A year ago, a prominent hacker group Carbanak became famous for being the first to break into the banking system with the help of the methods previously used only by hackers engaged in cyber espionage for the governments of different countries.
Carbanak adapted these techniques to attack financial institutions (in most cases banks). And the security systems of these institutions succumbed under the pressure of new hacking techniques.
An important feature of Carbanak attacks is the use of legal software. This minimizes the risk of attack detection by antivirus programs. Besides, it saves time on the development of special hacking software. Carbanak hackers robbed hundreds of financial institutions in 30 countries around the world. They stole millions of dollars.
Such strong authentication tools as one-time passwords and PIN-codes, which are used to protect the money and data from being stolen, failed to stop the fraudsters. Hackers used a direct access to the bank systems which make money transactions. And thus, they had no need in OTP passwords.
This example was contagious. And not so long ago, two other similar groups have showed up – GCMAN and Metel. Their attacks in the majority of cases aimed at Russian financial institutions.
In both cases, the hacking attacks started with the targeted phishing emails deliveries. The phishing emails contained RAR-archives, which penetrated the banking systems after being opened. When the hackers took control over the processing systems of the banks, the further action scenario of the groups was different.
In the case of Metel, the main trick was to cancel the transaction after withdrawing cash at ATMs. Thus, the balance on the debit cards of the victims did not change. They discovered the loss of money only when hackers have already curtailed their activities. One these operations gave an opportunity to steal several million rubles.
GCMAN worked in a different manner. They used cron for their attacks. Cron software is legal and allows starting the user programs in Unix OS at a specified time. Thus, the hackers used the cron-script to continually withdraw $200 from infected users’ bank accounts. $200 is the limit for anonymous transactions in Russian banks. Later, the hackers transferred money to the encrypted accounts of ‘money mules’. These are the people hired specially for cashing the stolen money.
If hackers can overcome such strong bank security systems in such a deft manner, is there any way to stop them? Of course, the cyber-security services can strengthen the security of the servers and databases. They can use the newest software and hardware equipment. But, the experience has proven that these are only temporary measures. As the saying goes “It is easier to pull down than to build.” Sooner or later the hackers will find a way to bypass the most sophisticated technical barriers. Thus, these methods are not enough for reliable protection.
Let’s think, how does any hack begin? The fraudsters need to get access to only one computer of an aimed company. And it is quite impossible to do this without a human interference. An employee installs a file, follows a link and opens an attachment with the spyware. Thus, teaching the employees the information security rules is one of the most important data protection measures. It can prevent you or your employees from swallowing the cyber fraudsters’ bait.
And since people are still imperfect and prone to make mistakes – because of fatigue, carelessness, forgetfulness – user data protection with the dual authentication means must be at every workplace. And it is better to use two-factor authentication not only when logging into the account. Use it before any important activity.
Today, 2-factor authentication is the most proven means to confirm the user’s identity. Using the OTP tokens with CWYS function will significantly enhance the account protection. After all, these tokens are not connected to any network. During the OTP password generation, they take into account the characteristic parameters of each transaction or operation and thus make the interception of these one-time passwords useless for cyber criminals.
You should remember that the data protection, as well as any big deal, is made up of little things, each of which is important. Thus, only using a whole complex of protective measures is the best way to leave those hunting for other people’s money and secrets with nothing.