Skip to main content

Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer

  • 204 Accesses

Part of the Advances in Intelligent Systems and Computing book series (AISC,volume 1271)

Abstract

In recent years, financial crimes and large scale heists involving the banking sector have significantly increased. Banks and Financial Institutions form the economic and commercial backbone of a country. An essential function of banks is the transfer of funds domestically or internationally. Most banks today transfer money by using electronic fund transfer systems such as the Automated Clearing House (ACH) or messaging systems such as SWIFT, FedWire, Ripple, etc. However, vulnerabilities in the use of such systems expose banks to digital heists. For example, the 2016 heist in the central bank of Bangladesh used the SWIFT network to send fake messages. It almost resulted in the theft of nearly $1 billion, which is one-sixth of the total foreign currency reserve of Bangladesh. Similar attacks have happened in many other countries as well. In this paper, we discussed multiple such incidents. From those incidents, we systematically analyze two such events – the Bangladesh Bank heist and the DNS takeover of Brazilian banks – to understand the nature and characteristics of such attacks. Through our analysis, we identify common and critical security flaws in the current banking and messaging infrastructures and develop the desired security properties of an electronic funds transfer system.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-58703-1_12
  • Chapter length: 18 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   139.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-58703-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   179.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.

References

  1. Ach Volume Grows. https://www.nacha.org/news/ach-volume-grows-56-percent-adding-13-billion-payments-2015-0

  2. Ach vs Wire vs Electronic Transfer? What is the difference?. https://moneyrep.iaacu.org/2014/05/ach-vs-wire-vs-electronic-transfer-what-is-the-difference/

  3. Citibank Credit Card Data Breach. https://www.thedailybeast.com/citi-credit-card-leak-nearly-twice-as-big

  4. Clearing House Interbank Payments System. https://en.wikipedia.org/wiki/Clearing_House_Interbank_Payments_System

  5. Cyber Security Cost of JPMorgan Chase. http://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#slide=5

  6. Fedwire Funds Services. https://www.federalreserve.gov/paymentsystems/fedfunds_about.htm

  7. Hacker Bugging the System of Bangladesh Bank. https://web.archive.org/web/20160312145208/http://www.asianews.network/content/hackers-bugged-bangladesh-bank-system-jan-11271

  8. How a Simple Typo Helped Stop a 1 Billion Dollar Digital Bank Heist - The Washington Post. https://goo.gl/Fm5NRa

  9. Paypal. https://en.wikipedia.org/wiki/PayPal

  10. RCBC had to Pay 1 Billion Filipino Dollar as Penalty. https://manilastandard.net/business/213132/rcbc-pays-half-of-p1-b-penalty.html

  11. Rupay Credit Card Data Breach. http://www.reuters.com/article/us-india-banks-fraud/security-breach-feared-in-up-to-3-25-million-indian-debit-cards-idUSKCN12K0CC?il=0

  12. Bangladesh Bank Heist (2015). https://en.wikipedia.org/wiki/Bangladesh_Bank_heist

  13. Brazilian Bank Hack (2015). https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/

  14. Ecuador Bank Heist (2015). http://www.reuters.com/article/us-wells-fargo-banco-del-austro-ruling-idUSKCN12J03J

  15. Fin-What is Swift (2015). https://fin.plaid.com/articles/what-is-swift

  16. Hetachi Heist (2015). https://timesofindia.indiatimes.com/business/india-business/hitachi-payment-accepts-malware-hit/articleshow/57071322.cms

  17. JP Morgan Bank Heist (2015). http://www.businessinsider.com/jpmorgan-hacked-bank-breach-2015-11

  18. Lyod Bank Hack (2015). http://www.theinquirer.net/inquirer/news/3003091/lloyds-bank-hack-ddos-attack-disrupts-banks-online-services

  19. Russian Bank DDoS Attack (2015). https://www.theregister.co.uk/2016/11/11/russian_banks_ddos/

  20. Tesco Bank Heist (2015). http://thehackernews.com/2016/11/tesco-bank-hack.html

  21. Ukraine Bank Swift Hack (2015). http://thehackernews.com/2016/06/ukrainian-bank-swift-hack.html

  22. US Bank DDoS Attack (2015). http://www.nytimes.com/2012/10/01/business/cyberattacks-on-6-american-banks-frustrate-customers.html

  23. Vietnam Bank Swift Hack (2015). http://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN

  24. Aburrous, M., Hossain, M.A., Dahal, K., Thabtah, F.: Experimental case studies for investigating e-banking phishing techniques and attack strategies. Cogn. Comput. 2(3), 242–253 (2010)

