Banks using ‘P@ssw0rd’ for security are helping a new generation of teenage bank robbers


Digital disruption in the financial industry means we rarely go to the bank—and neither do robbers.

In Sweden, where the supply of banknotes continues to dwindle, old-school bank robbers have switched to endangered species wrangling and orchid thieving. But for the new generation of bank robbers—everyone from a teenager in their bedroom in Denmark, to international professional criminal networks—going digital has meant a single heist can bring in many, many times more than could ever have been stuffed into a duffle bag. These modern-day criminals don't need guns, balaclavas or getaway cars. In theory, they could be stealing a fortune while sitting at home in their underwear.

Governments working with – not against – criminals

There has been a massive spike in multimillion-dollar cyberattacks on financial institutions in recent years. One of the most successful bank hacking teams is known as Lazarus Group. The group is widely believed to have the backing of the North Korean government, and has been behind a range of high-profile attacks including the theft of US$81 million from Bangladesh’s central bank (they were aiming for a billion and got caught due to a spelling mistake, but $81 mil isn’t a bad consolation prize).

Highly sophisticated malware which was once only available to nation states is now increasingly also for sale to criminal buyers on the dark web. The lines between criminal and state-backed adversaries are themselves often blurry. For example, some senior leaders in Russian government cyber units allegedly allow criminal hackers to make use of state capabilities and infrastructure in return for a cut of the profits. The reality of potentially having to face down nation-state level attacks puts enormous pressure on cybersecurity teams working inside banks and financial institutions.

Given that attacks don’t respect country boundaries, national laws are often powerless when it comes to prosecuting international syndicates.

Elaborate, sophisticated attacks

The threat levels are only rising as digital technology becomes ever more crucial to the basic functioning of the financial system and banking moves from your desktop to your mobile (ApplePay) or your watch.

"The evolution of cybersecurity is extraordinary.  Many tools and techniques used 5 years ago are now redundant, and banks – in fact all businesses – are fighting an uphill battle to stay ahead of the cyber threats,” says Priya George, CEO of NIMIS Cybersecurity.

In May 2018, for example, Chile’s largest bank Banco de Chile came under what it initially thought was a malware attack. The attack caused a complete system failure across several of the bank’s branches. The bank told customers its computer systems had been affected by a virus.

As has since been revealed, however, the malware was just a diversion from the hackers’ real goal: an attack on Banco de Chile’s SWIFT systems. SWIFT is the interbank messaging system which allows banks all over the world to exchange payments, and thefts using the SWIFT network have become increasingly common since 2015. Whilst Banco de Chile’s cybersecurity team were distracted by the malware, the hackers successfully stole US$10 million.

Disturbingly simple but effective attacks  

A 2018 report by security solutions company Positive Technologies found major flaws in basic information security practices at banks it had worked for over the past three years.

"We detected insufficient security measures and, frequently, their complete absence when it comes to protecting service protocols," the researchers note.

“We increasingly come across default accounts (with predictable passwords) left by administrators after installing database management systems, web servers, or operating systems or creating corporate accounts. Very often, applications either have excessive privileges or contain known vulnerabilities. As a result, intruders have the opportunity to obtain administrative rights in just one or two steps. A quarter of banks used the password ‘P@ssw0rd’ as well as such common combinations as ‘Qwerty123,’ empty passwords, and default passwords.”


Australian authorities have acknowledged that it is likely only a matter of time before an Australian financial institution becomes victim to a serious attack.

“No APRA-regulated entity has experienced a material loss due to a cyber incident, but a significant breach is probably inevitable,” says Geoff Summerhayes, Executive Board Member of the Australian Prudential Regulation Authority. APRA is currently holding consultations on a draft prudential regulation on information security due to come into force in July 2019.

Digital technology brings new opportunities for financial institutions and consumers alike, but it also creates new ways for criminals to exploit the system. As the rapidly evolving cat and mouse game between criminals and defenders becomes ever more high tech, however, one truth remains constant – wherever there is money, you’ll find someone trying to steal it.

Elise Thomas is a freelance contributor to The Feed.