I decided to wait a little to see how the reporting of the $45 million bank heist progressed. It was big news for about a week and it has quickly faded into obscurity as other news has pushed it out of the public’s consciousness.
Just in case you blinked while this was going on, Alberto Yusi Lajud Pena was allegedly the leader of a gang of cyber criminals that stole $45 million from ATMs around the world. He was found dead in the Dominican Republic a while ago and many of the people involved in the caper have been caught or are being tracked down by law enforcement. Federal prosecutors in New York state have handed down indictments for over half a dozen people.
The effort involved prepaid debit cards and it appears that only 17 cards may have been involved in this mess. The trick was to generate the cards and then bypass the limits normal mortals face when using these cards at ATMs. The culprits had to compromise several systems, but not many.
To start with, they attacked a card processing company and changed the account balances for a batch of MasterCard debit cards from the National Bank of Ras Al-Khaimah, which is located in the United Arab Emirates. They also essentially eliminated the withdrawal limits on the cards. This is something that should have been limited at the ATM as well; because it was not, the hackers did not have to modify the ATMs, which would have been a much harder task.
This was not the first attack by the group. The subsequent attack, which resulted in the larger loss, was similar in execution but involved a dozen debit cards from another bank. There was also a larger group of co-conspirators operating across a larger geographic area.
A number of discussions have arisen about how to prevent these attacks in the future and what areas were really under attack, since details were initially few and banks were not interested in providing a lot of additional detail. Questions arose about everything from the security of the ATMs to that of the third parties involved in the creation and distribution of the debit cards.
This actually meshes well with an article I recently wrote on security (see Embedded Devices Gird Up Against Cyber Threats). I do not address financial attacks but I do take a look at legacy and consumer devices. One of the ideas floated in various discussions was the vulnerability of the ATMs and how that should be changed. The same idea arises for many legacy systems. Adding firewalls is one approach that works well, although one needs to consider the number of systems that might be involved in any kind of upgrade. That could be millions in the case of ATMs.
As it turns out, the ATMs were really not the problem although they were involved in delivering the cash to the crooks. Still, there are methods of attack that would compromise the ATMs so their protection should not be overlooked.
In general, features like secure boot and the use of more secure programming languages like Ada or static analysis tools for C or C++ applications need to be utilized on a much more regular basis by developers. A fixed limit on withdrawals from an ATM would have limited the problems of the debit card attack but only if it was difficult or impossible to change the limit.
Likewise, building monitoring tools into a system should be part of the initial design. They may not catch an attack immediately but they can help identify a set of attacks as part of a trend. Unfortunately, these tools can often deliver too much information, so that it is ignored instead of utilized. This is often what happens with diagnostic tools, from trace facilities to static analysis results. If the tools do not provide a way of refining or filtering the results, there is simply too much information left to process.
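The two points above, a withdrawal limit that an attacker cannot lift by tampering with the issuer's records, and monitoring that reports trends rather than a flood of individual events, can be shown in a small added example. This code is not from the article or from any bank or ATM vendor; the per-card limit, the window length, the trend thresholds and the withdrawal events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str
    atm: str
    city: str
    ts: datetime
    amount: int


# Hypothetical local limit: fixed in the acquirer-side code path and NOT taken
# from the issuer/processor response, so altering the account balance or the
# issuer-side limit (as happened in the attack) does not change it.
LOCAL_DAILY_LIMIT = 2000
WINDOW = timedelta(hours=24)

# Constructed sample stream: card C01 behaves normally; card C17 is drained
# across several ATMs in several cities within one hour.
T0 = datetime(2013, 2, 19, 3, 0)
EVENTS = [
    Withdrawal("C01", "A9", "Boston", T0, 200),
    Withdrawal("C01", "A9", "Boston", T0 + timedelta(hours=6), 200),
    Withdrawal("C17", "A1", "New York", T0, 800),
    Withdrawal("C17", "A2", "New York", T0 + timedelta(minutes=10), 800),
    Withdrawal("C17", "A3", "Tokyo", T0 + timedelta(minutes=20), 800),
    Withdrawal("C17", "A4", "Tokyo", T0 + timedelta(minutes=30), 800),
    Withdrawal("C17", "A5", "London", T0 + timedelta(minutes=40), 800),
    Withdrawal("C17", "A5", "London", T0 + timedelta(minutes=50), 800),
]


def enforce_local_limit(events):
    """Approve or decline each withdrawal against a rolling per-card total.

    Returns (approved, declined). Declined attempts are still passed through
    to monitoring by the caller, since the attempt itself is the signal.
    """
    spent = defaultdict(list)  # card -> [(ts, amount)] inside the window
    approved, declined = [], []
    for e in sorted(events, key=lambda w: w.ts):
        recent = [(t, a) for t, a in spent[e.card] if e.ts - t <= WINDOW]
        if sum(a for _, a in recent) + e.amount > LOCAL_DAILY_LIMIT:
            declined.append(e)
        else:
            spent[e.card] = recent + [(e.ts, e.amount)]
            approved.append(e)
    return approved, declined


def summarize_trend(events, min_atms=3, min_cities=2):
    """Aggregate attempts per card and report only cards whose activity spans
    at least min_atms distinct ATMs and min_cities distinct cities.

    Filtering at this stage is what keeps the report readable: one line per
    suspicious card instead of one alert per withdrawal.
    """
    per_card = defaultdict(lambda: {"atms": set(), "cities": set(), "total": 0})
    for e in events:
        s = per_card[e.card]
        s["atms"].add(e.atm)
        s["cities"].add(e.city)
        s["total"] += e.amount
    return {
        card: {"atms": len(s["atms"]), "cities": len(s["cities"]), "total": s["total"]}
        for card, s in per_card.items()
        if len(s["atms"]) >= min_atms and len(s["cities"]) >= min_cities
    }


if __name__ == "__main__":
    ok, bad = enforce_local_limit(EVENTS)
    print(f"approved={len(ok)} declined={len(bad)}")
    for card, summary in summarize_trend(EVENTS).items():
        print(f"trend: card {card} -> {summary}")
```

Two design choices matter here. The limit is enforced from a constant in the acquirer's own code rather than from anything the issuer sends back, which is the "difficult or impossible to change" property the article asks for. The trend report runs over every attempt, declined ones included, and only surfaces cards that cross both thresholds, so an analyst sees the pattern rather than thousands of individual events.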
Proper design and security tools may not eliminate the possibility of this type of attack in the future but they could make it much more difficult and less damaging in the long run. Hopefully security does not fade into obscurity.