    CrossRef  Google Scholar 

  25. Ahmad, M.K.A., Rosalim, R.V., Beng, L.Y., Fun, T.S.: Security issues on banking systems. Int. J. Comput. Sci. Inf. Technol. 1(4), 268–272 (2010)

    Google Scholar 

  26. Alazab, M., Venkatraman, S., Watters, P., Alazab, M., Alazab, A.: Cybercrime: the case of obfuscated malware. In: Global Security, Safety and Sustainability & e-Democracy, pp. 204–211. Springer (2012)

    Google Scholar 

  27. Chachra, N., Savage, S., Voelker, G.M.: Affiliate crookies: characterizing affiliate marketing abuse. In: Proceedings of the 2015 ACM Conference on Internet Measurement Conference, pp. 41–47. ACM (2015)

    Google Scholar 

  28. Claessens, J., Dem, V., De Cock, D., Preneel, B., Vandewalle, J.: On the security of today’s online banking systems. Comput. Secur. 21(3), 253–265 (2002)

    CrossRef  Google Scholar 

  29. FBI: Bank Crime Statistics (2015). https://www.fbi.gov/investigate/violent-crime/bank-robbery/bank-crime-reports

  30. Holz, T., Engelberth, M., Freiling, F.: Learning more about the underground economy: a case-study of keyloggers and dropzones. Comput. Secur.-ESORICS 2009, 1–18 (2009)

    Google Scholar 

  31. Lee, J.H., Lim, W.G., Lim, J.I.: A study of the security of Internet banking and financial private information in South Korea. Math. Comput. Model. 58(1), 117–131 (2013)

    CrossRef  Google Scholar 

  32. Li, W., Chen, H.: Identifying top sellers in underground economy using deep learning-based sentiment analysis. In: 2014 IEEE Joint Intelligence and Security Informatics Conference (JISIC), pp. 64–67. IEEE (2014)

    Google Scholar 

  33. Mannan, M., van Oorschot, P.C.: Security and usability: the gap in real-world online banking. In: Proceedings of the 2007 Workshop on New Security Paradigms, pp. 1–14. ACM (2008)

    Google Scholar 

  34. Motoyama, M., McCoy, D., Levchenko, K., Savage, S., Voelker, G.M.: An analysis of underground forums. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 71–80. ACM (2011)

    Google Scholar 

  35. Oro, D., Luna, J., Felguera, T., Vilanova, M., Serna, J.: Benchmarking IP blacklists for financial botnet detection. In: 2010 Sixth International Conference on Information Assurance and Security (IAS), pp. 62–67. IEEE (2010)

    Google Scholar 

  36. Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., Paxson, V., Savage, S., Voelker, G.M.: Characterizing large-scale click fraud in ZeroAccess. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 141–152. ACM (2014)

    Google Scholar 

  37. Riccardi, M., Oro, D., Luna, J., Cremonini, M., Vilanova, M.: A framework for financial botnet analysis. In: ECrime Researchers Summit (ECrime), 2010, pp. 1–7. IEEE (2010)

    Google Scholar 

  38. Tajalizadehkhoob, S., Gañán, C., Noroozian, A., Eeten, M.V.: The role of hosting providers in fighting command and control infrastructure of financial malware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 575–586. ACM (2017)

    Google Scholar 

  39. Tajalizadehkhoob, S., Asghari, H., Gañán, C., van Eeten, M.: Why them? Extracting intelligence about target selection from Zeus financial malware. In: WEIS (2014)

    Google Scholar 

  40. Financial Crimes Enforcement Network of Department of the Treasury (2015). https://www.fincen.gov/reports/sar-stats

  41. Yousafzai, S.Y., Pallister, J.G., Foxall, G.R.: A proposed model of e-trust for electronic banking. Technovation 23(11), 847–860 (2003)

    CrossRef  Google Scholar 

  42. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 95–109. IEEE (2012)

    Google Scholar 

  43. Zhu, D.: Security control in inter-bank fund transfer. J. Electron. Commer. Res. 3(1), 15–22 (2002)

    Google Scholar 

Download references

Acknowledgements

This research was supported by the National Science Foundation through awards DGE-1723768, ACI-1642078, and CNS-1351038.

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Yasser Karim or Ragib Hasan .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Karim, Y., Hasan, R. (2021). Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer. In: Choo, KK.R., Morris, T., Peterson, G.L., Imsand, E. (eds) National Cyber Summit (NCS) Research Track 2020. NCS 2020. Advances in Intelligent Systems and Computing, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-58703-1_12

Download citation