Cybersecurity & Finance

How to Hack a Bank

What the 2020 bank hack means for you

Bruno Sch_


Photo by Chris Yang on Unsplash

Just last week, news broke that a group of hackers broke into thousands of online bank accounts in a series of sophisticated and well-executed cyberattacks. These hackers stole millions of dollars, affecting thousands of account-holders across several banks. And it should serve as a stark reminder that we need better cybersecurity habits, collectively and individually, to protect our personal finances.

The observation by security expert Bruce Schneier rings just as true today as it did at the turn of the millennium:

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.

Secrets & Lies: Digital Security in a Networked World (2000)

Our information is vulnerable, and technology alone cannot guarantee its security. And considering that personal finances are deeply tied to our survival, it’s all the more important to cultivate robust security habits for tasks as mundane as transferring funds from a savings to a checking account.

A solution is to conduct your online banking inside a virtual machine (VM).

With a well-secured VM, you can ensure an important layer of privacy and security for your device and data when you update bank statements, conduct wire transfers, pay taxes, or check your retirement account.

How to Hack a Bank Account

Last week, a group of security researchers at IBM discovered a sophisticated spree of cyberattacks that targeted thousands of accounts at European and North American financial institutions. (The story has already been covered by ArsTechnica and WIRED.)

The hackers gained access to the accounts through mobile banking apps using a system the researchers named “evil mobile emulator farms”. The scale of the operation is astounding: the hackers built automated, scripted infrastructure supporting over 20 mobile emulators that spoofed the identities of over 16,000 compromised mobile devices. These devices were probably compromised through a combination of malware infection and social engineering that harvested login credentials from the banks’ customers.

The hackers cycled stolen usernames and passwords through their system of emulators to access accounts through banks’ mobile apps. They used captured device identifiers to spoof a customer’s mobile device, and sometimes used randomized identifiers to give the appearance that a customer was logging into their account with a “new” device.

Emulators also spoofed GPS data, connecting to the banking apps through virtual private networks to avoid suspicious-looking login attempts.

Excerpt from the hackers’ code | Source: IBM Security Trusteer

Once the attackers had access to an account, they could view its balance and initiate a series of transfers just under amounts that would trigger a review by the bank. Over the course of a few days, and across several accounts and banks, the hackers siphoned millions of dollars.
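The pattern described above (a login from a never-seen device identifier followed by a burst of transfers each kept just under the review limit) is exactly what a bank-side detection rule can look for. The following is an added illustration written for this article, not IBM’s or any bank’s code; the threshold, window, field names and events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical bank-side parameters (assumptions for this example).
REVIEW_THRESHOLD = 1000.00      # transfers at or above this amount get manual review
WINDOW = timedelta(hours=6)     # how long after a login we watch for structuring
MIN_TRANSFERS = 3               # how many sub-threshold transfers raise an alert

# Constructed sample activity for one account (not real data).
# Each event is (timestamp, type, device_id, amount_in_dollars).
EVENTS = [
    ("2020-12-10T08:00:00", "login",    "dev-aaa", 0.0),    # customer's usual device
    ("2020-12-10T09:15:00", "transfer", "dev-aaa", 250.00),
    ("2020-12-11T02:00:00", "login",    "dev-zzz", 0.0),    # never-seen device identifier
    ("2020-12-11T02:05:00", "transfer", "dev-zzz", 990.00),
    ("2020-12-11T02:20:00", "transfer", "dev-zzz", 985.00),
    ("2020-12-11T02:45:00", "transfer", "dev-zzz", 995.00),
]
KNOWN_DEVICES = {"dev-aaa"}


def flag_structuring(events, known_devices, threshold=REVIEW_THRESHOLD,
                     window=WINDOW, min_transfers=MIN_TRANSFERS):
    """Return one alert per login from an unknown device that is followed,
    within `window`, by at least `min_transfers` transfers which each stay
    under `threshold` while their total exceeds it."""
    parsed = [(datetime.fromisoformat(t), kind, dev, amt)
              for t, kind, dev, amt in events]
    alerts = []
    for ts, kind, dev, _ in parsed:
        if kind != "login" or dev in known_devices:
            continue
        # Sub-threshold transfers from the new device inside the window.
        small = [amt for t2, k2, d2, amt in parsed
                 if k2 == "transfer" and d2 == dev
                 and ts <= t2 <= ts + window and amt < threshold]
        if len(small) >= min_transfers and sum(small) >= threshold:
            alerts.append({"device": dev, "login_at": ts.isoformat(),
                           "transfers": len(small), "total": round(sum(small), 2)})
    return alerts
```

A real deployment would also weigh the geolocation and network signals the article mentions (new region, VPN exit) rather than the device identifier alone.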

No doubt, an attack of this complexity required rigorous testing and training, to make sure that scripts ran seamlessly and that infrastructure could perform at scale, all while evading detection by the target banks. Furthermore, the system also enabled the hackers to bypass account security measures like two-factor authentication by intercepting SMS messages (though the researchers don’t detail how this was accomplished).

The security researchers conclude that

the robustness and sophistication of the operation’s automation environment were not a common sight in the cybercrime area. It is likely that those behind it are an organized group with access to skilled technical developers of mobile malware and those versed in fraud and money laundering. These types of characteristics are typical for gangs from the desktop malware realms, such as those operating TrickBot or the gang known as Evil Corp.

The researchers also warn that “fraud-as-a-service” attacks are growing more popular among cybercriminals. Financial institutions will have to improve their security measures, and so will end users like us.

Virtual Banking

So what to do?

For device security, consider conducting all your banking inside a virtual machine (VM). What are VMs?

VMs enable you to run a separate operating system on your host computer, like running a computer within a computer. With VMs, it’s possible to run Windows on a Mac, macOS on Linux, and, of course, any number of Linux distros on Linux.

Programs running inside a VM are compartmentalized from those running on the host machine. For example, malware accidentally downloaded into the VM cannot touch the files or programs on the host, provided the VM is not configured to share folders or the clipboard with it.

By compartmentalizing your online banking and personal finances in a VM, you make it harder for an adversary who compromises your host machine to reach the sensitive information stored within the VM (especially if it’s password protected): financial statements, or even browser cookies that could grant access to sensitive accounts (like email) tied to those finances.

Setting up a VM for your personal finances is relatively simple:

(1) Download a hypervisor to run the VM

The hypervisor is the specialized software that creates and runs the VM. Oracle’s VirtualBox is a widely used, free and open source hypervisor, though there exist other options depending on your budget and technical comfort.

(2) Download the operating system that will run on the hypervisor

You can download the disk image of whatever OS you would like to run. The disk image contains the files, structures, and configurations necessary to run the OS in the virtual environment, and it usually has the .iso filename extension.

If you’re going this far to protect your financial information, you may as well verify the integrity of the downloaded disk image against the publisher’s checksum and signature, to make sure it is neither corrupted nor tampered with.

Consider downloading Qubes OS, a free, open-source, secure and privacy-respecting operating system well known and used by security experts (though always perform your due diligence!).

(3) Make sure that your VM is secure (and stays that way!)

This means treating your VM as if it were a different computer than your host.

Create a secure password, ideally not the one you use for your host machine. Additionally, encrypt the VM (with a different password!) for another layer of protection. (This tutorial covers encrypting VirtualBox VMs.)

Avoid downloading programs onto your VM that you do not absolutely need for attending to your personal finances; every additional piece of software widens the VM’s attack surface.

If you store documents on your VM containing sensitive information (like credit card or social security numbers), you may also want to encrypt the files with software like VeraCrypt.

And make sure to keep casual internet browsing away from the VM! Sometimes all it takes is clicking on the wrong link.

After all, humans, not machines, are the weak link in any secure system.

If you have any reactions or concerns, feel free to leave a comment.

Hopefully this quick piece of writing is informative! Stay safe.

Photo by Ariel on Unsplash
