‘Too big to fail’—But the financial industry remains vulnerable. Just look at the ‘Carbanak attacks’ or the ‘Bangladesh SWIFT Hack’. A global financial meltdown due to hacker attacks is a realistic possibility: A poll taken at Black Hat 2016 indicates that 72% of security experts expect a ‘major issue’ to occur in the next 12 months. This post explains how cyber criminals launching a phishing attack could cause a global financial meltdown.
The Carbanak attacks and the Bangladesh Swift Hack: It is possible!
The Carbanak attacks targeted some 100 banks, capturing 8M USD on average from each, while the Bangladesh Swift Hack stole over 80M USD. Both prove one thing: Banks remain vulnerable. It should not be the case, but it remains a fact. Obvious weaknesses were and are still regularly exploited, with some experts even convinced that Carbanak remains active today. From this viewpoint, it is not surprising that a poll taken at Black Hat 2016 showed that two-thirds of the IT-security specialists surveyed expect a ‘major incident’ in the next 12 months.
Who gets attacked when cyber criminals want to strike the financial industry at its core?
Financial Market Infrastructures (FMIs) are the main targets. These are the banks and organizations that money flows through, including clearing banks, payment systems, SWIFT departments, and so on. Once hacked, FMIs unwittingly give gangsters the ability to manipulate an account’s balance upwards and remit the difference without altering the initial balance—the account owner’s balance remains the same.
Who attacks, and why?
Three (outside) attacker types are the most obvious: (1) Criminal groups who want to steal money, (2) state hackers who seek to manipulate economic and power politics, and (3) activist groups who act for supposedly ethical or idealistic reasons.
Financial meltdown: How does the collapse of the financial system work?
There are 10 steps that could lead to the fall of the financial industry. The entire process would unfold over the course of months, and it would all start with social engineering.
- Beginning with a phishing attack or other social engineering trick (SMiShing, USB Trojans, etc.), gangsters gain access to a banking network and infiltrate it using malware. This malware then spreads ‘laterally’, i.e. the infection moves quickly from workstation to workstation.
- Exploration. The malicious software spies on the network and the way people work on it. User screens are recorded over months, as are keystrokes. Gradually, attackers learn which transactions must be executed to manipulate accounts and transfer funds.
- Attack. The attack is carried out. The attacker, e.g., raises the beginning balance of account X from $2,000 to $20,000, then transfers the difference of $18,000 to a third location. Another example would be attacking an ATM, causing it to spit out oodles of money (ATM jackpotting). From the attacker’s point of view, an attack is ideally one of many that happen simultaneously, affecting many accounts at many banks. The Carbanak gang mastered this procedure by making cash withdrawals that were only big enough that the affected banks did not have to report irregularities and could continue to make their daily closings. Here is where the attack actually ends.
- Recognition. The targeted banks note the irregularities because account balances are not increasing or decreasing as they should be. The central FMI banks also note the irregularities through their regular monitoring. But since neither side is communicating with the other, nobody knows how much money is missing or at which bank the initial break-in occurred.
- Unclosed bank accounts and/or incorrect account balances bring the flow of money to a standstill. Now the meltdown begins to move fast. Because the banks no longer trust their numbers, they may not be able to close their books or know exactly what their customers’ balances are. Therefore, banks become reluctant to wire customer transactions. The flow of money stops.
- Trade comes to a halt. Without a reliable payment infrastructure, companies and businesses can no longer function properly. Supply chains come to a standstill and trading begins to sputter.
- Panic and mass withdrawals. The financial meltdown begins: Now everyone realizes that something is wrong. Many account holders immediately try to withdraw their money.
- The first banks collapse. The outflow of funds (customers’ savings) leads to liquidity shortages and the banks ‘collapse’. Central banks normally help in such situations by providing banks with liquidity. But since no one knows exactly why something is wrong, and because many banks are affected at the same time, it becomes doubtful that central banks will be able to save the situation at all.
- The recovery from backups fails. Since it is unknown exactly when the attack and the tampering began, there is an increased likelihood that the restored backups are already corrupted too. A rapid recovery of business activity and orderly banking operations is suddenly no longer possible.
- The ‘doomsday of the financial system’: weeks of bank holidays and a lack of public confidence. The financial institutions have no other option than to shut their systems down and proclaim a bank holiday. The industry’s envisaged “recovery time” of 2 hours degenerates into a farce. The financial meltdown and the unavailability of banking lead directly to corresponding damage to the global economy. The long-term damage is even worse: The world’s confidence in the financial system has effectively been destroyed. In addition to the lengthy amount of work needed to find out what actually happened, it takes even longer to rebuild and restore public confidence, if such a thing is even possible any longer. It’s easy to imagine that such an incident could force the economy into a global recession and that market participants could walk away from the traditional financial institutions and turn to alternative clearing and payment systems.
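The balance manipulation in the ‘Attack’ step and the ‘Recognition’ step above come down to one invariant a bank can check for itself: the stored closing balance of every account must equal its opening balance plus the booked journal entries. The following is an added example (not code from the original post or from LUCY) that replays a constructed journal for the $2,000 → $20,000 → $18,000 case; account names, references and amounts are all constructed.

```python
"""Ledger replay check for the balance-manipulation scenario above.

Constructed case: account X opens at $2,000.00. The attacker edits the
stored balance to $20,000.00 directly (no journal entry), then sends
$18,000.00 out through the normal transfer path, which IS journalled.
The stored closing balance is back at $2,000.00, so a glance at the
balance reveals nothing. Replaying the journal exposes the $18,000.00
that no booked transaction ever credited.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    account: str
    amount_cents: int   # positive = credit to the account, negative = debit
    ref: str            # constructed transaction reference


def replay(opening_cents: Dict[str, int], journal: List[Entry]) -> Dict[str, int]:
    """Closing balances implied by the opening balances plus booked entries only."""
    balances = dict(opening_cents)
    for e in journal:
        balances[e.account] = balances.get(e.account, 0) + e.amount_cents
    return balances


def find_unexplained(opening_cents: Dict[str, int], journal: List[Entry],
                     stored_closing_cents: Dict[str, int]) -> Dict[str, int]:
    """Accounts whose stored balance disagrees with the journal replay.

    Value is (stored - replayed): money that appeared or vanished without a
    booked transaction. This is an invariant, not a threshold, so it fires
    no matter how small the withdrawals were kept (cf. the Carbanak tactic)."""
    replayed = replay(opening_cents, journal)
    return {acct: stored - replayed.get(acct, 0)
            for acct, stored in stored_closing_cents.items()
            if stored != replayed.get(acct, 0)}


# Constructed sample data, amounts in cents.
OPENING = {"X": 200_000, "Y": 50_000}
JOURNAL = [
    Entry("X", -1_800_000, "TX-0001"),   # the $18,000 outbound transfer (booked)
    Entry("Y", 12_500, "TX-0002"),       # an ordinary legitimate credit
]
# Database at close: X was tampered to 2,000,000 before TX-0001 drained 1,800,000.
STORED_CLOSING = {"X": 200_000, "Y": 62_500}


def demo() -> Dict[str, int]:
    return find_unexplained(OPENING, JOURNAL, STORED_CLOSING)   # → {'X': 1800000}
```

Running the same check on the FMI side against its own settlement records, and comparing the two results, is what the ‘Recognition’ step says does not happen today.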
Conclusion: phishing or social engineering are almost always the catalysts
This bleak scenario is not so far-fetched. For us it is clear that if such a scenario unfolded, a successful phishing attack would be the catalyst. Through phishing or other social engineering techniques, attackers gain access to the networks and computer infrastructures of financial institutions. Once attackers gain access, they inject malware and the APT begins. And our twenty years of penetration-testing experience has shown that social engineering, along with malware, always leads to a successful infection.
Use LUCY Server to prevent successful phishing attacks
By using LUCY you increase employee awareness of cyber attacks and social engineering. Our people-testing and technology-assessment server can be installed on premise or used in the cloud. The solution allows users to perform DIY
- Phishing / SMiShing / Bad-USB simulations
- Malware simulations
- Ransomware simulations
- SIEM stress tests
- IT-security awareness education and training
A free community edition is available. We already have more than 2400 active installations. Just visit http://www.lucysecurity.com to learn more. LUCY Security – Increase IT Security, maintain Cybersecurity Awareness and prevent the financial meltdown!
- IT-Security experts are expecting a major issue next year
- Carbanak steals more than 1 Bn
- Carbanak: 8M USD on average
- Bangladesh Hack
- Bangladesh Swift Bank Hack
- Carbanak is still active
- Policy: Two-hour recovery time
- What is an APT?
- Phishing and Malware are always working together! – LUCY Manifesto
LUCY has received an incredible amount of press coverage in a variety of different publications. Thanks so much! We didn’t expect to receive so much wonderful attention in 2015.
- German: http://www.heise.de/security/artikel/Lucy-Phish-yourself-2548676.html
*Updated JUN-27-2016 to reflect additional press coverage