Bank had no firewall license, intrusion or phishing protection – guess the rest An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees. The unfortunate institution is called the Andra Pradesh …
If you have Root access to the bank internals & can run unchecked through their digital vaults, why limit yourself to making a few withdrawls at various ATM's?
It's like you've got access to the entire cookie jar, but ignoring the cookies in favour of the crumbs in the bottom.
I could accept that except for the fact that most ATM's have a security camera that records the person using the device. The bank will know which accounts were given the money, which ATM's were used to withdraw said funds, & be able to hand the security footage over to the authorities.
Even if the person in the footage is obscured, the account holder is known & will be brought in for questioning. If they can't provide a plausible excuse for the person in the video *not* being them, they'll be on the hook for "receiving stolen property" at the least or the bank heist itself.
*Hands you a pint to hold against your forehead to help with the headache I've just caused*
Drink up with my apologies for my train of thought often causing good ideas to derail harder than a roller coaster jumping the track at the bottom of the first steep hill. =-j
"Even if the person in the footage is obscured, the account holder is known & will be brought in for questioning. If they can't provide a plausible excuse for the person in the video *not* being them, they'll be on the hook"
Ah yes, the old guilty-until-proven-innocent approach.
Ah yes, Mr Fakebankaccount, of 123 Anystreet, Sampleton, I see from our records that despite your associated photo ID being that of Adolf Hitler, a man not matching your description was seen running off with some stolen cash...
It's not even a case of "guilty until proven innocent"; as I understand it, the crooks created accounts in the banks systems, transferred cash to them, then withdrew it from cash machines. There was never any real identity associated with those accounts.
Please see my reply to KatrinaB above. The ATM wouldn't be the anonymous extraction point you envision.
The ATM has a security camera, the footage goes to the cops, the account holder of the account accessed to pull the funds will be known & reported to the cops, & that kind of blows the anonimity out of the water. =-/
*Hands you a pint to help with the headache*
Sorry for being a buzzkill, it's a side effect of my Dried Frog Pills. =-J
Many many ATMs have no camera. And who knows how long the ones that do retain images for. And easy enough to work around all that "hey kid, you can keep x rupees if you use this card and withdraw 10x rupees from that ATM over there for me". Heck, even if the kid runs off with all of it, not his loss.
Maybe they were too cheap to fly to the Caiman Islands (or wherever) to set up an account for a shell company there??
I would expect wire transfers, cashier's checks, some basic money laundering, and other organized crime techniques may also have been beyond their skill set. It only takes a semi knowledgeable script kiddie to use phishing attacks to set up a RAT trojan...
which ALSO means (the obvious) that proper bank security SHOULD have prevented this.
(I hope that no depositors lost their funds, but I expect they did)
Assuming that you set up shell companies someplace that's difficult to track you down in, you can assume you will be traced but not care a lot. Caiman Islands is one of those places you can set up this kind of money laundering scheme. It's a typical money laundering technique used by "the big time": crooks. YES, you CAN trace it with difficulty, and if the criminals know what they are doing, they will probably get away with it.
I mean how do drug cartels and organized crime bosses "get away with it" ? Pretty much "that".
The fraud and the withdrawals happened around the time when Omicron was raging. A face mask would absolutely have been the best anonymity device as no one would object to it.
I am sure out of those hundreds of withdrawals most would have got captured on camera (I know they do, we get reports of ATM frauds being stuck due to masks), but a masked face. And as someone suggested, if a bike helmet was placed on the face, a normal occurrence in India - then the CCTV would be useless.
The bank and its management ought to be convicted... for stupidity!
For a country with so many people that work in the IT industry this is just so foolish. I understand the monitory concern but there are so many open source firewalls that they could have stood up some generic box with one of these.
All the rest is just stupid management stuff. Don't implement standard security protocols because it is too intrusive to the users.
As long as bean counters will see IT as something too expensive whatever it's used for, such nonsense will occur.
Too many times shareholders want more and more year after year, and are willing to put a lot of pressure on 'support' services to increase the profit: those get what they deserve, losses and bad press.
