Don`t Learn to HACK - Hack to LEARN.All about Ethical Hacking, Penetration Testing & Computer Security

Friday, July 20, 2012

How To Hack A Bank (Intro)




[1] Of eight respected computer security experts consulted for this article, all agreed that hacking into a bank was doable, and most insisted it wouldn't be all that hard. "If I were going into e-crime, I'd hit a bank," says Jon David, a security guru who has worked in the field for 30 years. Why haven't banks been hacked, then? Oh, but they have--big time. In 1994, a 24-year-old programmer in St. Petersburg, Russia, named Vladimir Levin hacked Citibank for $10 million. He was later caught, extradited to the United States and is serving a three-year sentence. (All but $400,000 of the money was recovered.) This sort of thing happens often but is hushed up, according to Michael Higgins, a former analyst with the Defense Intelligence Agency and now a financial computer security consultant who heads Para-Protect in Alexandria, Virginia. The federal government requires banks to report losses, but Higgins says banks avoid potentially bad publicity by reporting losses as accounting efficiency errors. "The losses are in the reports, but the FBI doesn't get them. They only get reports of alleged crimes," he says. "The reports aren't specific enough to identify losses that could have come from hacking." In the case of larger losses, bank managers simply disregard the law for fear that customers would flee if the truth were known, according to Bob Friel, a former Secret Service agent who now heads a computer forensics group at the Veterans Affairs Inspector General's office. During a stint as a security consultant to banks and other organizations, Friel was shocked to discover the magnitude of the hacker losses that banks were swallowing. He claims his sources in the financial industry report individual hits as large as $100 million. A half dozen banks contacted for this article declined to comment. 


[2] Computer security insiders are usually careful to use the term cracker for someone who tries to gain unauthorized entry into a computer system, reserving hacker as a complimentary term for someone adept at programming. But we'll stick with the popular usage of hacker as an intruder. 


[3] As with many high tech ventures in today's robust economy, finding good people will be our biggest challenge. Programmers with malicious or criminal bents tend not to be the exceptionally talented; most of those make pretty good money in legitimate jobs. If the bloom fades on the tech stock market, however, there could be a lot of high-living programmers who suddenly don't have jobs. In the meantime, we could use "false flag recruitment" techniques, convincing candidates that they would be serving a bank. 


[4] Though our heist will be electronic, it would probably be close to impossible to pull it off without someone providing information from the inside. Levin had an inside partner on the Citibank job. 


[5] Preferably we target a midsize bank that has moved aggressively into information technology and Internet banking, because competitive pressure from technology-savvy big banks has probably caused them to get in over their heads, opening up security gaps. Says Higgins: "Those banks are rushing into technology, and they don't comprehend it completely." 


[6] According to Jim Settle, founder of the FBI's original computer crime squad and now CEO of security consultancy SST, a successful electronic bank heist should take about six months. 


[7] To get our seed money, we can form a private syndicate of the sort that has cropped up to support computer credit card fraud operations in Russia. You'd think we'd be able to work with organized crime, but for now these people "are way behind the curve, for reasons nobody understands," says Settle. In any case, a syndicate or crime boss is going to want a near-guaranteed ROI. If we can't be convincing in that regard, and we lack even the tiniest shred of ethics or patriotism, we can always approach a hostile foreign government--Iraq, North Korea, Russia, and so forth--or even a terrorist organization. Saudi terrorist Usama bin Laden would probably be an eager backer, according to Kawika Daguio, a security expert who heads the bank-supported Financial Information Protection Association, because bin Laden has publicly declared his interest in disrupting U.S. financial institutions. Besides providing ready cash, these sorts of backers won't be on our case about ROI, says Daguio, because "the theft of money could trigger a crisis of confidence, and it doesn't have to be a huge amount." 


[8] We should be able at least to match Levin's initial haul from Citibank, but we could expect to steal as much as $1 billion because of lax standards over the past few years, Friel says. 


[9] Most midsize banks don't bother to do more than the most cursory of background checks of blue-collar employees and contractors. 


[10] This is the opposite of what David Remnitz, CEO of New York information security consultancy IFsec, calls the "Catherine Zeta-Jones" approach--a big-bang, instant hack of the sort popularized by Hollywood and the New York Times that bears little resemblance to the sort of hacking that organizations really need to fear. 


[11] Virtually all banks, and most midsize and large companies, have by now installed a combination of hardware and software firewalls that sit between the outside world and the main gateway to the internal network. Some firewalls are harder to defeat than others, but we won't really care because we won't want to go through the network's main gateway anyway. Hackers usually look for the digital equivalent of rickety back doors and unlocked or easily breakable windows. By the way, larger banks and other businesses sometimes spend as much as millions of dollars apiece on automated "intrusion detection" software. But Settle points out that his company is often hired by companies to try to break into their networks, and in 40 break-ins his team's incursion has been detected only once.