Skip to main content
SpringerLink
Log in

Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer

  • Conference paper
  • First Online:
Book cover National Cyber Summit (NCS) Research Track 2020 (NCS 2020)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 1271))

Included in the following conference series:

  • 417 Accesses

Abstract

In recent years, financial crimes and large scale heists involving the banking sector have significantly increased. Banks and Financial Institutions form the economic and commercial backbone of a country. An essential function of banks is the transfer of funds domestically or internationally. Most banks today transfer money by using electronic fund transfer systems such as the Automated Clearing House (ACH) or messaging systems such as SWIFT, FedWire, Ripple, etc. However, vulnerabilities in the use of such systems expose banks to digital heists. For example, the 2016 heist in the central bank of Bangladesh used the SWIFT network to send fake messages. It almost resulted in the theft of nearly $1 billion, which is one-sixth of the total foreign currency reserve of Bangladesh. Similar attacks have happened in many other countries as well. In this paper, we discussed multiple such incidents. From those incidents, we systematically analyze two such events – the Bangladesh Bank heist and the DNS takeover of Brazilian banks – to understand the nature and characteristics of such attacks. Through our analysis, we identify common and critical security flaws in the current banking and messaging infrastructures and develop the desired security properties of an electronic funds transfer system.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Ach Volume Grows. https://www.nacha.org/news/ach-volume-grows-56-percent-adding-13-billion-payments-2015-0

  2. Ach vs Wire vs Electronic Transfer? What is the difference?. https://moneyrep.iaacu.org/2014/05/ach-vs-wire-vs-electronic-transfer-what-is-the-difference/

  3. Citibank Credit Card Data Breach. https://www.thedailybeast.com/citi-credit-card-leak-nearly-twice-as-big

  4. Clearing House Interbank Payments System. https://en.wikipedia.org/wiki/Clearing_House_Interbank_Payments_System

  5. Cyber Security Cost of JPMorgan Chase. http://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#slide=5

  6. Fedwire Funds Services. https://www.federalreserve.gov/paymentsystems/fedfunds_about.htm

  7. Hacker Bugging the System of Bangladesh Bank. https://web.archive.org/web/20160312145208/http://www.asianews.network/content/hackers-bugged-bangladesh-bank-system-jan-11271

  8. How a Simple Typo Helped Stop a 1 Billion Dollar Digital Bank Heist - The Washington Post. https://goo.gl/Fm5NRa

  9. Paypal. https://en.wikipedia.org/wiki/PayPal

  10. RCBC had to Pay 1 Billion Filipino Dollar as Penalty. https://manilastandard.net/business/213132/rcbc-pays-half-of-p1-b-penalty.html

  11. Rupay Credit Card Data Breach. http://www.reuters.com/article/us-india-banks-fraud/security-breach-feared-in-up-to-3-25-million-indian-debit-cards-idUSKCN12K0CC?il=0

  12. Bangladesh Bank Heist (2015). https://en.wikipedia.org/wiki/Bangladesh_Bank_heist

  13. Brazilian Bank Hack (2015). https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/

  14. Ecuador Bank Heist (2015). http://www.reuters.com/article/us-wells-fargo-banco-del-austro-ruling-idUSKCN12J03J

  15. Fin-What is Swift (2015). https://fin.plaid.com/articles/what-is-swift

  16. Hetachi Heist (2015). https://timesofindia.indiatimes.com/business/india-business/hitachi-payment-accepts-malware-hit/articleshow/57071322.cms

  17. JP Morgan Bank Heist (2015). http://www.businessinsider.com/jpmorgan-hacked-bank-breach-2015-11

  18. Lyod Bank Hack (2015). http://www.theinquirer.net/inquirer/news/3003091/lloyds-bank-hack-ddos-attack-disrupts-banks-online-services

  19. Russian Bank DDoS Attack (2015). https://www.theregister.co.uk/2016/11/11/russian_banks_ddos/

  20. Tesco Bank Heist (2015). http://thehackernews.com/2016/11/tesco-bank-hack.html

  21. Ukraine Bank Swift Hack (2015). http://thehackernews.com/2016/06/ukrainian-bank-swift-hack.html

  22. US Bank DDoS Attack (2015). http://www.nytimes.com/2012/10/01/business/cyberattacks-on-6-american-banks-frustrate-customers.html

  23. Vietnam Bank Swift Hack (2015). http://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN

  24. Aburrous, M., Hossain, M.A., Dahal, K., Thabtah, F.: Experimental case studies for investigating e-banking phishing techniques and attack strategies. Cogn. Comput. 2(3), 242–253 (2010)

    Article  Google Scholar 

  25. Ahmad, M.K.A., Rosalim, R.V., Beng, L.Y., Fun, T.S.: Security issues on banking systems. Int. J. Comput. Sci. Inf. Technol. 1(4), 268–272 (2010)

