Stealing Cash, it’s Even Better than Stealing Money...
There was a popular Aflac Insurance commercial series that ran several years ago featuring New York Yankee great Yogi Berra, known as much for his clever quips as his Hall of Fame baseball talents. In the spot Berra stated about the company, “they give you cash, which is just as good as money.” Turns out Yogi may have been onto something because in today’s cyber world, cash may be even better than money. Confused? Let me explain.
We are seeing an interesting trend among cybercriminals: they are developing simple but effective methods that use cyber tools and tactics to steal cash. Now you may ask, haven’t they been doing this all along? No, they have been stealing money and valuables, but not cash. Herein lies the difference and why these schemes can be so dangerous.
One of the few comforts that security teams for high-risk industries such as banking and financial services enjoy is that while they are under constant attack, they are also very good at remediation and forensic analysis, so they are able to quickly trace the source of an attack and block it or recover assets. Unfortunately, those abilities and protections do not translate to a cash theft. Let’s use a simple analogy: if you are travelling and your credit card is lost or stolen, there are built-in protections for you. You can cancel the card, the credit card company will launch an investigation and, in most cases, you will not be held responsible for any of the charges that took place once the card was compromised. However, if you are travelling with a couple of thousand dollars in cash that is lost or stolen, you are simply out of luck and the chances of ever recovering the money are nearly non-existent.
A perfect example of this type of scheme was back in early May when a global network used sheer manpower to steal more than $45 million from cash machines around the globe. In announcing the case, Brooklyn U.S. Attorney Loretta Lynch described the theft as "a massive 21st-century bank heist." From what we are seeing in the security community, this is not a one-time incident, but a dangerous trend, one that puts even greater emphasis on the ability to predict which assets are most at risk within your organization and on tightening security around them.
Rose Romero, a former federal prosecutor and regional director for the U.S. Securities and Exchange Commission, would seem to agree with this assessment. After these attacks were uncovered she stated that "unfortunately these types of cybercrimes involving ATMs, where you've got a flash mob going out across the globe, are becoming more and more common. I expect there will be many more of these types of crimes."
Here’s a quick look at how, by using cyber tactics, hackers were able to turn a routine breach into a massive physical crime worth millions of dollars. By breaching bank databases, they were able to manipulate the accounts and eliminate withdrawal limits on pre-paid debit cards. This also created access codes that enabled them to load the critical data onto any plastic card with a magnetic stripe. Whether it was a real credit card or not did not matter as long as it carried the account data and correct access codes. A coordinated and highly effective scheme, as the dollar amounts indicate.
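The pattern described above (a withdrawal limit removed on a prepaid card account, followed by cash-outs in many places) is something a bank can look for in its own records. The following detection sketch is an added example, not part of the original post; the event fields, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions.
EVENTS = [
    {"ts": "2000-01-01T02:00:00", "type": "limit_change", "account": "PP-1001", "old": 500, "new": None},
    {"ts": "2000-01-01T03:10:00", "type": "atm_withdrawal", "account": "PP-1001", "country": "US", "amount": 800},
    {"ts": "2000-01-01T03:15:00", "type": "atm_withdrawal", "account": "PP-1001", "country": "JP", "amount": 900},
    {"ts": "2000-01-01T03:40:00", "type": "atm_withdrawal", "account": "PP-1001", "country": "DE", "amount": 700},
    {"ts": "2000-01-03T09:00:00", "type": "atm_withdrawal", "account": "PP-1001", "country": "RU", "amount": 1000},
    {"ts": "2000-01-01T04:00:00", "type": "limit_change", "account": "PP-2002", "old": 500, "new": 600},
    {"ts": "2000-01-01T05:00:00", "type": "atm_withdrawal", "account": "PP-2002", "country": "US", "amount": 200},
    {"ts": "2000-01-01T06:00:00", "type": "atm_withdrawal", "account": "PP-3003", "country": "US", "amount": 100},
    {"ts": "2000-01-01T06:30:00", "type": "atm_withdrawal", "account": "PP-3003", "country": "CA", "amount": 100},
    {"ts": "2000-01-01T07:00:00", "type": "atm_withdrawal", "account": "PP-3003", "country": "MX", "amount": 100},
]

def find_cashout_candidates(events, window=timedelta(hours=24), min_countries=3):
    """Flag accounts whose limit was raised or removed and which then saw
    withdrawals in several countries, totalling more than the old limit."""
    raised = {}  # account -> (time of limit change, previous limit)
    seen = {}    # account -> countries and total withdrawn inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, acct = datetime.fromisoformat(ev["ts"]), ev["account"]
        if ev["type"] == "limit_change":
            old, new = ev["old"], ev["new"]
            # new=None means "no limit"; an account already unlimited is not a raise.
            if old is not None and (new is None or new > old):
                raised[acct] = (ts, old)
                seen[acct] = {"countries": set(), "total": 0}
        elif ev["type"] == "atm_withdrawal" and acct in raised:
            if ts - raised[acct][0] <= window:
                seen[acct]["countries"].add(ev["country"])
                seen[acct]["total"] += ev["amount"]
    alerts = []
    for acct in sorted(seen):
        s, old_limit = seen[acct], raised[acct][1]
        if len(s["countries"]) >= min_countries and s["total"] > old_limit:
            alerts.append({"account": acct,
                           "countries": sorted(s["countries"]),
                           "total": s["total"]})
    return alerts

if __name__ == "__main__":
    for alert in find_cashout_candidates(EVENTS):
        print(alert)
```

Only the account with both signals is flagged: a modest limit increase with normal use, or multi-country use with no limit change, does not alert on its own.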
My colleague, Ken Pickering, is an expert on these matters and was a resource for media outlets ranging from the Associated Press to the BBC after the story first broke. I think Ken said it best in his interview with the AP, "Once you see a large attack like this where they made off with close to $45 million that's going to wake up the cybercrime community. Ripping off cash, you don't get that back. There are suitcases full of cash floating around now, and that's just gone."
While the ATM example above represents an attack of a very sophisticated nature, we are also seeing a rise in quick and simple attacks designed to get away with cash in $50 - $100 increments. Another colleague, Matt Bergin, was recently featured in the New York Times after discovering he could hack a cash register remotely, popping it open, by sending two digits from his smartphone to the service running on the cash register’s point-of-sale system.
According to Matt, they reverse-engineered Xpient’s point-of-sale system, expecting that interacting with it would require cracking a password or breaking through a layer of encryption. To their surprise, they encountered neither. By simply sending a two-digit code from his phone to the point-of-sale system, they discovered that they could pop open the cash register remotely. Think about that for a moment. While it may not seem like the crime of the century, the ability to simply key in a couple of digits on a phone and be off with a handful of cash before anyone is the wiser could be very lucrative. The simplicity of this attack would also appear to transfer well to other low-tech locking systems such as internal access doors.
They always say in the investment world that cash is king. We are now seeing that in terms of cyber as well. While the numbers may be smaller, the chances of getting caught are also greatly reduced and this may encourage would-be hackers to be a bit bolder. Stealing cash, it’s even better than stealing money.