A thousand times this. My support department has been gutted from 26 people running 24/7/365 to 3. The cracks started showing a long time ago and there are people in management positions who ask why we haven't done X.
Well boss, could it be because you fired everyone and that there are more managers above me than people in my department?
IT has and always will be seen as a dirty, money swallowing black hole by those at the top. "Computers right? They just look after themselves, why do we need all these people with all these skills? What the hell do we need to pay for more kit? We only just some 6 months ago!"
If you're lucky enough to have a young'ish CEO who sees the real value of technology and how to use it productivey to increase the company worth, then you're already winning big time. If on the other hand you have some old fart ( ex-Bean counter usually ) at the top who cannot see why you need to keep pace with tech and pay for skilled workers, then I strongly advise you get out and find a company with a young'ish CEO who sees the real...you get the idea!
Overall corporate culture is the thing to look for.
I work for a tech company with a gray-haired CEO who absolutely gets it. I won't argue against the notion that older CEOs are statistically less likely to be tech-savvy, but then I work for an individual and not a statistic.
I've also worked for a gray-haired CEO who was an absolute abusive nightmare and never made a mistake he couldn't blame on someone else. I left that place - best thing I've done in years, second only to landing my present job.
There ARE workplaces out there where the PHB pays attention to the BOFH, everyone is working toward the same goals, priorities are based on rational discusion, everyone really IS valued, and no one is abused. They won't be Fortune 500 companies, and probably not publicly-traded on the stock market, but they do exist. Seek them out.
Posting as anon because I value opsec and there are evil people out there.
If on the other hand you have some old fart ( ex-Bean counter usually ) at the top who cannot see why you need to keep pace with tech and pay for skilled workers, then I strongly advise you get out and find a company with a young'ish CEO who sees the real...you get the idea!
I agree with the bean counter argument but not the grey hair thing.
You should appreciate some of the history of computing.
Did you know that the first computer used for commercial business applications was for a company that makes tea, running its first test programs in 1949.
While the engineers who did the work where nut grey beards, the board who allowed the overall investigation, research, commissioning etc to happen almost definitely where.
They where pioneers of their time, no one else was running computers for business programs so they literally had to build their own.
What business today does something as left field as that? That’s like some tiny business that sells books deciding it’s going to create a huge intercontinental distribution system to sell other peoples stuff & then deciding to build huge datacenters all around the globe and then let other companies run their own programmes in their dc’s. From books to logistics to cloud computing is quite a leap but yes Geoff wasn’t a grey beard, but then he didn’t start by creating logistics, he built upon what already existed by working with the established logistical giants.
We used to have to fight tooth and nail to get anything security wise implemented or paid for in my company. Then one of our competitors got hit with Ransomware, which also hit some their subcontractors (Construction industry) through poorly implemented VPN security. It was amazing how fast all of our security initiatives were budgeted and fast tracked! We even have a dedicated Security team now,
Greed: The Board of Directors would not authorize funds for up-to-date software licenses and software support.
Executive Arrogance: "What are the chances we'll get hit? Anyway, I'll get a bonus and/or promotion for cutting costs, and be in a different job by the time it does happen, if ever."
Possible* Bank IT Incompetence: There are open source, free-as-in-beer firewalls available. Why didn't bank IT deploy one if they couldn't get funds to maintain their commercial firewall?
*They may have suggested, and denied this option by their management.
This sort of thing will continue until the people responsible do serious jail time, and office politics ensures anyone found 'officially responsible' will be lower-level types only, and not actual directors.
I remember once a colleague telling me about suggesting something open source to their manager:
"So, how much does it cost?"
"It's free"
"Ok, but who sets it up for us, what consultancy?"
"We can do it ourselves"
"But what if it goes wrong, who do we sue?"
"We don't."
"This sounds like pirate software to me, I'm not approving it. And if you suggest anything like this again, it'll be a written warning."
My personal response would be to reach for the D-ring and exit the plane stage right.
"Who do we sue if this goes wrong?" is that rere thing, an actually stupid question.
The RIGHT question is: "Will we be better off if we do this, or if we don't? Is this the best option, or is there a better one?"
Planning for whom to sue in case of failure is planning for failure.