    Google Scholar 

  26. Alazab, M., Venkatraman, S., Watters, P., Alazab, M., Alazab, A.: Cybercrime: the case of obfuscated malware. In: Global Security, Safety and Sustainability & e-Democracy, pp. 204–211. Springer (2012)

    Google Scholar 

  27. Chachra, N., Savage, S., Voelker, G.M.: Affiliate crookies: characterizing affiliate marketing abuse. In: Proceedings of the 2015 ACM Conference on Internet Measurement Conference, pp. 41–47. ACM (2015)

    Google Scholar 

  28. Claessens, J., Dem, V., De Cock, D., Preneel, B., Vandewalle, J.: On the security of today’s online banking systems. Comput. Secur. 21(3), 253–265 (2002)

    Article  Google Scholar 

  29. FBI: Bank Crime Statistics (2015). https://www.fbi.gov/investigate/violent-crime/bank-robbery/bank-crime-reports

  30. Holz, T., Engelberth, M., Freiling, F.: Learning more about the underground economy: a case-study of keyloggers and dropzones. Comput. Secur.-ESORICS 2009, 1–18 (2009)

    Google Scholar 

  31. Lee, J.H., Lim, W.G., Lim, J.I.: A study of the security of Internet banking and financial private information in South Korea. Math. Comput. Model. 58(1), 117–131 (2013)

    Article  Google Scholar 

  32. Li, W., Chen, H.: Identifying top sellers in underground economy using deep learning-based sentiment analysis. In: 2014 IEEE Joint Intelligence and Security Informatics Conference (JISIC), pp. 64–67. IEEE (2014)

    Google Scholar 

  33. Mannan, M., van Oorschot, P.C.: Security and usability: the gap in real-world online banking. In: Proceedings of the 2007 Workshop on New Security Paradigms, pp. 1–14. ACM (2008)

    Google Scholar 

  34. Motoyama, M., McCoy, D., Levchenko, K., Savage, S., Voelker, G.M.: An analysis of underground forums. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 71–80. ACM (2011)

    Google Scholar 

  35. Oro, D., Luna, J., Felguera, T., Vilanova, M., Serna, J.: Benchmarking IP blacklists for financial botnet detection. In: 2010 Sixth International Conference on Information Assurance and Security (IAS), pp. 62–67. IEEE (2010)

    Google Scholar 

  36. Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., Paxson, V., Savage, S., Voelker, G.M.: Characterizing large-scale click fraud in ZeroAccess. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 141–152. ACM (2014)

    Google Scholar 

  37. Riccardi, M., Oro, D., Luna, J., Cremonini, M., Vilanova, M.: A framework for financial botnet analysis. In: ECrime Researchers Summit (ECrime), 2010, pp. 1–7. IEEE (2010)

    Google Scholar 

  38. Tajalizadehkhoob, S., Gañán, C., Noroozian, A., Eeten, M.V.: The role of hosting providers in fighting command and control infrastructure of financial malware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 575–586. ACM (2017)

    Google Scholar 

  39. Tajalizadehkhoob, S., Asghari, H., Gañán, C., van Eeten, M.: Why them? Extracting intelligence about target selection from Zeus financial malware. In: WEIS (2014)

    Google Scholar 

  40. Financial Crimes Enforcement Network of Department of the Treasury (2015). https://www.fincen.gov/reports/sar-stats

  41. Yousafzai, S.Y., Pallister, J.G., Foxall, G.R.: A proposed model of e-trust for electronic banking. Technovation 23(11), 847–860 (2003)

    Article  Google Scholar 

  42. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 95–109. IEEE (2012)

    Google Scholar 

  43. Zhu, D.: Security control in inter-bank fund transfer. J. Electron. Commer. Res. 3(1), 15–22 (2002)

    Google Scholar 

Download references

Acknowledgements

This research was supported by the National Science Foundation through awards DGE-1723768, ACI-1642078, and CNS-1351038.

Author information

Authors and Affiliations

  1. Department of Computer Science, University of Alabama at Birmingham, Birmingham, AL, USA

    Yasser Karim & Ragib Hasan

Authors
  1. Yasser Karim
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ragib Hasan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Yasser Karim or Ragib Hasan .

Editor information

Editors and Affiliations

  1. Department of Information Systems, The University of Texas at San Antonio, San Antonio, TX, USA

    Kim-Kwang Raymond Choo

  2. University of Alabama in Huntsville, Huntsville, AL, USA

    Tommy Morris

  3. Air Force Institute of Technology, Wright-Patterson AFB, OH, USA

    Gilbert L. Peterson

  4. University of Alabama in Huntsville, Decatur, AL, USA

    Eric Imsand

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Karim, Y., Hasan, R. (2021). Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer. In: Choo, KK.R., Morris, T., Peterson, G.L., Imsand, E. (eds) National Cyber Summit (NCS) Research Track 2020. NCS 2020. Advances in Intelligent Systems and Computing, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-58703-1_12

Download citation

Publish with us

Policies and ethics

Search

Navigation