Few of you will have heard of Cosmos Bank, especially if you live outside Maharashtra. But the hackers had, and they victimized the 100-year-old Pune-headquartered co-operative bank in a multi-layer hack that transferred out Rs 94 crores.
Experts say the fraud involved breaching the firewall in front of the system that authorizes ATM transactions, after which a proxy server was set up to authorize the transactions instead. In effect the ATMs were dispensing cash without any check on whether the cards were genuine or whether an account was linked to the card at all.
The very first attempt, on August 11, targeted the bank's debit cards and the ATM switch, the system that lets you withdraw cash, change card PINs and do other things to your bank account at an ATM of a different bank.
Most banks in India use the National Financial Switch, the ATM network developed by the National Payments Corporation of India (NPCI).
The hackers cloned VISA and Rupay debit cards to make the transactions and hacked the switch to approve them. The bank confirms the cards were not genuine but dummy cards; the hackers linked the fake cards to the bank by compromising the switch.
14,849 transactions worth over Rs 80 crores were made this way: 12,000 international transactions on VISA cards and the rest domestic transactions on Rupay cards.
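As an added example (not from the article, Cosmos Bank or NPCI), the following Python reconciles constructed sample authorization records the way an issuer might after the fact. It flags the two things the attack above relied on going unchecked: approvals on card numbers that are absent from the bank's own card file (the check a rogue proxy switch never performs), and a burst of approvals spread across many countries within a short window, the signature of a cash-out. The card numbers, timestamps, thresholds and the use of "00" as the approved response code are assumptions made for illustration.

```python
"""Issuer-side reconciliation of ATM authorizations (added example, not
the bank's or NPCI's code). All records below are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Auth:
    ts: datetime
    pan: str          # card number as seen by the switch
    country: str      # acquirer country of the ATM
    amount_usd: float
    response: str     # "00" = approved (ISO 8583 convention, assumed here)


# Constructed issuer card file: the only PANs this bank actually issued.
CARD_FILE = {"4111111111111111", "6521000000000001"}

BASE = datetime(2018, 8, 11, 15, 0)
COUNTRIES = ["US", "CA", "GB", "HK", "AE", "RU", "BR"]

SAMPLE = [
    # Legitimate traffic on issued cards, spread across the day.
    Auth(BASE - timedelta(hours=6), "4111111111111111", "IN", 45.0, "00"),
    Auth(BASE - timedelta(hours=3), "6521000000000001", "IN", 120.0, "00"),
    Auth(BASE + timedelta(hours=5), "4111111111111111", "IN", 60.0, "05"),
] + [
    # Cash-out burst: dummy cards on PANs the bank never issued, approved
    # every 3 minutes from ATMs in seven countries (constructed data).
    Auth(BASE + timedelta(minutes=3 * i), f"4999{i:012d}",
         COUNTRIES[i % len(COUNTRIES)], 100.0 + 200.0 * (i % 5), "00")
    for i in range(12)
]


def orphan_approvals(auths, card_file):
    """Approved authorizations whose PAN is not in the issuer's card file.
    A genuine switch rejects these; a proxy that blindly approves does not,
    so the ledger has to catch them in reconciliation."""
    return [a for a in auths if a.response == "00" and a.pan not in card_file]


def first_cashout_burst(auths, window=timedelta(hours=1),
                        min_count=10, min_countries=5):
    """Return (start, end, count, countries) for the first time window in
    which approvals cluster across many countries, or None if none does.
    Thresholds are illustrative; a real issuer tunes them to its traffic."""
    approved = sorted((a for a in auths if a.response == "00"),
                      key=lambda a: a.ts)
    for i, first in enumerate(approved):
        in_window = [a for a in approved[i:] if a.ts - first.ts <= window]
        countries = {a.country for a in in_window}
        if len(in_window) >= min_count and len(countries) >= min_countries:
            return first.ts, in_window[-1].ts, len(in_window), countries
    return None


if __name__ == "__main__":
    orphans = orphan_approvals(SAMPLE, CARD_FILE)
    print(f"{len(orphans)} approvals on PANs not in the card file, "
          f"total ${sum(a.amount_usd for a in orphans):,.2f}")
    burst = first_cashout_burst(SAMPLE)
    if burst:
        start, end, count, countries = burst
        print(f"cash-out burst: {count} approvals in {len(countries)} "
              f"countries between {start:%H:%M} and {end:%H:%M}")
```

The two checks are deliberately independent: the card-file check works even for a slow, single-country drain, and the burst check still fires if the attacker has somehow inserted the cloned PANs into the card file. Running either one against the switch's authorization feed in near real time, rather than in an end-of-day batch, is what turns a Rs 80 crore loss into a few minutes of exposure.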
VISA says it will look into the matter and identify the issue quickly, enabling financial institutions to take appropriate action to reverse the transactions efficiently.
Then, on August 13, the hackers attacked another payment system banks use, SWIFT, the messaging network through which banks instruct international money transfers. The hackers transferred over Rs 14 crores from Cosmos Bank to an account at a Hong Kong-based bank.
Cosmos Bank has filed an FIR at the local police station stating that initial investigations suggest the attacks originated in Canada. But the method used in the attack clearly indicates that the hackers are no amateurs, and thus unlikely to leave traces; they may well have used proxy servers to mask the locations of their devices.
Cosmos Bank chairman Milind Kale said, “The bank turned off its servers and all internet banking applications after noticing several erratic and abnormally high transactions. These transactions happened over two hours and 13 minutes and were spread across 28 countries where cloned cards were used to debit several amounts ranging from $100 (Rs 6,900) to $2,500 (Rs 1.7 lakh).”
The bank on Tuesday reassured its customers that their money is safe in their accounts and that they will be able to withdraw and use it once the systems are restored within a few days.
For now, Cosmos Bank continues to provide NEFT and RTGS payments through its branches with extra precautions. Pay-in-slip payments and cheque disbursals also continue. The bank will have to work with several countries: the withdrawals appear to have actually happened, and getting the funds back will depend on coordination with several agencies.
According to some experts, the hack could be the work of Lazarus, North Korea's most notorious hacking group. The prolific group has pulled off audacious attacks around the globe before, from leaking and destroying Sony Pictures' data to siphoning off tens of millions of dollars from Polish and Bangladeshi banks.
Just before the co-operative bank was attacked and defrauded, the international media had reported, on Monday, details of an FBI warning.
“The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global automated teller machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks, first reported by KrebsOnSecurity, a site that reports on cybercrime.
“The cybercriminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”