminded him of the times in the audit interviews where I commented that I had tried (unsuccessfully) to get the issues addressed (all documented, with meeting minutes) and been ignored.

      2. Cliffwilliams44 Bronze badge

        Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

        As long as the entity paying for the auditors is the entity getting audited the audit is useless. I've seen this time and again.

        I've also see that IT audits are performed by 20 something employees of large accounting consulting firms like Deloitte. They are absolutely clueless regarding IT security and only operate from a list of items given to them. Again, the audit is absolutely useless.

      3. Missing Semicolon Silver badge

        Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

        You think the customers that had their accounts pilfered will get refunds?

        Only the important ones.

    2. WanderingHaggis

      Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

      It's a shame for the account holder who loose their savings though. Was the bank insured -- would an insurer honour such a fail?

      1. Doctor Syntax Silver badge

        Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

        Why the downvotes other than "loose" instead of "lose"? It's the account holders who were the victims. They weren't in a position to know their bank was so lax.

        1. Dabooka Silver badge

          Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

          I cannot be sure as to the reason but possibly because the individuals accounts getting rinsed would not be the ones paying the price; any losses would have to be made good by the ban.

          Or it could be Loose vs lose. Who knows!

          1. John Brown (no body) Silver badge

            Re: the Andra Pradesh Mahesh Co-Operative Urban Bank

            Maybe, maybe not. Anyone know the laws and regulations on Banking in India? Specifically in relation to a co-operative? The account holders may well be shareholders which might affect any payouts.

  6. Anonymous Coward
    Anonymous Coward

    Maybe they should have outsourced their IT...

    ... to the massive talent pool of IT in India I hear so much about.

    1. Doctor Syntax Silver badge

      Re: Maybe they should have outsourced their IT...

      "massive talent pool of IT in India"

      It sounds as if the Hyderabad police have more of it than the bank.

    2. Zippy´s Sausage Factory

      Re: Maybe they should have outsourced their IT...

      It's almost as if that would cost money, and costing money would impact the executive bonuses and that would be a Bad Thing.

    3. John Brown (no body) Silver badge

      Re: Maybe they should have outsourced their IT...

      It's an interesting thought. If you run a business in India, with the local market rates, how do you beat the completion on price? Where do you off-shore your outsourcing? Malaya? Philippines? Tuvalu?

  7. Doctor Syntax Silver badge

    Unfortunate.

    "The unfortunate institution"

    It's not the bank that's unfortunate, it's their customers. The bank got exactly what it deserved, the customers didn't.

  8. sanmigueelbeer Silver badge

    Hello Andra Pradesh Mahesh Co-Operative Urban Bank? My name is Jake and I am calling from Microsoft.

    1. Anonymous Coward
      Anonymous Coward

      I came here for the comments and I was not dissapointed.

      Cheers, I LOL'd at that!

    2. doesnothingwell

      Whenever Jake calls me about "a problem with my computer", he is from Windows.

      1. Cliffwilliams44 Bronze badge

        And that is "Jake" with a Nigerian accent!

  9. VoiceOfTruth

    Licence costs

    -> The latter is not uncommon because enterprise software is often priced to western standards, and users in less prosperous nations who find the cost prohibitive roll the dice on unsupported and/or out of date code.

    This is completely true. Every time I read about x billion $ being lost due to 'software piracy', consider for a moment that if the cost of Adobe here in the UK is expensive, how much more expensive it is in, say, India. Adobe has no chance whatsoever of persuading a lot of people there to part with a huge amount of their income just to have the pleasures of Photoshop. So there is 'software piracy'.

    1. Anonymous Coward
      Anonymous Coward

      Re: Licence costs

      Or The Gimp…

    2. Cliffwilliams44 Bronze badge

      Re: Licence costs

      Adobe has made more money "because" of pirated copies of PhotoShop then they have ever lost because of Piracy. All those college students that used a pirated copy of PhotoShop in college and then when they got a job insisted that they have PhotoShop so their employer purchased it!

      I have no sympathy for Adobe, ever!

      Creative Cloud is am expensive pile of stinking dung and I wish I could extricate it from our enterprise!

      1. John Brown (no body) Silver badge

        Re: Licence costs

        Likewise Microsoft with both Windows and Office.

    3. Anonymous Coward
      Anonymous Coward

      Re: Licence costs

      It's one thing to pirate software because you can't afford it (not saying it's a good thing or a justifiable thing).

      Its another thing to lose over $1M because you were too cheap to license a firewall.

  10. Anonymous Coward
    Anonymous Coward

    no VLANs ????

    "Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application."

    Really ???? Even in the 80s, this was unthinkable ! And it's not as they cost anything ! My 50 E 8 ports Netgear switch supports them !

    1. Doctor Syntax Silver badge

      Re: no VLANs ????

      "And it's not as they cost anything"

      But they do. The bank would have to pay somebody who knew what they were doing to set them up. What's more they have to pay somebody to ensure every new box is on the right VLAN.

      1. Cliffwilliams44 Bronze badge

        Re: no VLANs ????

        What is more important is the absolute lack of any user security segmentation. I say this all the time, "Why do some people have the veritable 'Keys to the kingdom'?" No one person should have full access EVERY piece of data your organization has! NO ONE! Not even in IT.

