How To Hack A Bank David H. Freedman, 04.03.00
THE FINER POINTS
[1] Of eight respected computer security experts consulted for this article, all agreed that hacking into a bank was doable, and most insisted it wouldn't be all that hard. "If I were going into e-crime, I'd hit a bank," says Jon David, a security guru who has worked in the field for 30 years. Why haven't banks been hacked, then? Oh, but they have--big time. In 1994, a 24-year-old programmer in St. Petersburg, Russia, named Vladimir Levin hacked Citibank for $10 million. He was later caught, extradited to the United States and is serving a three-year sentence. (All but $400,000 of the money was recovered.) This sort of thing happens often but is hushed up, according to Michael Higgins, a former analyst with the Defense Intelligence Agency and now a financial computer security consultant who heads Para-Protect in Alexandria, Virginia. The federal government requires banks to report losses, but Higgins says banks avoid potentially bad publicity by reporting losses as accounting efficiency errors. "The losses are in the reports, but the FBI doesn't get them. They only get reports of alleged crimes," he says. "The reports aren't specific enough to identify losses that could have come from hacking." In the case of larger losses, bank managers simply disregard the law for fear that customers would flee if the truth were known, according to Bob Friel, a former Secret Service agent who now heads a computer forensics group at the Veterans Affairs Inspector General's office. During a stint as a security consultant to banks and other organizations, Friel was shocked to discover the magnitude of the hacker losses that banks were swallowing. He claims his sources in the financial industry report individual hits as large as $100 million. A half dozen banks contacted for this article declined to comment.
[2] Computer security insiders are usually careful to use the term cracker for someone who tries to gain unauthorized entry into a computer system, reserving hacker as a complimentary term for someone adept at programming. But we'll stick with the popular usage of hacker as an intruder.
[3] As with many high tech ventures in today's robust economy, finding good people will be our biggest challenge. Programmers with malicious or criminal bents tend not to be the exceptionally talented; most of those make pretty good money in legitimate jobs. If the bloom fades on the tech stock market, however, there could be a lot of high-living programmers who suddenly don't have jobs. In the meantime, we could use "false flag recruitment" techniques, convincing candidates that they would be serving a bank.
[4] Though our heist will be electronic, it would probably be close to impossible to pull it off without someone providing information from the inside. Levin had an inside partner on the Citibank job.
[5] Preferably we target a midsize bank that has moved aggressively into information technology and Internet banking, because competitive pressure from technology-savvy big banks has probably caused them to get in over their heads, opening up security gaps. Says Higgins: "Those banks are rushing into technology, and they don't comprehend it completely."
[6] According to Jim Settle, founder of the FBI's original computer crime squad and now CEO of security consultancy SST, a successful electronic bank heist should take about six months.
[7] To get our seed money, we can form a private syndicate of the sort that has cropped up to support computer credit card fraud operations in Russia. You'd think we'd be able to work with organized crime, but for now these people "are way behind the curve, for reasons nobody understands," says Settle. In any case, a syndicate or crime boss is going to want a near-guaranteed ROI. If we can't be convincing in that regard, and we lack even the tiniest shred of ethics or patriotism, we can always approach a hostile foreign government--Iraq, North Korea, Russia, and so forth--or even a terrorist organization. Saudi terrorist Usama bin Laden would probably be an eager backer, according to Kawika Daguio, a security expert who heads the bank-supported Financial Information Protection Association, because bin Laden has publicly declared his interest in disrupting U.S. financial institutions. Besides providing ready cash, these sorts of backers won't be on our case about ROI, says Daguio, because "the theft of money could trigger a crisis of confidence, and it doesn't have to be a huge amount."
[8] We should be able at least to match Levin's initial haul from Citibank, but we could expect to steal as much as $1 billion because of lax standards over the past few years, Friel says.
[9] Most midsize banks don't bother to do more than the most cursory of background checks of blue-collar employees and contractors.
[10] This is the opposite of what David Remnitz, CEO of New York information security consultancy IFsec, calls the "Catherine Zeta-Jones" approach--a big-bang, instant hack of the sort popularized by Hollywood and the New York Times that bears little resemblance to the sort of hacking that organizations really need to fear.
