Welcome, Guest: Register On Nairaland / LOGIN! / Trending / Recent / NewStats: 3,207,703 members, 8,000,000 topics. Date: Monday, 11 November 2024 at 06:30 PM |
Nairaland Forum / Science/Technology / Programming / How Security Compass 'stole' $14 Million From A Bank (2139 Views)
Hacker Stole $100,000 From Users Of California Based ISP Using SQL Injection / How Security Compass 'stole' $14 Million From A Bank (2) (3) (4)
(1) (Reply)
How Security Compass 'stole' $14 Million From A Bank by lifestyle1(m): 10:06am On May 16, 2013 |
In early 2010, Nish Bhalla sat down at his computer with one objective: steal a huge amount of money from a bank. It wasn't a typical heist. Bhalla is the chief executive of Security Compass, a company that tests security systems at banks, retailers, energy companies and other organizations with sensitive data. His clients -- including the bank branch in the United States that he targeted in his 2010 attack -- pay him to break into their systems. It can be easier than most people think. The alleged thieves who made headlines last week for their $45 million bank heist used a similar type of attack that "created" money out of nowhere. Bhalla talked CNNMoney through his caper. Here, in four easy steps, is how he made himself into a millionaire. Step one, get access. Bhalla had one big advantage on actual thieves: His client gave him access to the bank's internal network. For real-world crooks, there are some surprisingly easy ways to get in. It's possible, Bhalla said, to gain access in some places simply by logging on to the bank's wireless network -- an amenity more and more banks are providing as a service to customers. Once you're on the bank's Wi-Fi, the internal and external networks are frequently not segregated enough. It can be possible to fool the bank's other computers into thinking that your computer is a bank computer, a process known as "arp spoofing." Another on-ramp: Someone posing as a janitor could insert a thumb drive into a teller's system and reboot it using a new operating system, which would enable them to access the hard drive of the teller's system. From there, user names and passwords are often readable. Because he could simply log straight into his client's network, Bhalla and his assistants skipped the "get physical access" step and dove straight into finding the money. Step two, start exploring. Bhalla used "sniffer" software, available online for free, to map out which of the bank's systems were connected to each other. Then he "flooded" switches -- small boxes that direct data traffic -- to overwhelm the bank's internal network with data. That kind of attack turns the switch into a "hub" that broadcasts data out indiscriminately. The machines that the tellers use quickly became Bhalla's prime target. Again, the sniffer software was deployed to look for login information and passwords in the data flood. Eventually, one hit. He was inside a teller's machine. Step three, move up the ranks. Amazingly, the information being sent between the tellers' computers and the branch's main database was not encrypted. This meant passwords and bank account numbers were all out in the open. Step four, cash in. Rather than steal money from depositors' accounts, Bhalla just invented a new account for himself. "We went into the database where the accounts are and set up an account with $14 million," Bhalla explained. "We just created $14 million out of thin air." If he wanted to, he could have walked into any bank branch, transferred the money to an offshore account, and never have had to work again. Instead, he went to an ATM to print out a record of his ill-gotten wealth. "The bank executives were extremely surprised," Bhalla said. "Their faces were shocked." The bank promptly deleted Bhalla's bounty, he said, and took steps to shore up its network. In the heist that came to light last week, federal officials say the thieves hacked into networks at firms that process transactions for pre-paid debt cards and created accounts with high spending limits. From there, it was just a matter of making physical debt cards for those accounts and going around to ATMs to withdraw the cash. "They just updated the database with that debit-card information," Bhalla said. "That's how simple it was." In many cyber bank heists, including the recent $45 million scam, it's hard to pin down who is ultimately liable for any losses. It's typically not individual customers. U.S. law protects consumer checking and savings accounts from losses stemming from fraud. Business accounts, though, have fewer protections. Bhalla said some financial institutions have insurance to cover the losses -- but he noted that insurance companies are reluctant to issue policies with high coverage limits because the risks in this area area still poorly understood. In the end, he said the losses are likely born by a combination of the company, insurance firms and governments. source : http://finance.yahoo.com/news/security-compass-stole-14-million-100700004.html
|
Re: How Security Compass 'stole' $14 Million From A Bank by adebayosun02: 10:01am On Aug 25, 2013 |
life_style: This is great men, I wish to horn my intelligence to and beyond this level. Although am a beginner in to programming(VB.net) That is gr8 Bhalla |
(1) (Reply)
Free Content Curation Plugin / Civic Innovation Lab: A Tech Hub In Wuse 2, Abuja. / Oracle Or Cisco Or Java
(Go Up)
Sections: politics (1) business autos (1) jobs (1) career education (1) romance computers phones travel sports fashion health religion celebs tv-movies music-radio literature webmasters programming techmarket Links: (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved. See How To Advertise. 31 |