3 Devastating Cyber Attacks on Banks That Show How Vulnerable Our Money Is

When it comes to online banking, there’s no room for tolerating sloppy data security. You might not lose any sleep if your (hopefully unique) Adobe password is leaked and you may only experience a few minutes of rage if your Dota 2 game is DDoSed. But if your bank goes offline, better hope it’s only for a few minutes and that your money is safe.

These 3 Cyber Attacks on Banks Had Devastating Consequences

Whether we’re talking about large banks or scrappy new fintechs, any financial companies that do business online are vulnerable to security risks, just like anyone else. Here are three major incidents where online banks had their security compromised.

1. American Banks Targeted With Extended DDoS Campaign

Starting in early 2012, a wave of malicious traffic swept over several American banks, targeting banking web applications one at a time. The attacks affected Bank of America, Citigroup, Wells Fargo, Capital One, and HSBC, among others. Rather than targeting customer data or stealing money, the hackers used DDoS attacks to overwhelm online banking websites and prevent actual customers from accessing bank services.

A group called Izz ad-Din al-Qassam Cyber Fighters took credit for the attacks, dubbed Operation Ababil, claiming they were retribution for an anti-Islam video. But given the sophistication of the attacks, the US government suspects the group is just a front for the Iranian government, seeking its own retribution for American cyberwarfare attacks.

At the time, the campaign was the largest cyberattack in history (a record since surpassed many times). The attacks were carried out in three phases, the final one launching in March 2013. More than just a nuisance, a successful DDoS attack costs a bank an estimated $100,000 per hour. What’s worse is that any server, web application, or device, IoT devices included, that has been compromised by a botnet can be used to carry out such an attack.

[Image: Piles of USD. Caption: Terrorists acting on their own or state-sponsored warfare. Whoever they were, they weren’t after this stuff.]

2. South Korea’s Banking Industry Hit By Massive Coordinated Attack

On March 20, 2013, South Korean citizens were rattled by a far-reaching cyber blackout that froze computer terminals and paralyzed ATMs and mobile payments. At two banks, Windows and Linux computer systems were affected and entire hard drives were wiped. Others such as Woori Bank reported intrusion attempts but claimed they fended off the hackers. The attackers also managed to disrupt broadcasts of three major TV stations.

The South Korean government accused North Korean operatives of orchestrating this cyberwarfare campaign from China, to which the attackers’ IP address was traced. It is possible either that a North Korean cyberwarfare unit was active in China, or that they hired a China-based mercenary botnet that had already compromised South Korean targets.

This attack was carried out by a relatively unsophisticated malware program known as “DarkSeoul,” and could have been prevented had adequate cyber security measures been in place. The disruption to services and the deletion of data make it clear the attack was mainly intended to disrupt business and cause chaos. The total cost of the carnage, both through denial of service and data loss, was calculated at $725 million.

[Image: An old-time bank in the Wild West with a woman on horseback. Caption: This is what our banks will look like in the future if we don’t start taking cyber security seriously.]

3. Russian Hackers Pull Off World’s Biggest Bank Heist

A crime spree consisting of a diverse repertoire of well-planned attacks against as many as 100 banks across 30 countries has been attributed to a single cybercriminal gang. The group, dubbed Carbanak by Kaspersky Lab, is believed to consist of Russians, Ukrainians, and Chinese, with its targets located primarily in Russia, followed by the US, Germany, China, and Ukraine. The crime spree began in early 2014, peaked in June, and went unaddressed until February 2015.

The hackers used botnets to send out malware-infected e-mails to bank employees, a tactic called spearphishing, and were able to infiltrate many employee accounts. This allowed them to steal many different kinds of sensitive information, including customer data, secret keys used by ATMs to confirm PINs, bank video surveillance, and information on security systems and anti-fraud measures. They could also manipulate account balances and create fake accounts to move stolen money around. Each attack took around two to four months.

One bank was robbed of $7.3 million when the hackers reprogrammed its ATMs. Another bank’s online platform was accessed and the thieves made away with $10 million. Some of these attacks could have been prevented had employees only updated their Microsoft software. The thieves were able to make off with as much as $1 billion, and authorities have been unable to catch them.

[Image: A grave marker for bank robber John Dillinger, scattered with coins. Caption: No, Carbanak is not like your granddaddy’s bank robbers.]

These three incidents show hackers with varying motivations and means, using differing techniques to achieve their own goals. Whether the aim is disrupting service or stealing money, and whether it is cybercrime or cyberwarfare, these threats cannot go unaddressed. And rather than going after only the biggest banks, hackers are increasingly targeting smaller fintech startups with fewer resources and less experience with cyber security. We must cooperate to secure the Internet from these actions, or we’ll pay the price in the end.