How to hack a bank

Tom was trying to hack a bank.

Based in Copenhagen, he targeted a Nordic financial institution. Assisted by a team of hackers, he began by casing the joint: Working out who works for the bank, what they do, and where the bank's mainframe is located. By going after its employees, Tom's team managed to obtain passwords and logins, and almost everything required to gain access.

But there was a catch: "[The bank] had secured the mainframe so you could only access the mainframe from one building physically," Mikko Hypponen, chief research officer at security company F-Secure told Business Insider.

Tom managed to get initial access to the building by going to a formal event there under false pretenses. "And then as they were being escorted out of the building he asked to be taken to the toilet, and just stays there. Doesn't come out for 45 minutes." When he finally emerged, the host escorting him had vanished.

"So then he's in his suit with his laptop, walking around this building in plain sight," Hypponen said. "But nobody cares because he seems to know what he's doing, walking with purpose," talking to people. He "sits down in an empty cubicle, takes out his laptop, connects the cable - he's in the right building - gains access to the mainframe."

Tom didn't do any damage, or attempt to move any funds. That's because he was a penetration-tester employed by F-Secure. The Nordic bank had contracted the security company to test its systems - and, mission accomplished, they had been found lacking

But then Tom didn't leave.

"He's getting hungry," said Hypponen. "He's like 'I can do better!' He's pinged the mainframe, it pings back in two milliseconds." The hacker set himself a new goal: "I'm going to find this mainframe, and take a selfie with the mainframe."

"So he's guessing it's in the basement, because that's where it's most likely to be - and he's in floor four, so he needs to get down several floors. Which is hard, because you don't have a pass, so how do you do that? You chat with people. He's walking the corridor with someone who is obviously going that way ... 'Hey, how you doing, haven't seen you in ages' ... talking with someone as he is going through the doors. Don't try to hide, put yourself out in the open, because no-one expects you to do that if you're an outsider.

"So he gets down two or three floors ... getting closer, when bad luck happens. He's walking the corridor, and at the other end of the corridor is the host from two hours ago, same guy. Tom is trying to walk away, but too late - he sees him, he's caught. The guy comes over: 'Hold on, how are you here, you can't possibly be here, I left you in the toilet three hours ago!' And Tom is like 'yeah, I'm lost!' 'Okay, this a security breach, I have to escort you out.'"

At this point, Tom decides there's no reason keeping up the pretense. He explains to the host that he works for a security consulting company, and he's doing an audit of the bank. "The host goes 'ohhhh, I see. You have a good day!" and goes away, and leaves him there. That's it!

"Then he gets down one more floor, actually finds the mainframe, and takes the selfie."

He stole employee passwords, got in, got access to the bank's systems - even got caught! - and still managed to get away again.

Hypponen concludes: "People are a weak link, because there's no patch. There's nothing you can do to fix that."

Bank hacking for dummies ...

There has been a flood of news about hacks targeting financial insitutions recently. The national bank of Bangladesh was hit in a highly sophisticated attack, with the attackers taking off with $81 million (£58 million) - and attempting to steal as much as $1 billion (£710 million).

The group has also attacked banks in Ecuador, Vietnam, and the Philippines, according to investigators.

Hackers are getting more ambitious, spending longer on attacks, and demonstrating greater sophistication, experts told Business Insider - and the rewards they're reaping are larger than ever.

So how do you hack a bank?

For starters, you need to scope the organisation out. Like Tom and his team did, you need to research employees, and work out who you are going to target. This is because you're likely to rely on human error for your initial penetration - using a phishing scam to steal an employee's password, dropping a USB stick with malware on, etc. - rather than exploiting a vulnerability in the bank's outwards-facing systems.

"It's very hard to guarantee a company will have forgotten to patch a system, or they'll have a coding error in their website application, or they'll have some other vulnerability you can exploit from the outside," says Luke Hull, UK & Ireland director for Mandiant, a FireEye-owned security firm that is one of those investigating the Bangladesh bank hack.

"It's a lot easier to trust in the fact someone in that organisation is going to click a link in an email, or they're going to fall for a scam of some kind, and that's going to give you that first level of access."

The attacker's resources will determine the nature of the attack.

How the employees are compromised will be dependent on the determination and sophistication of the attacker. You can buy off-the-shelf "exploit kits" for infecting employees with malware for around £1,000 ($1,400) that can - potentially - get you in, while at the higher end attacks will be far more targeted and considered.

Another option for getting in is hiring someone on the inside, if the stakes are high enough. "If you're stealing hundreds of millions of dollars, you can afford to have a mole inside the organisation planted there," said Mikko Hypponen. "That's going to pay itself back a thousandfold."

Once in, some level of technical skill will be required to move through the network undetected - with some attackers demonstrating remarkable finesse. In the case of the Bangladesh hack, the bank had a security feature that printed out every transaction on paper. "They knew the data on computers can be falsified, but if it's on paper it cannot be changed," explained Hypponen. "And they actually bypassed that," hacking the printers themselves to hide the fraudulent transactions.