[11] Virtually all banks, and most midsize and large companies, have by now installed a combination of hardware and software firewalls that sit between the outside world and the main gateway to the internal network. Some firewalls are harder to defeat than others, but we won't really care because we won't want to go through the network's main gateway anyway. Hackers usually look for the digital equivalent of rickety back doors and unlocked or easily breakable windows. By the way, larger banks and other businesses sometimes spend as much as millions of dollars apiece on automated "intrusion detection" software. But Settle points out that his company is often hired by companies to try to break into their networks, and in 40 break-ins his team's incursion has been detected only once.
[12] We can narrow down the list of numbers to dial by looking at the bank's published phone numbers, and our inside people should be able to help, too. Some banks furnish publicly accessible Web domain-name registries with the phone numbers of their computer systems administrators; it's a good bet that there is a modem with a similar number.
[13] The less sophisticated large corporation has thousands of modem-equipped computers attached to the corporate network, notes Settle. One device often overlooked: multipurpose printer/fax machines, usually left in auto-answer mode to receive faxes but connected to the network for printing purposes.
[14] Online banking servers should be "air-gapped" from the bank's main network, meaning that no physical connection should exist between them, foiling hackers. But small and midsize banks rushing into online banking don't always take this basic precaution. Even better, some banks are placing their Internet-based services on servers run by outside Web site-hosting companies--servers that may be shared by other, far less security-intensive Web businesses. We could break into one of these other sites, take control of the server, and then jump into the bank's main network. This is an example of the "weakest-link" approach to hacking, notes Higgins.
[15] Cable companies that provide home Internet access treat entire neighborhoods like one local-area network, points out security expert David, so a hacker can often gain full access to a PC in one home through a PC in a nearby home or a neighborhood cable switch.
[16] As it turns out, obtaining or guessing root-access passwords isn't necessarily any harder than getting ordinary passwords. For one thing, sysadmins tend to suffer from simultaneous inferiority and superiority complexes, often leading them to favor irreverent, self-aggrandizing, and entirely predictable passwords such as "god" and "bigkahuna." Even better, servers are often shipped from the factory loaded with supposedly default "backdoor" passwords meant for use by vendor technicians; these are sometimes known to the hacker community.
[17] A Trojan horse is a class of program, freely available on the Internet, that serves a function useful to a hacker but is disguised to look exactly like one of Unix's or Windows' legitimate components.
[18] Does it seem hard to believe that computer security professionals haven't wised up to these tricks and tools and set up effective defenses? In fact, top security professionals, like the ones interviewed for this article, always make sure such safeguards are installed in systems they are charged with protecting. Fortunately for us, there are barely enough top-notch people in this field to serve large companies; smaller banks and other businesses have to make do with lesser lights. But even the most experienced pros admit that their safeguards can be rendered ineffective by the new security vulnerabilities constantly being identified by hackers and passed around--often well before the typical IT security professional learns of them. Part of the problem is that software vendors are loath to admit to and publicize weaknesses. Says David: "Hackers share vulnerabilities very quickly and efficiently. The vendors often deny that they even exist." There's no shortage of these vulnerabilities: A new security flaw in Windows NT alone is discovered by security professionals on average every three days, says Bruce Schneier, a well-known expert on data encryption and founder of computer security firm Counterpane Internet Security in San Jose, California. Higgins says 32 new flaws were uncovered in Windows NT just in December. No one, of course, knows how many additional flaws hackers are turning up. "Some of these types of flaws have been known for 30 years, and they still haven't been fixed," Schneier says.
[19] In the book At Large, Charles C. Mann and I describe how a learning-impaired teenager with few computer skills managed, among other sobering feats, to hack from Sun Microsystems a copy of the source code for Solaris--one of the most widely used Internet server software systems in the world.
[20] According to Friel, midsize banks tend to be overly dependent on consultants and rarely spend the necessary resources on developing their own subject-matter experts. In particular, the consultant feeding frenzy fueled by Y2K anxiety provided a perfect opportunity for outsiders to secretly compromise bank and other software.
[21] In 1998, an employee of Russia's largest savings bank was caught after having doctored the bank's software to siphon money into his account.
