1/2/2019
10:30 AM
Zia Hayat
Commentary

25 Years Later: Looking Back at the First Great (Cyber) Bank Heist

The Citibank hack in 1994 marked a turning point for banking -- and cybercrime -- as we know it. What can we learn from looking back at the past 25 years?

The banking industry was at a crossroads 25 years ago, marking the beginning of the digital world we know today. Banks were struggling to lower costs while improving customer access, and we saw physical branches and human tellers being replaced by ATM machines and electronic services.

It was also the time when Citibank fell victim to what many consider one of the first great cybercrimes. Vladimir Levin made headlines in 1994 when he tricked the bank into accessing $10 million from several large corporate customers via their dial-up wire transfer. Levin transferred the money to accounts set up in Finland, the United States, the Netherlands, Germany, and Israel. He was eventually caught, and Citibank ultimately recovered most of the money.

Looking back, it may be the first successful penetration into the systems that transfer trillions of dollars a day around the globe. The moment not only captured the attention of the world, but it caught the attention of my teenage self, inspiring my curiosity — and eventually a career — in the world of cybersecurity.

My young mind struggled to comprehend how something so seemingly simple could baffle the defenses of one of the world's largest financial institutions. As the Los Angeles Times reported in 1995, "The incident underscores the vulnerability of financial institutions as they come to increasingly rely on electronic transactions. ... But as they seek to promote electronic services — and cut the high costs of running branch offices — they face risks."

I think we could easily say we're in a similar situation today.

From Bonnie and Clyde to Black Hat

When I first learned of the heist through a documentary on local British television, I was shocked to know that someone could take money from a bank without even having to step into a branch. It was armchair fraud — the responsible person never left a physical fingerprint, all while essentially penetrating the impenetrable.

The 1990s and 2000s were abuzz with the excitement of the Internet and proliferation of access to Internet browsers. As we welcomed this new and wild World Wide Web, banks began to digitize their storefronts. However, the Internet wasn't inherently designed with digital security in mind. The framework of the Internet was born in academia, an altruistic environment built around trust and exploration.

But with every gain, there was someone trying to game the system for a variety of reasons. Some were just curious what was accessible in this digital frontier. Others, like Levin, had more nefarious goals in mind.

Fast forward 20-plus years, and while we are in an entirely unrecognizable digital world, we're still facing a similar battle. Rather than spoofing dial-up systems, we have industrial and government-level cybercrime, unpredictable intelligent bots, and vast amounts of computing power to deal with. Yet while there are similarities, there are a few important differences:

  • Scalability: While fraudsters were sophisticated for their time, scalability is what really affects how we understand fraud today. In the past, there were thousands of smaller banks and just a handful of people around the world with the capability to "digitally" break in and make off with the loot. Now there are fewer — but larger — banks to steal from, yet with the digital resources available today, fraudsters can maximize the footprint of their criminality. They target governments or large enterprises, or they simply get out of the robbery business and make their riches selling the tools globally across the Dark Web, which allows anyone with a computer, Internet connection, and a few hundred dollars to become a cybercriminal.
  • The rate of change: There was massive acceleration from the Industrial Revolution to the digital revolution. While it's well known that the rate of change in the Industrial Revolution was swift, today's rate of change is unmatched. Change inherently brings risk, and with the finance industry rapidly transforming, threats often move faster than the solutions that target them. This new rate of change has transformed the job of the CISO, who now must think strategically, and even abstractly, about protecting what isn't even known yet.
  • Digital identity: The concept of digital identity wasn't on the radar 24 years ago. But today, we have hundreds of websites where we must manage our identity, even if only about 10 are actually important. Consider Facebook, where nearly one-third of the global population log on and also use the same credentials to access millions of other accounts and services. In the digital world, you can become anyone as long as you can get hold of their credentials — whether that is a password, a Social Security number, or a fingerprint.

Don't Fight Fraud Alone

Today's solutions must absolutely be comprehensive, involving much more than simple cross-industry collaboration. Regulations and frameworks can provide guidance and foster a productive global conversation about the issues at hand, but they take time to put into place and can't adapt as quickly as the threats they are meant to mitigate. Fighting fraud today requires real-time intelligence. For security executives, it means a continual education on the latest tools, trends, and trials of the cybersecurity market.

The financial services industry has adapted to this new age of fraud by promoting strategic partnerships — often between financial technology companies (fintechs) and banks. While banks bring to the table many decades of refined, robust security measures and regulatory knowledge, fintechs offer their innovative initiatives, agility, and scalability to develop even more sophisticated methodologies for fighting fraud. Every organization is facing an uphill battle as the "what" to protect and "who" to protect it from are rapidly changing. Fortunately, these partnerships offer the right mix of expertise, experience, and innovation to quickly adapt and respond to changes in the cyber ecosystem, often providing a blueprint for others to follow suit.

Will There Be a Great Bank Heist of 2024?

Today, we have a better understanding of what comprises our digital assets, but it remains a constant battle to determine how best to secure them. The monetary losses financial institutions suffer from fraud and theft are staggering. Worse, the cybersecurity space is maturing in more insidious directions, suggesting we need to reconsider the value placed on different assets. Compared with a traditional bank theft, when such commodities fall into the wrong hands, it affects the livelihood of many more citizens and the backbone of our modern society and economy.

Zia Hayat is CEO of Callsign, a company that specializes in frictionless identification. Zia has a PhD in information systems security from the University of Southampton and has worked in cybersecurity for both BAE Systems and Lloyds Banking Group. He founded Callsign in ...
Comments
REISEN1955,
User Rank: Ninja
1/3/2019 | 9:37:25 AM
What 25 years brings
No ransomware back then. My first real network job was in 1998 with Aon when I was that greatest of all certifications - CNE - for Novell servers. Hackers were rare back then and the first virus we ever got hit with was the famous Anna Kournikova picture - which did some damage to Aon files. THAT was the biggie and then again so was not Y2K as we all sadly remember. The Citibank theft made some news because it was new and weird, but today .... sadly .... we are far worse off, just say Equifax.

Added thought - an actuary at Aon rec'd Anna Kournikova pic and upon investigation, started to move mouse to OPEN IT UP. I told him that if he opens it I would terminate IT support forever. "Oh, I shouldn't do that?" EGAD. Users sometimes just want to see what it DOES. Curiosity killed the cat.