1/2/2019
10:30 AM
Zia Hayat
Commentary

25 Years Later: Looking Back at the First Great (Cyber) Bank Heist

The Citibank hack in 1994 marked a turning point for banking -- and cybercrime -- as we know it. What can we learn from looking back at the past 25 years?

The banking industry was at a crossroads 25 years ago, marking the beginning of the digital world we know today. Banks were struggling to lower costs while improving customer access, and we saw physical branches and human tellers being replaced by ATM machines and electronic services.

It was also the time when Citibank fell victim to what many consider one of the first great cybercrimes. Vladimir Levin made headlines in 1994 when he tricked the bank into accessing $10 million from several large corporate customers via their dial-up wire transfer. Levin transferred the money to accounts set up in Finland, the United States, the Netherlands, Germany, and Israel. He was eventually caught, and Citibank ultimately recovered most of the money.

Looking back, it may be the first successful penetration into the systems that transfer trillions of dollars a day around the globe. The moment not only captured the attention of the world, but it caught the attention of my teenage self, inspiring my curiosity — and eventually a career — in the world of cybersecurity.

My young mind struggled to comprehend how something so seemingly simple could baffle the defenses of one of the world's largest financial institutions. As the Los Angeles Times reported in 1995, "The incident underscores the vulnerability of financial institutions as they come to increasingly rely on electronic transactions. ... But as they seek to promote electronic services — and cut the high costs of running branch offices — they face risks."

I think we could easily say we're in a similar situation today.

From Bonnie and Clyde to Black Hat
When I first learned of the heist through a documentary on local British television, I was shocked to know that someone could take money from a bank without even having to step into a branch. It was armchair fraud — the responsible person never left a physical fingerprint, all while essentially penetrating the impenetrable.

The 1990s and 2000s were abuzz with the excitement of the Internet and proliferation of access to Internet browsers. As we welcomed this new and wild World Wide Web, banks began to digitize their storefronts. However, the Internet wasn't inherently designed with digital security in mind. The framework of the Internet was born in academia, an altruistic environment built around trust and exploration.

But with every gain, there was someone trying to game the system for a variety of reasons. Some were just curious what was accessible in this digital frontier. Others, like Levin, had more nefarious goals in mind.

Fast forward 20-plus years, and while we are in an entirely unrecognizable digital world, we're still facing a similar battle. Rather than spoofing dial-up systems, we have industrial and government-level cybercrime, unpredictable intelligent bots, and vast amounts of computing power to deal with. Yet while there are similarities, there are a few important differences:

  • Scalability: While fraudsters were sophisticated for their time, scalability is what really affects how we understand fraud today. In the past, there were thousands of smaller banks and just a handful of people around the world with the capability to "digitally" break in and make off with the loot. Now there are fewer — but larger — banks to steal from, yet with the digital resources today, fraudsters can maximize the footprint of their criminality. They target governments or large enterprises, or they simply get out of the robbery business and make their riches selling the tools globally across the Dark Web, which allows anyone with a computer, Internet connection, and a few hundred dollars to become a cybercriminal.
  • The rate of change: There was massive acceleration from the Industrial Revolution to the digital revolution. While it's well known that the rate of change in the Industrial Revolution was swift, today's rate of change is unmatched. Change inherently brings risk, and with the finance industry rapidly transforming, threats often move faster than the solutions that target them. This new rate of change has transformed the job of the CISO, who now must think strategically, and even abstractly, about protecting what isn't even known yet.
  • Digital identity: The concept of digital identity wasn't on the radar 24 years ago. But today, we have hundreds of websites where we must manage our identity, even if only about 10 are actually important. Consider Facebook, where nearly one-third of the global population log on and also use the same credentials to access millions of other accounts and services. In the digital world, you can become anyone as long as you can get a hold of their credentials — whether that is a password, a Social Security number, or a fingerprint.

Don't Fight Fraud Alone
Today's solutions must absolutely be comprehensive, involving much more than simple cross-industry collaboration. Regulations and frameworks can provide guidance and foster a productive global conversation about the issues at hand, but they take time to put into place and can't adapt as quickly as the threats they are meant to mitigate. Fighting fraud today requires real-time intelligence. For security executives, it means a continual education on the latest tools, trends, and trials of the cybersecurity market.

The financial services industry has adapted to this new age of fraud by promoting strategic partnerships — often between financial technology companies (fintechs) and banks. While banks bring to the table many decades of refined, robust security measures and regulatory knowledge, fintechs offer their innovative initiatives, agility, and scalability to develop even more sophisticated methodologies for fighting fraud. Every organization is facing an uphill battle as the "what" to protect and "who" to protect it from are rapidly changing. Fortunately, these partnerships offer the right mix of expertise, experience, and innovation to quickly adapt and respond to changes in the cyber ecosystem, often providing a blueprint for others to follow suit.

Will There Be a Great Bank Heist of 2024?
Today, we have a better understanding of what comprises our digital assets, but it remains a constant battle to determine how best to secure them. The monetary losses financial institutions suffer from fraud and theft are staggering. Worse, the cybersecurity space is maturing in more insidious directions, suggesting we need to reconsider the value placed on different assets. Compared with a traditional bank theft, when such commodities fall into the wrong hands, it affects the livelihood of many more citizens and the backbone of our modern society and economy.

Zia Hayat is CEO of Callsign, a company that specializes in frictionless identification. Zia has a PhD in information systems security from the University of Southampton and has worked in cybersecurity for both BAE Systems and Lloyds Banking Group. He founded Callsign in ...
Comments
REISEN1955
1/3/2019 | 9:37:25 AM
What 25 years brings
No ransomware back then. My first real network job was in 1998 with Aon when I was that greatest of all certifications - CNE - for Novell servers. Hackers were rare back then and the first virus we ever got hit with was the famous Anna Kournikova picture - which did some damage to Aon files. THAT was the biggie and then again so was not Y2K as we all sadly remember. The Citibank theft made some news because it was new and weird, but today .... sadly .... we are far worse off, just say Equifax.

Added thought - an actuary at Aon rec'd Anna Kournikova pic and upon investigation, started to move mouse to OPEN IT UP. I told him that if he opens it I would terminate IT support forever. "Oh, I shouldn't do that?" EGAD. Users sometimes just want to see what it DOES. Curiosity killed the cat.