If the heist had not been foiled and the money recovered there would have been a lot more scrutiny of this incident. As it is, most organizations I talk to are unaware of the incident all together. This article is intended to correct that! Here’s why.
First a recap. Last year it came to light that U.K. authorities had put the kibosh on what would have been the largest bank heist in history.
The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.
These computers evidently belonged to help desk personnel. The keystroke loggers captured everything typed into the computer including, of course, administrative passwords for remote access.
By installing software keystroke loggers on the PCs that belonged to the bank personnel responsible for wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, the thieves captured credentials that were then used to transfer 220 million pounds (call it half-a-billion dollars).
Luckily the police were involved by that time and were able to stymie the attack. Now, on to the “lessons-learned” segment of the article:
I once had a teller “cash” my paycheck along with all the other incoming checks she handled that day; or at least so I thought. The first notice I had that something was amiss was from the bank informing me that the paycheck had not made it to their processing center so they were taking the funds out of my account.
Never mind that I had the receipt given to me by the teller. After meeting with the “security officer” of the bank they finally admitted that the teller in question had absconded with my money and not shown up for work the next day.
The crime here is that they did not report the incident to the police or press charges. They wanted to avoid at all costs letting the public know that a bank teller was not trustworthy.
I can only assume that same teller went on to work at some other bank and repeat her nefarious ways. This tendency on the part of banks to hide from scrutiny is not serving the rest of the banking and financial services industry well.
So be warned. The Sumitomo heist should put get you thinking about security all over again (not that you’ve ever really stopped, but … ). If your internal defenses are inadequate to stop a Sumitomo style attack, you should not rest until you are certain you can defend against the combination of insiders and Trojan horses.
Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner’s Thought Leadership award for 2003 and was named “One of the 50 Most Powerful People in Networking” by Network World Magazine.