tech2 News Staff

As India moves ever closer to its dream of digitisation, issues of security and privacy are rearing their head in increasingly alarming numbers. A close second to privacy issues, the security of digital banking transactions is an important one to consider.

There is some good news on this front. A recent incident involving a $171 million heist from the Union Bank of India (UBI) was resolved, if reports are to be believed, in record time. All the money has also been recovered, reports claim.

The Hindu, which published a full report on the incident, states that the investigation into the heist, which took place in July 2016, spanned seven countries. The investigation involved Indian organisations and close cooperation with the government. The Ministry of External Affairs (MEA) and the Reserve Bank of India (RBI) were also involved.

Arun Tiwari, Chairman of the UBI, and India’s Chief Information Security Officer Dr Gulshan Rai told The Hindu that the money was recovered within 6 days.

Investigations have revealed that the heist was enabled by an infected email that was opened by an unnamed bank official. The contents of the email and the nature of the malware that resulted in the attack are unknown, but what is known is that by the next day, $171 million was stolen and transmitted to at least 5 different locations. These include banks in Cambodia, Thailand, Taiwan and Australia. The Hindu reports that the funds were routed through Citibank and JP Morgan Chase in New York. The Swift messaging service for financial transactions was used for the hack.

A Swift official told The Hindu that the Swift service itself wasn’t compromised. The official alleges that the breach occurred at the bank’s end in the first place and that they have no control over a bank’s lax security policies. Cyber security and management policies need to keep pace, said the official. Security guidelines have already been issued to customers, adds the official.

The heist was discovered by a UBI treasury official who was surprised to note that an amount of $171 million was debited without his approval. He then reported the issue to senior management, who reported the theft.

Once the full extent of the breach was known, it was just a matter of working with the respective governments involved to track down and retrieve the money. There was, apparently, some trouble with retrieving the money from Taiwan as India doesn’t have diplomatic ties with the Taiwanese government and a court order was needed to reverse the transaction.

Last year’s hack involving the Bangladesh Central Bank (BCB) was an attempt to steal $951 million electronically. Luckily for the BCB, not all the transactions succeeded and it "only" lost around $100 million rather than 10 times that amount. Much of the money was recovered.

The Bangladesh heist is telling because the mechanism of the hack bears a striking resemblance to the UBI breach.

Hackers infected BCB computers with the Dridex malware by using infected Word files sent over email. Once the Word document was opened, the malware was downloaded and the PC infected. This was used to record the bank’s transaction process and to steal credentials. Once the hackers had what they needed, they simply issued multiple transactions via Swift to transfer the money.

Luckily for the bank, the thieves misspelled the name of one of the beneficiaries, which caught the eye of banking officials.

While most of the money was recovered, the perpetrators were never identified.

In the case of the UBI hack as well, it appears that identifying the perpetrators will be impossible.

In both cases, it’s quite clear that lax security practices resulted in these heists.

The Dridex malware, for example, spreads via Word and Excel documents sent in spam or phishing mail. Worse still, infection is not automatic: the user has to open the document and enable macros in Word or Excel (these are off by default), and only then does the PC get infected.

Dridex is hard to block via an anti-virus program, so adherence to stringent security policies is the best means of protection.

As Swift India’s CEO Kiran Shetty explains, installing firewalls on servers and following safe computing practices alone can prevent “85 percent of cyber-attacks.”

Banks need to buck up and sort out their security practices. Financial fraud is expensive and banks are a huge and easy target for hackers.