If you think your money is safe after hackers recently stole US$1 billion from banks by directly targeting them, think again.
It was no Robin Hood banditry that spared innocent account holders.
In fact, security experts say consumers should keep a close eye on their bank accounts as epic raids such as this are becoming common, according to the Associated Press.
“Customers are still at risk,” said Sergey Golovanov, a researcher at the Russian cybersecurity firm Kaspersky Lab, which released the report about the massive looting.
“Criminals had access to all banking infrastructure, so they were able to get any data about customers.”
Doug Johnson, senior vice president at the American Bankers Association, said there’s no evidence that any United States bank has been a victim of this particular breach.
Still, the report found that some of the proceeds were deposited with banks in China and the US.
The hackers detailed in the report, which was presented at a security conference in Cancun, Mexico, are the latest twist on data breaches that have struck not just banks but the health insurer Anthem and major retailers such as Target and Home Depot.
Experts say there are simple protections that consumers can take, AP reported.
Most American bank customers are insured against theft by the Federal Deposit Insurance Corp. The insurance applies to any sum up to US$250,000 in a checking account, a savings account or a certificate of deposit at a US bank.
Still, more people have become vigilant about monitoring their transactions and responding to alerts from their banks if a charge or withdrawal appears to be suspicious.
“We all look at our bank statements a hell of a lot more carefully than 20 years ago,” said John Gunn, vice president of communications at VASCO Data Security, which provides authentication software for financial institutions.
There are other simple steps that individuals can take to guard their financial data, said Stu Sjouwerman, founder of the data security firm KnowBe4.
Even if it appears to be from their bank, people should never open e-mail attachments that they didn’t request. Nor should they click on links inside e-mails, but instead type the name of their bank into the Web browser address bar.
And they should only provide a Social Security number or account information over the phone on calls that they initiated.
“Those are the normal things you would recommend consumers to use,” Sjouwerman said.
The hacker gang accessed computers by having bank employees click on e-mail attachments.
The hackers relied on a technique known as “spear phishing” in which they sent e-mails from a fake account that looked familiar to the bank workers.
Those e-mails infected the computers with a form of malware called Carbanak and gave the gang entry into the internal network, allowing them to mimic the actions of workers responsible for the cash transfer systems.
In a plan that smacked of a Hollywood thriller, the hackers then lurked unseen in the systems of more than 100 banks in 30 countries, according to the Kaspersky Lab report.
Working in stealth for months, the group would learn how each bank operated and use that knowledge to steal up to about US$10 million in each raid, a sum just small enough to go nearly undetected in the daily shuffle of money.
Their intended targets were primarily in Russia, followed by the US, Germany, China and Ukraine, Kaspersky says.
One bank lost US$7.3 million when its ATMs were programmed to spew cash at certain times that henchmen would then collect, while a separate firm had US$10 million taken via its online platform. The attacks remain active after about two years of thefts.