Is it possible to steal money directly from the systems of a big bank?

Question

Sometimes I imagine: My money in the bank is just a floating point number in a mainframe's memory... So, if I just change 1 bit, I will win a lot of money...

The most common way to steal money in banks today is to just ask people for their account information and credentials, through fake e-mails or websites. However, this would seem to leave a fairly high chance of being identified if the victim catches on.

Alternatively, are there more anonymous ways by which one might steal money directly from the bank's servers? Or, is this virtually impossible to the point that the only real weakness lies in the customers?

Is a hack like this only possible in Hollywood movies, or can it really be done in reality? Are there any known cases of this already having happened.

Answer 1

Each transaction needs an audit trail - numbers need to come from somewhere - and bank systems have these checks in place. Are they perfect? Almost, but enough to make it easier to look for other attack vectors, like humans.

Did I mention that I was in jail in a far away country and I need you to wire me money for bail?

Answer 2

Alright, here's how you steal money from a bank's computer:

Make a wire or ACH transfer to another bank. Withdraw that money from the other bank. If you're of the go big or go home mentality, run that money to a lot of other banks. Taking in a big wire transfer and immediately sending it back out might look suspicious to the receiving bank if it's the only transaction, but receiving a big transfer and sending maybe 20% of it out would seem normal. Also, embedding the transfer into some other account that is normally highly active would also be helpful.

Remember, it's not yours until it's cash. Wire transfers can be reversed, so you need to make the withdrawal or get it so far gone and laundered that it isn't coming back.

Sometimes that line into the bank is through an outside computer at a regular company. This case has a few examples of where real money was taken from a bank by computer.

See the bottom of that article for links to the incidents below. The article focuses on the PATCO case which I've talked about previously

Experi-Metal Inc., which in December 2009 sued its former bank, Comerica, after losing more than $550,000 in fraudulent wire transfers;

Village View Escrow of Redondo Beach, Calif., which in March lost $465,000 to an online hack;

Choice Escrow, which in November 2010 sued its bank, BankcorpSouth, alleging inadequate security measures;

Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;

The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.

Answer 3

Banks use a lot of security, but sure - you still have smart, well paid criminals who will try and find misconfigurations, weaknesses, vulnerabilities or loopholes as it is less physically risky to try to steal money over the Internet than to hold up a bank with a gun.

Still reasonable odds of getting caught if you pull off a big one - see this FBI article on the Worldpay heist arrests. The clever bit of this job was using a large gang of people withdrawing up to the maximum on cards at locations all over the world simultaneously.

Answer 4

There is always a possibility, but especially with banks it's close to impossible. There have been cases of banks being hacked.

There are a number of measures in place to prevent this. On the other hand if you look around there are still a number of banks using basic input authentication methods that are rather easy to obtain through social engineering or sniffing (recent topic).

There are probably even more cases than admitted, banks do not really want to be known as insecure.

Maybe something else you might fancy is a recent article about how one could exploit stock exchanges by abusing latencies.

Answer 5

The most common way to steal money from a bank is probably still wire fraud and in person robberies. It would be difficult to steal money directly from the bank, more likely the attack would be against individual accounts. People still commit frauds like check kiting.

Most cyber attacks are carried out by professional criminals using a number of mules to funnel the money. This is typically a well organized group or syndicate. By utilizing mules, the criminal organization can put the fall on the mule and escape with the money. Check out some of the articles from Krebs on Security.

From: http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud-graphic

If money is illicitly wired out of your account, you have a good amount of protection under Regulation E in the US. And in many cases, the transaction will be reversed. The bank may also reimburse you without taking the effort to recover the money if its actually cheaper considering time and effort and your value to the bank.

Banks do in fact keep regular audit trails, monitor account activity, etc. Many smaller banks to not allow external transfers for regular individual customers through their Internet banking or require special authorization. Most banks are not implementing two-factor authentication for logon and before each transaction for commercial accounts and/or large transfers. Banks can monitor for unusual activity and respond to suspected fraud. Many banks also offer account activity alerts the individual can use to start a fraud investigation.

It would be possible to attack the banks internal applications, but those would still typically be attacks against customer accounts in most cases, not "the bank's money". Internal applications should also have controls in place to detect fraud or irregular activity. Most of a bank's applications are going to deal with the customer's money.

Here are some additional resources:

• Attacks on Banks
• US Cert: Understanding and Protecting Yourself Against Money Mules

Answer 6

All the banks I've worked with have an extreme amount of security surrounding the "mainframes" you are referencing. They are only accessible via device 'x' (locked down in some basement with no outside access, etc). All transactions go via proxies and multi-layered FW/IPS architectures. It's not impossible, but it's anything but easy

Edit:: Not to mention the endpoint security on the actual servers themselves. Gaining access to them may not even be the biggest problem (SSH key only logins etc).

Answer 7

First off that's not stealing money from the bank it's more like printing your own cash.

Technically it is possible to make money that way however only the central banks to do this so you'd need to have access to their systems to allocate currency to a commercial bank and then further allocate that to yourself. You'd also have to bypass the audit trail in the bank's systems and the heuristics which would flag up any large sudden windfall.

If you want to rob a bank account the best method remains transferring to a holding account and then to an e-gold service, finally forwarding to a collector account where a designated collector (hired on commission not the actual person stealing the cash) empties the account in cash.

Any straight bit flip would instantly be picked up by the auditing heuristics programs as any unexpected change in a balance or transfer will be flagged whether legitimate or not.

Answer 8

Some years ago a JavaScript code was injected into the website of a bank. It was silent and it just kept collecting credentials. People then used those credentials to steal money from the bank with a minimum effort, compared to hacking down to the core of the system.

The problem is that systems are circular. Where the beginning of the circle meets the returning line there exists a weak link. What is hard is correctly identifying the weak link and exploiting it.