        Yes, I'm a Domain Admin, yes I have access to all the servers ad their data with that account but NO I do not use that account for my daily computer use. Also, I DO NOT have access to our financial data, not with ANY account!

    2. DarkwavePunk

      Re: no VLANs ????

      You'd be surprised. Early 2000s I had a short contract job at a financial institution that had 700+ NT4 desktops on a flat network alongside the servers. With stacked hubs no less. After pointing this out as a "bad idea" many times I was basically told "We know, shut up!". Not exactly sure what they wanted me to do and why I was hired.

      1. BOFH in Training Bronze badge

        Re: no VLANs ????

        Would not have been surprised so that in the event that something bad happens, they can point to the previous contractor (you in this case) as the one who did not do anything about it / advice about it.

        Hope you had everything in emails or some other paper trail in that instance so you can point to that in the event you are blamed.

  11. TRT Silver badge

    It's nice that...

    we have these volunteer honey-trap organisations.

  12. Anonymous Coward
    Anonymous Coward

    Without reading the article

    > Bank had no firewall license, intrusion or phishing protection – guess the rest

    They realised their mistake, paid their licence arrears, put in place a system to prevent recurrence, extensively audited their systems to ensure no intrusion had occurred, write a grovelling apology to their customers and by their quick corrective action managed to avoid being exploited?

    Did I win?

    1. arachnoid2
      IT Angle

      Re: Without reading the article

      No they changed the banks name,moved the customers across and upgraded their home page. Half a days down time job done.

    2. SuperGeek

      Re: Without reading the article

      "They realised their mistake, paid their licence arrears, put in place a system to prevent recurrence, extensively audited their systems to ensure no intrusion had occurred, write a grovelling apology to their customers and by their quick corrective action managed to avoid being exploited?"

      Does Hell freeze over once a blue moon?

  13. Robert 22

    I imagine they were bogus accounts.

  14. russmichaels

    how ironic

    Indians getting scammed/hacked by someone outside of India... quite ironic really....

  15. Ken G Bronze badge
    Holmes

    How many millions of Rupees?

    There's a reason the Crore is a unit of measurement - a million Rupee is about €12K, maybe the loss was less that the cost of the licenses?

    1. jameswyper

      Re: How many millions of Rupees?

      The article mentions a loss of (presumably US) $1 million, so approximately Rs 75 million at today's rate.

  16. Jake Maverick

    Just wait until they do away with paper statements! Something like this happens or there is a solar flare....the real victims/ customers can't even prove they had a bank account with them, never mind what the balance was!

  17. Mister Dubious
    Coat

    Shrinkage

    "Its 45 branches and just under $400 million of deposits make it one of India's smaller banks."

    Even smaller now, it appears.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Intuit pulls QuickBooks from India, uncomfortably quickly
    Walks away from enormous but parochial market, while leaving global development teams in place

    Accounting software colossus Intuit has decided to pull its QuickBooks product from India.

    The decision comes into effect on January 31 2023, after which QuickBooks products and service offerings for accountancy and small business customers will no longer be available in the world's second most populous country.

    "After careful consideration, the decision was made that we can no longer continue to deliver and support QuickBooks products that serve the needs of small businesses and accounting professionals across India," reads a notice posted yesterday.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Voicemail phishing emails steal Microsoft credentials
    As always, check that O365 login page is actually O365

    Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

    This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.

    This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Central bank: Crypto 'derives value based on make believe', threatens financial stability
    India's Reserve Bank no fan of digi-dollars – even its own planned central bank digital currency

    India's Reserve Bank has offered a scathing assessment of cryptocurrencies in its latest financial stability report – saying the risks they create demand attention before they undermine established institutions.

    "Cryptocurrencies are a clear danger," the report baldly declares in its Foreword, penned by Reserve Bank governor Shaktikanta Das. "Anything that derives value based on make believe, without any underlying [value], is just speculation under a sophisticated name."

    The report doesn't assess cryptocurrency as an immediate danger, noting that crypto assets represent just 0.4 percent of all financial assets and their interoperability with the traditional financial system is "restricted".

    Continue reading
  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Indian government issues confidential infosec guidance to staff – who leak it
    Bans VPNs, Dropbox, and more

    India's government last week issued confidential information security guidelines that calls on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.

    The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.

    "The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

    Continue reading
  • Microsoft postpones shift to New Commerce Experience subscriptions
    The whiff of rebellion among Cloud Solution Providers is getting stronger

    Microsoft has indefinitely postponed the date on which its Cloud Solution Providers (CSPs) will be required to sell software and services licences on new terms.

    Those new terms are delivered under the banner of the New Commerce Experience (NCE). NCE is intended to make perpetual licences a thing of the past and prioritizes fixed-term subscriptions to cloudy products. Paying month-to-month is more expensive than signing up for longer-term deals under NCE, which also packs substantial price rises for many Microsoft products.

    Channel-centric analyst firm Canalys unsurprisingly rates NCE as better for Microsoft than for customers or partners.

    Continue reading
  • Zscaler bulks up AI, cloud, IoT in its zero-trust systems
    Focus emerges on workload security during its Zenith 2022 shindig

    Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.

    Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.

    In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.

    Continue reading
  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading

Biting the hand that feeds IT © 1998–2022