Daily Archives: May 23, 2016

Ecuador Bank Hacked — $12 Million Stolen in 3rd Attack on SWIFT System

Posted on May 23, 2016 | Leave a comment

Bank_Hack

Bangladesh is not the only bank that had become victim to the cyber heist. In fact, it appears to be just a part of the widespread cyber attack on global banking and financial sector by hackers who target the backbone of the world financial system, SWIFT.

Yes, the global banking messaging system that thousands of banks and companies around the world use to transfer Billions of dollars in transfers each day is under attack.

A third case involving SWIFT has emerged in which cyber criminals have stolen about $12 million from an Ecuadorian bank that contained numerous similarities of later attacks against Bangladesh’s central bank that lost $81 Million in the cyber heist.

The attack on Banco del Austro (BDA) in Ecuador occurred in January 2015 and, revealed via a lawsuit filed by BDA against Wells Fargo, a San Francisco-based bank on Jan. 28, Reuters reported.

Here’s how cyber criminals target banks:

  • Uses malware to circumvent local security systems of a bank.
  • Gains access to the SWIFT messaging network.
  • Sends fraudulent messages via SWIFT to initiate cash transfers from accounts at larger banks.

Over ten days, hackers used SWIFT credentials of a bank employee to modify transaction details for at least 12 transfers amounting to over $12 Million, which was transferred to accounts in Hong Kong, Dubai, New York and Los Angeles.

In the lawsuit, BDA holds Wells Fargo responsible for not spotting the fraudulent transactions and has demanded Wells Fargo to return the full amount that was stolen from the bank.

The lawsuit filed by BDA in a New York federal court described that the some of these attacks could have been prevented if banks would have shared more details about the attacks with the SWIFT organization.

Wells Fargo has also fired back and blamed BDA’s information security policies and procedures for the heist and noted that it “properly processed the wire instructions received via authenticated SWIFT messages,” according to court documents.

According to reports, the heist remained a secret for a long time and now disclosed when BDA decided to sue Wells Fargo that approved the fraudulent transfers.

SWIFT did not have any idea about the breach, as neither BDA nor Wells Fargo shared any detail about the attack.

“We were not aware,” SWIFT said in a statement. “We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us.”

It turns out that the security of SWIFT itself was not breached in the attack, but cyber criminals used advanced malware to steal credentials of bank’s employees and cover their tracks.

In February, $81 Million cyber heist at the Bangladesh central bank was carried out by hacking into SWIFT using a piece of malware that manipulated logs and erased the fraudulent transactions history, and even prevented printers from printing those transactions.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Malware

Tagged , ,

SEC: Cyber security is the biggest risk to the global financial system

Posted on May 23, 2016 | Leave a comment

Coding

WASHINGTON (Reuters) – Cyber security is the biggest risk facing the financial system, the chair of the U.S. Securities and Exchange Commission (SEC) said on Tuesday, in one of the frankest assessments yet of the threat to Wall Street from digital attacks.

Banks around the world have been rattled by a $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks.

The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced, SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C.

“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” she said.

“As we go out there now, we are pointing that out.”

White said SEC examiners were very pro-active about doing sweeps of broker-dealers and investment advisers to assess their defenses against a cyber attack.

“We can’t do enough in this sector,” she said.

Cyber security experts said her remarks represented the SEC’s strongest warning to date of the threat posed by hackers.

A former member of the World Bank’s security team, Tom Kellermann, who is now chief executive of the investment firm Strategic Cyber Ventures LLC, called it “a historic recognition of the systemic risk facing Wall Street.”

BROKEN WINDOWS

Under White, a former federal prosecutor, the SEC introduced an initiative called “broken windows” designed to crack down on small violations of SEC rules to deter traders and others from larger transgressions.

But critics have questioned whether the initiative, similar to one used by former New York City Mayor Rudy Giuliani in his crackdown on crime in the city, is an effective use of the agency’s limited resources.

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho September 29, 2011. REUTERS/Jim UrquhartREUTERS/Jim UrquhartAn analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho September 29, 2011. REUTERS/Jim Urquhart

The policy has been applied to instances of “rampant non-compliance” involving serious, significant rules, White said, noting that she considers the initiative a huge success.

For example, the SEC brought three groups of cases in a key area, the prohibition against short selling ahead of an IPO by individuals who then participated in the IPO, since 2013, she said. Each year, there have been fewer cases, with the most recent number at around 12, White said.

GAAP VS. NON-GAAP

Also on Tuesday, the SEC released guidance about how certain accounting practices could potentially mislead investors that White called “consequential.”

Companies are increasingly using non-Generally Accepted Accounting Principles, or non-GAAP, to report earnings, permitting them to back out certain expenses from earnings figures, such as non-cash costs. But critics say the practice can also mislead investors by creating a rosier picture of a company’s profits.

The SEC’s current rules allow companies to report with figures that do not comply with GAAP, as long as certain conditions are met and White said the guidance spells out those conditions, such as a requirement that “the GAAP measure has to be of equal or greater prominence than non-GAAP.”

Non-GAAP “is not supposed to supplant GAAP and obviously not obscure GAAP,” she said.

She declined to say if the SEC is considering enforcement actions against companies that might be misleading investors with non-GAAP, but noted the SEC would not hesitate to bring one if it uncovered an “actionable violation.”

For months now, the SEC has only had three commissioners, down from its full complement of five, and the U.S. Congress has stalled on confirming two nominees.

“We’re really functioning on all cylinders,” White said, ticking off a list of projects the commission has recently completed.

She added that, to comply with rules on meetings and disclosures, commissioners typically meet one-on-one.

“If there are only three of you, it’s shorter-circuited to some degree,” she said. “There are some advantages, too.”

 

Leave a comment

Posted in Cyber Security, Data Breach, Encryption, Hacking

Tagged ,