[22] If for some reason we have trouble enacting the swap, we might have more luck getting our hands on and modifying backup versions of the software, which, notes Schneier, are typically stored in less well-protected facilities. Then all we'll have to do is shut down the working version--the easiest kind of hack--forcing the bank to fire up the secretly modified version. This approach exploits the common vulnerability known as "default to insecure," as when a store can't get through to the network to verify your credit card and approves the purchase rather than lose business.
[23] Wire transfers are encrypted--that is, scrambled into unintelligible text--and it's not likely we'll break the encryption. Not that it's impossible. In fact, there is a long, rich history of supposedly impervious encryption schemes being broken. Just ask cell phone manufacturers, media companies whose works are distributed on DVD, and any company that has relied on the well-known DES encryption scheme--formerly the standard for banks and now considered crackable with an inexpensive, custom-built computer. Any bank with enough money to make it worth hitting currently employs the vastly more secure "Triple DES" scheme, which would require "alien technology" to break, according to Schneier. Fortunately, we don't need to break it. We might be able to find a bank employee's "pass phrase"--essentially a long password that unscrambles the information--on his or her PC, or lying around a desk. Even easier, we can hack the wire transfer information before it's encrypted.
[24] In England, for example, a teller discovered that change-of-address procedures for account holders were not audited by her bank--after all, what's so worrisome about a change of address?--so she simply changed the addresses of various account holders to that of her own when checks were due to be sent out, then changed them back. She operated this scam for 10 years before being caught.
[25] A recent particularly nasty example of nuisance hackware is "extended Trinu," a program that dispatches tens of thousands of "slave" programs throughout the Internet to hide out. When the hacker triggers the "master" program, it in turn sends out commands that activate all the slaves to start sending out streams of system-crippling bogus data via the Internet. "You can defend against 1 or 2 of these attacks," says David, "but not 10 or 20, let alone 10,000." By the way, one of the best-known denial-of-service attacks was carried out on a highly regarded national business magazine by a disgruntled former employee who remotely erased massive amounts of irrecoverable data on the magazine's servers.
[26] Stealing the money won't be the hard part; getting away with it will be. Schneier says Levin did a good job of hacking but was caught because of amateurish laundering. As Daguio points out, U.S. banks have a history of sparing no expense or effort to track down anyone who steals from them, going all the way back to the posses and bounties of the stagecoach era.
[27] According to Richard Cromwell, a former Goldman Sachs VP now with security consultancy IFsec, the end of the year is a particularly good time to pull the trigger because of the vast rivers of money moving through the holiday-shopping-fueled economy and the increase in staff absences.
[28] Friel estimates that a systems shutdown would cost a large business, such as eBay or Amazon.com, $1 million per hour in hard losses. "But the bad PR would cost 10 times that much," he adds.
[29] This is one example of a broader class of attack known as "spoofing," in which commands from an outside computer are disguised to make them look as if they are coming from another, friendlier computer.
[30] Eventually, each one of these banks will almost certainly report us to the authorities, under pressure from their own governments, which will be facing the threat of international sanctions. But if we push the money through enough of these banks, by the time the last bank is coerced, we'll long since have cashed out.
[31] The only risk of immediate physical apprehension will be borne by our insiders at the bank. Sad to say, they may have been expendable to begin with, especially if we obtained their services through extortion. But there is a good chance they will have been able to skip town ahead of the attack, too, having already provided all the needed information. Even if they are sitting right there, perhaps providing approval of the wire transfers, the final attack will be so buried in a sea of activity that it will probably be hours, if not a day or more, before the money is discovered missing--plenty of time to simply walk out and get to the airport.
[32] If--or, let's face it, when--a few banks are publicly cyberlooted, most might raise the security bar to the point where it simply doesn't make sense to go after them. At least not when there are so many other, far less well-protected businesses to pillage, offering expensive goods, engineering data, credit card numbers, payments for fictitious services, and more. Fortunately for us of the high tech criminal element, only a small percentage of companies make computer security a high priority, and there is little pressure from the marketplace on Microsoft, Sun Microsystems, and other major software vendors to stop turning out code that is rife with security flaws. So barring some sort of stunning wake-up call to corporate America, we should be able to keep on hacking profitably for years to come.
|