Back in the good old days, robbers had to show up at banks, guns drawn, to make illicit withdrawals. Good thing that security cameras were in place to catch the bad guys.
But now—in an ironic, 21-Century feat of high-tech swindling—fraudsters can use those same cameras to access millions and millions of dollars, and escape without so much as a single second of video to identify them.
So don’t bet on them getting caught in broad daylight, and especially not bulb light: Criminals can crack your security through something as innocuous as a lightbulb. In fact, any device hooked up via the interconnected world known as the Internet of Things (IoT) is vulnerable.
How are high-tech fraud perpetrators getting in? Here we reexamine two prominent cases that criminals are no doubt studying closely—perhaps even more so than authorities—along with common-sense preventative measures.
An optical illusion: The mirage of Mirai
A massive attack last October on the Dyn company, which took out social media websites such as Twitter, should serve as a major warning to banks, says Florida cybersecurity expert Stu Sjouwerman, CEO of KnowBe4 Inc. Cyberthugs used compromised security cameras at the internet performance management firm to insert a computer virus called Mirai that kept picking security locks until it found its way inside Dyn’s system.
“There are definitely risks here,” Sjouwerman says. “Any IoT device with insufficient default security built in—and very few have it—is a cyberheist waiting to happen.”
How does the Mirai botnet do its dirty work, exactly? According to the Krebs on Security website, “Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
Vulnerability across the board is potentially massive, says Phil DuMas, who owns CTO Bell Curve Technology and serves as director of research and curriculum development for the non-profit National Cyber Partnership.
“If the bad guys start building combinations of attacks based on compromised devices within a network it will be very, very difficult to stop them short of completely pulling the plug,” says DuMas.
He cites this example: “How about if your camera started capturing login credentials and reported them to somewhere in China? If I were a bad guy that could get hold of an IP Camera, I would use it to watch the login screen or keyboard of the admin logging into the servers, or the CFO at his console, and steal a company blind.”
Yet Dyn went beyond the expected mea culpa to highlight a greater good in a blog about what it calls a “complex and sophisticated attack.”
“The attack opened up an important conversation about internet security and volatility,” wrote Scott Hilton, Dyn’s EVP of Product. “It has also sparked further dialogue in the internet infrastructure community about the future of the internet.”
Indeed, the time for that conversation is now.
“It did not take millions or billions of interconnected IoT devices to bring this company to its knees,” says DuMas. “It was 150,000. Over the next five years it is projected that five billion new IoT devices will be added—and if they are compromised at a rate of even 10 percent, the internet as we know it is in real trouble.”
Router roulette: Parlaying a $40 bet into $80 million
The costliest example of bank vulnerability took place just about a year ago. In February 2016, cyber criminals entered the Central Bank of Bangladesh and tried to make fraudulent transfers of $951 million from its account at the Federal Reserve Bank of New York. The cold comfort was that they didn’t get nearly that far, as most of the payments were blocked.
Still, more than $80 million was taken. Some of the money, $4.6 million, was routed to a casino junket operator in the Philippines, Kim Sin Wong, who has denied any wrongdoing. Meanwhile, most of the remaining stolen funds have not been recovered. How did the hackers get in?
You don’t need thousands of dollars in dynamite to blow up a safe when you can do the digital equivalent of prying open cheap, second-hand routers. Each router in Bangladesh cost about $10, according to Tech Times. And investigators counted just four of them in a window-less office measuring 12 by 8 feet, according to Reuters. This opened the door to sending payment instructions through SWIFT, a messaging system used by banks worldwide.
Scarier still, the attack gives copycats a blueprint to assault equally ill-prepared institutions. Meanwhile, SWIFT warns cyberattacks on banks will only increase.
The IoT “is going to be a huge risk” if banks don’t “deploy a set of rules for qualifying a device before putting it on the network,” says DuMas. “You would think this is already taking place. But recent events have shown this to not be true.”
Plugging holes before pulling the plug: Six smart action steps
It doesn’t have to come to pulling the internet plug, says DuMas, who offers a number of steps banks can take to protect themselves throughout existing systems.
- Never deploy an unknown device. Configure it, test it, deploy it in a sandbox environment and see who and what it talks to when deployed.
- Deploy the IoT on a separate, firewalled network from the rest of the mission critical devices.
- Change factory default usernames for devices, while avoiding obvious passwords (“password1234,” for example).
- Monitor everything. That especially means traffic to and from IoT devices, because they should generate the least amount of data.
- Never put the device directly on the Internet if you don’t want the world to see it. (ex: https://www.insecam.org/).
- And lastly, subscribe to the U.S. Computer Emergency Readiness Team (CERT) so you know when your device has been compromised and can follow appropriate steps to secure it.
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.