Home > News > Was the Billion-Dollar Bank Heist Preventable?

Comments 0 Comments
Advertiser Disclosure


A funny thing happened on the way to the ATM (and depending on who you believe, may still be happening). Scratch that. For the lucky few at the right place at the right time, an awesome thing has been happening: ATMs randomly coughing up cash—and a lot of it.  Like an international lottery, the phenomenon has occurred in more than 30 countries, leading to potentially as much as $1 billion in stolen funds.

At first glance, it might seem like a ghost in the machine was behind these pedestrian cash bonanzas (or a benevolent god), but as the walk-by windfalls multiplied a more likely scenario emerged. Called in to investigate, the international security software group Kaspersky Lab discerned the telltale signs of cybercrime behind the Mystery of the Communist ATMs.

The cash cataracts were the tip of an iceberg of massive proportions still unknown. As such, they underscore the need for private and public sector sharing of cybersecurity threat information. In an environment where cooperation, collaboration and communication are practiced, it’s harder for criminals to flourish. Had those ATM incidents been reported in a timely way, the scam probably would have been caught sooner.

President Obama signed an executive order last week on information sharing that was more like a guideline than anything else, but still very much a step in the right direction. “It’s one of the great paradoxes of our time,” the President told attendees of the first White House summit on Cybersecurity and Consumer Protection at Stanford University, “that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm.”

Exploiting System Weaknesses

Members of a cybercrime gang called Carbanak appear to know that better than most. They were the ones behind the ATM paydays, according to Kaspersky Lab. Using a RAT (remote access tool), Carbanak was able to release large amounts of money without anyone touching the machines. What seemed like an unfortunate loss for the affected banks—on the surface these incidents only benefited random passers-by—stayed hush-hush. According to my colleague Byron Acohido, “companies by and large are loathe to let word of any successful hack leave the inner circle – unless absolutely necessary.”  But the knee-jerk reaction to circle the wagons that most companies have when they’ve been compromised by cybercriminals actually cost banks more in this instance since it allowed the Carbanak gang to have a longer run at the institutions they had cracked. Had the affected banks shared information, a pattern would have emerged early on.

The forensics experts at Kaspersky Labs started to work backward to piece together the anatomy of what we now know may be the biggest bank heist to date. The deeper they probed the cause of these money geysers, the more apparent it became that the extent of the hit went way beyond the scope of a few zombie ATMs. At least $300 million had been stolen over the two-year period.

Kaspersky reported these findings at the opening of their annual Security Analyst Summit, which was held in Cancun last week. According to the report, “the criminals have attempted to attack up to 100 banks, e-payment systems and other financial institutions.” The Carbanak targets included financial organizations across the globe. The form the attacks took: malware.

The days of the safe-cracking bank robber have given way to the security-breaching hacker—yet another reason institutions should value open lines of communication and a high level of cooperation when it comes to fighting the threats out there. In the Carbanak scam, spearphishing emails were sent to employees that infected work stations, and from there the hackers tunneled deeper into the banks’ systems until they controlled employee stations that would allow them to make cash transfers, operate ATMs remotely, change account information and make administrative changes.

Was It Avoidable?

It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code, which spread from there like a digital rhinovirus. The hackers recorded everything that happened on the affected computers to learn how the organization did things. When they had mastered the system, they commandeered it for a series of transactions that included the ATM hits, but also a practice of artificially inflating bank balances and then siphoning off that amount, so a customer’s account balance might go from $1,000 to $10,000 and then $9,000 would go to the hacker. Could banks have prevented the attack? Maybe not, but more communication and a culture of cybercrime awareness certainly could have limited the damage.

The truth is there is no solution, but there is something that could make it harder for this kind of attack to go undetected for such a long period of time: collaboration, communication and cooperation. This is not just at the enterprise level. Consumers who see their bank account balances increase for no reason need to speak up instead of pray no one notices. Banks that get robbed need to talk about it, and share information. Cybercrime flourishes most when it is able to operate in the shadows.

As Justice Louis Brandeis said, “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” Right now, the 3Cs of collaboration, communication and cooperation are the bright light in the dark night of cybercrime’s ascendency.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

More on Identity Theft:

Image: Hemera

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team