The great $45 million ATM heist: why it is not surprising

Background
In case you do not know, last week several arrests were made in New York City in connection with a sophisticated cybercrime attack in which cyber criminals made off with $45 million in an ATM withdrawal scam involving prepaid debit cards. The arrested thieves were a small part of a well-organized global ATM theft that involved more than 2000 ATM machines across 26 countries in a matter of 10 hours. You can read the detailed news about this here on the New York Times website. This most sophisticated and biggest cyber theft in history has an Indian connection to it; read about this here on our Times of India website.

I am not at all surprised by the incident, as this has been waiting to happen someday. Here are a few reasons why I believe this is not surprising:

  1. Today we see that a lot of core banking and financial domain software is developed by companies that do not follow security practices at all or do not have any training in how hackers operate. These critical applications are, further, not tested for any security loopholes. All the testing that takes place on such applications is functionality testing and stress testing. No tester thinks, or is trained to think, of test cases with a cybercriminal in mind. As such, no security testing takes place.
  2. Due to stiff competition and squeezed deadlines, developers of such critical software hardly follow any secure development life cycle. When designing systems for software that handles financial transactions, the design itself has to be such that even if one of the developers plans to hack the system, it should be impossible. This requires implementing secure design practices from the early stages of system design. This is hardly followed by software development companies.
  3. The biggest mistake made when designing these systems is to underestimate the insider threat perspective. This leads to inadequate measures, or no measures at all, being implemented against insider threats in the system.

I believe all three of the above reasons have a role to play in this recent cyber theft, the biggest in history. For the common man, no matter how many precautions one takes while performing online transactions, things can still get stolen if things on the server side are not secure. It is high time that the government set new security standards for developing such critical financial systems and made sure they are enforced.

Sanjay Katkar


11 Comments


  1. Skywalker, May 13, 2013 at 8:55 PM

    correction : That’s “New *York* Times” in the 5th line, 1st Para… 😛

    Reply
  2. Rengaswami, May 14, 2013 at 12:10 AM

    These comments are made without basis. Most reliable core banking software companies of Indian origin – infrasoft, infosys, iflex, etc. undertake security features and security audit measures at all levels of the software development and delivery process.
    It is one of those things that has happened and $45mln has been lost. Criminals always love to be one step ahead, be it hacking or virus creation or stealing… Now that this has happened, systems will come in place to prevent and tackle this genre of fraud. The author, I am sure, has not done any homework to check which software these banks used for the card processing, etc. The author has typed general gibberish, which has the potential to harm Indian software companies.

    Reply
    • I would like to clarify two things here.
      1. The comments are not without basis but based on the conclusions of the analysis of previous cyber heists.
      2. My views are not country-specific but are in general for most of the software industry, as much software misses the angle of third-party security testing by security experts.

      The secure product development lifecycle is followed in an old-fashioned way or is even missing sometimes at the application development level; the security practices that are followed now need to be updated with respect to current cyber criminal activities. Even big MNCs like Microsoft have learnt it the hard way, where they changed the way they develop from Windows Vista onwards, where they started to follow SDL. (Know more)

      Reply
  3. I get a warning SMS on my cell phone each time I withdraw cash. If I receive a random pincode (valid for 5 mins) then I can use that along with my fixed pincode. But the SMS has to be more reliable in speed.

    Reply
  4. Zubair Alam, May 14, 2013 at 11:56 AM

    Is there any way to protect ourselves if we are not that technically sound? Though I have activated SMS alerts and often change my PIN, even then it seems that it is not enough to secure our money.

    Reply
  5. Ajay Gupta, May 14, 2013 at 1:44 PM

    We need to change our PIN from time to time after a transaction.

    Reply
  6. Tuhin Das, May 15, 2013 at 7:37 PM

    Is online or ATM banking really safe? If not, then how shall we prevent any attack on our accounts?

    Reply
  7. I consider the following points to be security holes for personal-level transactions:

    1. I purchased goods at a famous shop in Kolkata yesterday. I used my ATM-cum-debit card to pay. They swiped it, but did not ask me to provide my PIN. The transaction was processed successfully. I got an SMS from my bank within 4 minutes.

    If my card is stolen, the thief can easily make purchases. Is my bank not responsible for this easy purchase process? Will my bank give the stolen money back to me?

    2. I need to provide my password (Verified by Visa or Mastercard secure code) to purchase from Indian websites. But I don't need the password for purchases from websites outside India, even for purchases in US$.

    Please suggest security prevention.

    Sorry for my poor English.

    Reply