This article is more than 3 years old

Extortionists are threatening to publish the account information of a hacked banks’ customers unless they hand over cash.

According to Reuters, the group of unidentified hackers are targeting customers’ accounts at Valartis Bank Liechtenstein.

Located in the Alpine principality between Switzerland and Austria, the financial organization switched hands from the Swiss-listed Valartis Group to a Hong Kong-based holding company known as Citychamp Watch & Jewellery Group Ltd earlier this year.

As of this writing, the bank has yet to issue a comment publicly. It also didn’t respond to Reuters’s request for a private comment via phone or email on 27 November.

Now, in a typical bank heist, the attackers either raid affected customers’ accounts outright or they abuse something like the SWIFT platform to fraudulently transfer money to an account under their control.

But that’s not what’s going on here. Reuters explains:

“Unknown hackers found their way into the Liechtenstein bank’s system and obtained customer account information, including that of many Germans…, … politicians, actors and high net worth individuals… “The hackers are demanding 10 percent of the account balances, to be paid in Internet cryptocurrency Bitcoin to help preserve anonymity…”

In other words, the hackers want money from the bank’s customers, or else they’ll leak their account information online.

Is that a bad thing?

Potentially, yes.

Different countries have different ways of allowing people to withdraw money from their bank accounts. To process that kind of transaction, a criminal needs to have a valid bank account number and the routing number for the financial institution at which that account is held. But depending on how they attempt to withdraw money, they might need a physical card or photo identification.

The potential for fraud ultimately rests online, where an actor can abuse someone’s bank account number and routing number to submit an Automated Clearing House (ACH) transaction.

A bank can technically detect suspicious transactions through the use of anti-fraud measures. It could alert the user, for example, if they detect a money withdrawal from another country, but as we all know, bad actors can circumvent that obstacle through the use of the VPN.

Responsibility for detecting and reporting the fraud might therefore fall onto the user. If that’s the case, they might not have any choice but to close down their old bank accounts and open up a new one.

While Valartis Bank Liechtenstein figures out the best way to protect its users, it should disable online transactions. That will in the very least help prevent remote actors from stealing account holders’ money.

Under no circumstance should any of the affected customers meet the criminals’ demands.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.