Attackers are willing to spend months on attacks in pursuit of their goals, with operations acting much like traditional businesses. Jobs are sometimes advertised in advance, with clearly defined roles, Luke Hull explains. In addition to technical jobs, you've got human resources-type support roles, as well as "people behind the scenes who can handle the business end" - understanding how the bank functions, mapping out its corporate structure as the infiltrators move through it.

Successful attackers will ultimately end up with valid user accounts and an intimate knowledge of how the bank operates. At that point, what you do next depends on what your motivations are.

Hackers target banks for cash - or intelligence.

For many hacks, the end game will be turning a profit. This means, when infiltrating a bank, the goal is to gain access to its money-transfer systems to steal funds.

The attacker will attempt to send cash to an account elsewhere that they control; in the recent bank hacks, this has been via the SWIFT network, an international messaging system between banks.

The funds, once successfully exfiltrated, will be laundered - while the hacker attempts to cover their tracks to give them maximum time for the getaway, as the Bangladeshi hackers did with the printer hack.

But that's not the only reason you might want to hack a bank. Some other attacks - largely carried out by government-backed hackers - have a different aim: intelligence-gathering. Across all industries, around 45% of the attacks Mandiant detects will be nation state attacks, Hull said.

"If a nation state were to attack the bank I'm sure they'd be much more interested in things like where is the bank moving the money ... if they had their own central bank, how does it match up ... all this kind of stuff is information collection, and all this kind of stuff requires a very low footprint and very longterm access. So they're probably not going to be moving money."

In other words, if you're hacking a bank for intel, then you're not going to risk setting off alarm bells by trying to steal funds. Your end game is to sit there quietly, watching.

And this is what makes one theory about the culprits behind the Bangladesh hack so unusual.

"This would have been the first in history"

Code discovered in the hack has been seen before - in the devastating 2014 hack of Sony Pictures, and used against South Korean banks and media companies. In both cases, North Korean hackers have been blamed.

If North Korea is behind the bank hacks, it would be a world-first. If true, "it's a financial attack, they're trying to fix their budget," Hypponen says. "And this makes it even more unique, because we have seen thousands of nation state attacks over the last 15 years. Every single one of them - every single one - has been either espionage or sabotage. They're either stealing information, or doing stuff like Stuxnet. This would have been the first in history which is a nation state doing offensive cyber attacks to steal money."

Bloomberg reports that that investigators have also found evidence of state-sponsored Pakistani hackers in Bangladesh's central bank - and it may be a third, as-yet unidentified organisation that was responsible for the actual theft of funds. (If correct, this would mean while North Koreans may have also breached the bank, they were presumably only there for intelligence-gathering purposes.)

Who is this third group? An unpublished report from Booz Allen Hamilton "makes the case this is Filipino-Chinese businessmen collecting money to overthrow the government of the Philippines," Mikko Hypponen told Business Insider. "The technical evidence doesn't really support all that so far as I can see, but it's perfectly possible."

The Booz Allen Hamilton report has not been released publicly, and the organisation did not respond to Business Insider's request for a copy of the report.

Whoever's behind the recent string attacks - it's likely that there are more to come. "I'm certain there are other cases, which either the banks don't know about themselves or which just haven't been made public," Hypponen said. "These attacks have targeted more banks than just these four."

And the majority of attacks against financial institutions by other groups of attacks are likely going unnoticed says Mandiant's Luke Hull. "I'd be surprised if the majority of attacks were recognised. A lot of attacks, unless you catch them right at the start, they ... move further away from malware. You start to use actual user accounts as if they were in the office, start to use their home working solutions, and eventually you use their actual accounts to move money or something. At that point it becomes more of an antifraud exercise than a technical redesign exercise."

This is a "wakeup" call, experts say.

The attacks on central banks mark a break from tradition.

"We have seen banks targeted by online criminals for 15 years," F-Secure's Mikko Hypponen said. "But most of the attacks - practically all of the attacks - against banks have not been against banks' own central systems. It's about the banks' customers' systems."

Why? "Because banks are very good at securing their own systems. They put a lot of money in there. It's kind of hard to break - it's doable, but it's very hard. As opposed to breaking a bank's customer's systems ... trivial. Of course you can't steal as much from them, but if you have a thousand victims, and you steal a thousand euros from each, that's a million euros."

Industries tend to be targeted in a cyclical basis. Businesses in one sector get hit hard, they upgrade their systems to a point where its no longer profitable for hackers to target them, and so the attackers move onto something else. "They pick an industry, beat it up, and get out before the money is spent on security," Hull said.

Hypponen said: "We saw a great wakeup call in the industrial control sector six years ago with Stuxnet ... the car industry woke up last year."

After banking, who will be next to wake up?

"I don't know, but I guess we'll find out."