Have on more than one occasion had to explain to people that using an open source software platform to store health research data does not mean making that data publicly available....
How successful have you been so far in getting this message through? Asking for a friend...
Another aspect of this is you have all these "Security Consultants"* that will tell management that "Open Source is a terrible security risk!" So they can sell the expensive kit they support and make big bucks on.
I've had to counter this with "How many eyes are on their code? Can we see their code? How motivated are they to publicize the fact their software has a security flaw?" "With open source there are 100's or even 1000's of people looking at the code, we can download the code and examine it ourselves, No ones ego or corporate reputation is resting on the quality of the code! There is no motivation to hide vulnerabilities until they are fixed."
It was harder to win this argument in the past but Open Source it is getting more an more acceptable.
*I don't mean to disparage all security consultants, there are some that are excellent! But there are others that are just fear mongering con-men!
Oh I've seen this by the bucket load.
4 successive failed audits. Each time the company pleaded and said they were working on resolving the issues (they were not). The funniest thing was one particular auditor I met on the first 2 audits joined the company some time after the last audit. I ran into him by chance, and he was complaining that, several years on, NONE of the recommendations he'd made had been implemented.
I just laughed. I reminded him of the times in the audit interviews where I commented that I had tried (unsuccessfully) to get the issues addressed (all documented, with meeting minutes) and been ignored.
As long as the entity paying for the auditors is the entity getting audited the audit is useless. I've seen this time and again.
I've also see that IT audits are performed by 20 something employees of large accounting consulting firms like Deloitte. They are absolutely clueless regarding IT security and only operate from a list of items given to them. Again, the audit is absolutely useless.
-> The latter is not uncommon because enterprise software is often priced to western standards, and users in less prosperous nations who find the cost prohibitive roll the dice on unsupported and/or out of date code.
This is completely true. Every time I read about x billion $ being lost due to 'software piracy', consider for a moment that if the cost of Adobe here in the UK is expensive, how much more expensive it is in, say, India. Adobe has no chance whatsoever of persuading a lot of people there to part with a huge amount of their income just to have the pleasures of Photoshop. So there is 'software piracy'.
Adobe has made more money "because" of pirated copies of PhotoShop then they have ever lost because of Piracy. All those college students that used a pirated copy of PhotoShop in college and then when they got a job insisted that they have PhotoShop so their employer purchased it!
I have no sympathy for Adobe, ever!
Creative Cloud is am expensive pile of stinking dung and I wish I could extricate it from our enterprise!
"Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application."
Really ???? Even in the 80s, this was unthinkable ! And it's not as they cost anything ! My 50 E 8 ports Netgear switch supports them !
What is more important is the absolute lack of any user security segmentation. I say this all the time, "Why do some people have the veritable 'Keys to the kingdom'?" No one person should have full access EVERY piece of data your organization has! NO ONE! Not even in IT.
Yes, I'm a Domain Admin, yes I have access to all the servers ad their data with that account but NO I do not use that account for my daily computer use. Also, I DO NOT have access to our financial data, not with ANY account!
You'd be surprised. Early 2000s I had a short contract job at a financial institution that had 700+ NT4 desktops on a flat network alongside the servers. With stacked hubs no less. After pointing this out as a "bad idea" many times I was basically told "We know, shut up!". Not exactly sure what they wanted me to do and why I was hired.
Would not have been surprised so that in the event that something bad happens, they can point to the previous contractor (you in this case) as the one who did not do anything about it / advice about it.
Hope you had everything in emails or some other paper trail in that instance so you can point to that in the event you are blamed.
> Bank had no firewall license, intrusion or phishing protection – guess the rest
They realised their mistake, paid their licence arrears, put in place a system to prevent recurrence, extensively audited their systems to ensure no intrusion had occurred, write a grovelling apology to their customers and by their quick corrective action managed to avoid being exploited?
Did I win?
"They realised their mistake, paid their licence arrears, put in place a system to prevent recurrence, extensively audited their systems to ensure no intrusion had occurred, write a grovelling apology to their customers and by their quick corrective action managed to avoid being exploited?"
Does Hell freeze over once a blue moon?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
