The highly orchestrated event, according to some experts, could be the handiwork of Lazarus, North Korea’s most prolific hacking group, which has pulled off some audacious attacks around the globe, from leaking and destroying Sony Pictures’ data to siphoning tens of millions of dollars from banks in Poland and Bangladesh.
What did hackers do exactly?
Payment experts said the attackers breached the firewall protecting the servers that authorize ATM transactions. They then set up a proxy server that answered authorization requests in place of the bank’s own switch, so withdrawals were approved by the fake server rather than by the bank. This meant the ATMs were being directed to release cash without any check that the card was genuine or that a corresponding bank account existed.
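The mechanism described above has a detectable side effect: a proxy switch that approves everything produces ATM approvals that the core banking system never debited, and a cash-out also shows up as a burst of foreign withdrawals in a short window. The following is an added example, not code from the article, Cosmos Bank or any payment vendor; it reconciles a constructed switch approval log against a constructed core-banking debit log and runs a simple sliding-window burst detector. The log formats, field names, timestamps and thresholds are all assumptions made up for the example.

```python
"""Reconcile ATM switch approvals against core-banking debits and flag
cash-out bursts. Added example with constructed data, not bank code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Approval:
    txn_id: str
    ts: datetime
    country: str
    amount_usd: float


# Constructed switch log (assumed format: ts,txn_id,country,amount_usd).
SWITCH_LOG = """
2018-08-11T09:15:02Z,T001,IN,40.00
2018-08-11T09:47:55Z,T002,IN,120.00
2018-08-11T15:02:11Z,T100,HK,2500.00
2018-08-11T15:03:40Z,T101,US,1800.00
2018-08-11T15:05:09Z,T102,CA,100.00
2018-08-11T15:06:58Z,T103,RU,2500.00
2018-08-11T15:08:20Z,T104,AE,2200.00
2018-08-11T15:09:47Z,T105,GB,11000.00
2018-08-11T16:30:00Z,T003,IN,60.00
"""

# Constructed core-banking debit log (assumed format: ts,txn_id,account,amount_usd).
# Only the three domestic withdrawals were ever posted to an account.
CORE_LOG = """
2018-08-11T09:15:03Z,T001,ACC-1001,40.00
2018-08-11T09:47:56Z,T002,ACC-2042,120.00
2018-08-11T16:30:01Z,T003,ACC-3310,60.00
"""


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_switch_log(text: str) -> list[Approval]:
    """Parse approvals emitted by the ATM switch (constructed format)."""
    out = []
    for line in text.strip().splitlines():
        ts, txn_id, country, amount = line.split(",")
        out.append(Approval(txn_id, _parse_ts(ts), country, float(amount)))
    return out


def parse_core_debits(text: str) -> dict[str, float]:
    """Parse debits posted by core banking; returns txn_id -> amount."""
    debits = {}
    for line in text.strip().splitlines():
        _ts, txn_id, _account, amount = line.split(",")
        debits[txn_id] = float(amount)
    return debits


def find_unreconciled(approvals: list[Approval], debits: dict[str, float]) -> list[Approval]:
    """Approvals that core banking never debited, or debited for a different amount.
    A proxy switch approving on its own produces exactly this gap."""
    return [a for a in approvals if debits.get(a.txn_id) != a.amount_usd]


def cashout_burst_ids(approvals, home="IN", window=timedelta(minutes=30),
                      min_txns=5, min_countries=3) -> set[str]:
    """Sliding window over foreign approvals: flag every txn that sits in a
    window holding at least min_txns approvals from at least min_countries
    distinct countries. Thresholds are illustrative assumptions."""
    foreign = sorted((a for a in approvals if a.country != home), key=lambda a: a.ts)
    flagged: set[str] = set()
    start = 0
    for end, a in enumerate(foreign):
        while a.ts - foreign[start].ts > window:
            start += 1
        span = foreign[start:end + 1]
        if len(span) >= min_txns and len({x.country for x in span}) >= min_countries:
            flagged.update(x.txn_id for x in span)
    return flagged


def triage(switch_text: str, core_text: str) -> dict:
    """Combine both signals into one report for an on-call analyst."""
    approvals = parse_switch_log(switch_text)
    debits = parse_core_debits(core_text)
    unreconciled = find_unreconciled(approvals, debits)
    return {
        "unreconciled_ids": sorted(a.txn_id for a in unreconciled),
        "unreconciled_total_usd": sum(a.amount_usd for a in unreconciled),
        "burst_ids": sorted(cashout_burst_ids(approvals)),
        # weekday() >= 5 is Saturday or Sunday, the timing the FBI alert warned about.
        "weekend": any(a.ts.weekday() >= 5 for a in unreconciled),
    }


if __name__ == "__main__":
    print(triage(SWITCH_LOG, CORE_LOG))
```

The reconciliation check is the stronger of the two signals, because it does not depend on guessing thresholds: an approval with no matching core debit should not exist in a correctly wired switch, so even a single one during a live window deserves a page. The burst detector is there for the case where the attacker also tampers with the core-side feed.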
The FBI had warned global banks that cyber criminals were planning a choreographed, global fraud known as an “ATM cash-out”. An ATM cash-out refers to a highly orchestrated event in which a bank or a card payment processor is compromised and the unauthorized access is used to withdraw cash from many ATMs within a few hours.
International media had reported details of the FBI warning on Monday by which time Cosmos Bank had already been defrauded.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global automated teller machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks reported first by KrebsonSecurity, a site which reports on cybercrime.
“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”
According to the report, all cash-out operations take place on weekends, after banks close for business.
Is depositor money safe?
1) The account holders’ money is safe now and in the future, says the bank, as the proxy switch was operative on the payment gateway, not the core banking system.
2) The bank has appointed a professional forensic agency to investigate the attack.
3) The servers, internet banking, mobile banking and ATMs have been suspended.
4) The bank said it will take 3-4 switch to become operational
Cosmos chairman Milind Kale said that depositors would not be hit. “Our security systems have not been compromised. It was as late as July 2018 that the RBI inspected the bank’s IT robustness, and it has also sent about four officials who are examining the extent of damage,” he said. MD Suhas Gokhale sent out an SMS to customers saying the attack was “not at all” on the core banking system where accounts are maintained.
Inspector Vaishali Galande told TOI: “We have registered a case under the IT Act and penal offences against unidentified persons.” The cyber crime cell is likely to take over the probe.
Kale said, “The bank turned off its servers and all internet banking applications after noticing several erratic and abnormally high transactions. These transactions happened over two hours and 13 minutes and were spread across 28 countries where cloned cards were used to debit several amounts ranging from $100 (Rs 6,900) to $2,500 (Rs 1.7 lakh).” He said the bank turned off the system related to international switch transactions soon after. “In one of these transactions, the amount was as high as $11,000 (Rs 7.6 lakh).” The RBI alerted the bank about unusual transactions, it said. Kale said, “We will have to work with different countries. Withdrawals appear to have actually happened and getting back funds will depend on coordination with several agencies.”