The great 45 million ATM heist, why it is not surprising.

Background
In case if you do not know, last week several arrest were made in New York city in connection to sophisticated cybercrime attack where cyber criminals made with $45 million in ATM withdrawal scam involving prepaid debit cards. The arrested thieves were small part of a well organized global ATM theft that involved more than 2000 ATM machines across 26 countries in a matter of 10 hours time. You can read the detail news about this here on New York Times website. This most sophisticated and biggest cyber theft in history has Indian connection to it, read about this here on our Times of India website.

I am not at all surprised with the incident as this has been waiting to happen someday. Here are few reasons behind why I believe this is not surprising:

  1. Today we see lot of core banking and financial domain software is developed by companies who are not at all following security practices or do not have any training of how hackers can operate. These critical applications are further not tested for any security loop holes. All the testing that takes place on such applications is about functionality testing, stress testing. No tester thinks or is trained to think of tests cases with a cybercriminal in mind. As such no security testing takes place.
  2. Due to stiff competition, squeezed deadlines developers of such critical software hardly follow any secure development life cycle. When designing systems for such software that handles financial transactions the design itself has to be such that even if one of the developer plans to hack the system it should be impossible. It needs implementing secure designing practices from the early stage of system design. This is hardly followed by software developing companies.
  3. The biggest mistake done when designing these systems is to underestimate the insider threat perspective. This leads to non-adequate measures or zero measures implemented against insider threats in the system.

I believe all the above three reasons has role to play in this recent biggest cyber theft in the history. For common man, no matter how much precaution one take while performing online transactions, things can still get stolen if server side things are not that secure. It is high time that government should set new security standards for developing such critical financial systems and make sure they are enforced.


Subscribe
Notify of
guest
11 Comments
Inline Feedbacks
View all comments
Skywalker
Skywalker
7 years ago

correction : That’s “New *York* Times” in the 5th line, 1st Para… 😛

Rengaswami
Rengaswami
7 years ago

These comments are made without basis. Most reliable core banking software companies of Indian Origin – infrasoft, infosys, iflex, etc undertake security features and security audit measures at all levels of software development and delivery process. It is one of those things that has happened and $45mln has been lost. Criminals always love to be one step ahead be it hacking or virus creation or stealing…Now that this has happened, systems will come in place to prevent and tackle this genre of fraud. The author I am sure has not done any homework to check which software these Banks used… Read more »

Bhupen
Bhupen
7 years ago

I get a warning SMS on my cell phone each time I withdraw cash. If I receive a random pincode (valid for 5 mins)then I can use that along with my fixed pincode. But the SMS has to more reliable in speed.

Zubair Alam
Zubair Alam
7 years ago

Is there any way to protect our-self if we are not that much technically sound? Though I have activate SMS alert and often change my PIN but even then it seems that it is not enough to secure our money.

Ajay Gupta
Ajay Gupta
7 years ago

We need to change our pin time to time after transaction

Tuhin Das
Tuhin Das
7 years ago

Is Online or ATM banking really safe?? If not, then how shall we prevent any attack in our accounts??

Soumya Patnaik
7 years ago
Reply to  Tuhin Das

Hi Tuhin,

Your query has been answered in this blog

Anindya
Anindya
7 years ago

Following points I consider as security hole for personal level transaction: 1. I purchased goods at a famous shop at Kolkata, yesterday. I used my ATM cum Debit card to pay. They swiped it, but did not asked me to provide my PIN. The transaction was processed successfully. I got SMS from my bank within 4 minutes. If my card be stolen, the thief can easily purchase. Is not my bank responsible for this easy purchase process? Will my bank give back to me the stolen money? 2. I need to provide my password (Verified by Visa or Mastercard secure… Read more »

11
0
Would love your thoughts, please comment.x
()
x