Remember how your crazy old Aunt Sally stashed all her money in between mattresses because
“You just never can trust a bank to keep your money, Dearie.”?
You all rolled your eyes and pulled out dollar bills when she turned the other way. But hey, maybe she was on to something.
A bit of technical info on bank transfers
If you have ever tried to transfer money overseas from one bank to another you know you’ll need lots and we are talking LOTS of information – the person’s name and bank account number, bank address, bank branch, the IBAN number, which is an internationally agreed upon method to identify accounts within banks, and the eight or eleven digit SWIFT code. The SWIFT code, short for Society for Worldwide Interbank Financial Telecommunication, is a standard set of bank identifier codes and a unique identifier for the particular bank. The SWIFT code is sort of like a message relay system to send instruction on how and where to transfer money from one bank to another.
In theory, all these codes and numbers come together to ensure that the money gets sent from the right account and ends up in the right account.
This is all good and well when hackers aren’t in the picture. But when they do rear their ugly little criminally-minded heads, things don’t go as they should. Back in February of this year, $81 million was plucked out of the Bangladesh Central Bank by malware that send fraudulent messages using the SWIFT code protocol. By way of instructions sent using SWIFT, the bank was told to send the money to a specified foreign account in incremental amounts. Then in May a bank in Vietnam disclosed that it had been successful in thwarting an attack of about $1 million and now a third bank in Ecuador has been attacked using the same malware and the same method – and this time the hackers got away with $12 million.
Trojan.banswift’s deep roots
The crafty hackers are using a trojan called trojan.banswift to get in and create the instructions used to create fraudulent transfers. Trojan.banswift is linked to other very powerful banking trojans that have been used for years in all sorts of bank breaches. It’s also linked to a hacking group known as “Lazarus” which has been targeting businesses for years. Lazarus, in turn, is linked to the malware that helped breach Sony in the infamous Sony breach of 2014. Powerful stuff, indeed.
According to Bloomberg News, SWIFT has called on all member banks “to “urgently review” payments and messaging controls” but that ultimately, “members are responsible for their own system interfaces”. And while you might not be thinking of sending any large sums of money across the pond any time soon, there are a few lessons to take away here when it comes to your own online banking habits:
- Don’t bank while using public WiFi. When you use public WiFi, your information is essentially wide open for all to see. A safer bet is to wait until you get home to do your banking from a secure connection.
- Patch and update all software and operating system updates as soon as you are prompted to. The vulnerabilities in outdated software are the perfect entry point for hackers and no good do’ers. Patching them closes those holes, keeping the hackers out.
- Ignore phishing emails and phone calls that purport to be from your bank. Your real bank will never ever call or email you and ask you to give over your password. If you receive a suspicious email that says it’s from your bank, get out your banking card and call the number listed on the back of the card to check if it’s legit or not.
- Make sure you are set up with a solid anti-malware system like RCS that will block all malware and other unwelcome visitors. Malware that enters computers and other devices via links and attachments to emails or by way of malvertisements can wind up clearing out your bank accounts. Making sure you’re set up with a reliable and strong anti-malware keeps those baddies away in the first place.
- Stay constantly vigilant. Hackers change their attack methods all the time and you can’t let your guard down for even a moment when it comes to the security of your banking credentials. Let’s say for some reason your bank’s website seems odd or different in any way, stay off of it until it’s back to normal. Hackers are always trying to intercept secured connections and sometimes they go as far as to set up spoofed websites that are almost indistinguishable from the real ones. Just by entering one incorrect letter in a website address or by clicking a link in an email they sent can direct you to their fake site, where they sit, waiting to jump on that unsecured connection.
Lastly, like SWIFT said, ultimately the responsibility is yours – It’s up to you to make sure you do all you can to secure your digital identity, because no one else is going to take care of it for you. You don’t need to stash your cash in your bedroom, just make sure you use your head and secure down your online bank accounts and credentials. That way, nobody can say you’re as eccentric as old Aunt Sally, and you might just earn a few dollars in interest along the way too.