Abstract
In recent years, financial crimes and large-scale heists involving the banking sector have significantly increased. Banks and financial institutions form the economic and commercial backbone of a country. An essential function of banks is the transfer of funds domestically or internationally. Most banks today transfer money by using electronic fund transfer systems such as the Automated Clearing House (ACH) or messaging systems such as SWIFT, FedWire, Ripple, etc. However, vulnerabilities in the use of such systems expose banks to digital heists. For example, the 2016 heist in the central bank of Bangladesh used the SWIFT network to send fake messages. It almost resulted in the theft of nearly $1 billion, which is one-sixth of the total foreign currency reserve of Bangladesh. Similar attacks have happened in many other countries as well. In this paper, we discuss multiple such incidents. From those incidents, we systematically analyze two events – the Bangladesh Bank heist and the DNS takeover of Brazilian banks – to understand the nature and characteristics of such attacks. Through our analysis, we identify common and critical security flaws in the current banking and messaging infrastructures and develop the desired security properties of an electronic funds transfer system.
Acknowledgements
This research was supported by the National Science Foundation through awards DGE-1723768, ACI-1642078, and CNS-1351038.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Karim, Y., Hasan, R. (2021). Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer. In: Choo, KK.R., Morris, T., Peterson, G.L., Imsand, E. (eds) National Cyber Summit (NCS) Research Track 2020. NCS 2020. Advances in Intelligent Systems and Computing, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-58703-1_12
DOI: https://doi.org/10.1007/978-3-030-58703-1_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58702-4
Online ISBN: 978-3-030-58703-1
eBook Packages: Intelligent Technologies and Robotics (R0)