Sumitomo Matsui Bank sophisticated hacking sends alarm signals

London, UK - 17 March 2005, 11:30 GMT - A criminal gang with advanced
hacking skills has tried to steal GBP 220 million (USD 421 million) from the
London offices of the Japanese banking group Sumitomo and transfer the funds
to 10 bank accounts around the world. Intelligence on the attempted theft,
carried out via key-logging software installed on banks' computers, has been
circulating in security circles since late last year, after police warned
financial institutions to be on the alert for criminals using Trojan Horse
technology that can record every keystroke made on a computer.

Police at the National High Tech Crime Unit (NHTCU) in the UK have been investigating
the case since October, when the gang gained access to Sumitomo's computer
systems and tried to transfer the cash electronically to several bank accounts
around the world. One of the most audacious bank thefts attempted in London
for many years was uncovered just before any cash was transferred, in a joint
operation with police forces. Israeli police have arrested a man whose business
account had been the intended recipient of over GBP 10 million of the cash.
The man has been charged with money laundering and deception.

When money and information are both digital, the key challenge for criminals
is obtaining the identity authentication details that give access to valuables.
If authentication is via a password only, identity theft is easier. The global
computer-dependent society is essentially in 'easy mode' on authentication,
but not for long, as criminals exploit weaknesses in identity management, according
to the mi2g Intelligence Unit.

Earlier this month, using stolen passwords from legitimate customers, intruders
accessed personal information on as many as 32,000 US citizens in a database
owned by the information broker LexisNexis. At LexisNexis, criminals found
a way to compromise the log-ins and passwords of a handful of legitimate customers
to get access to the database. The FBI and the US Secret Service are both
investigating the breach. The database that was compromised, called Accurint,
sells reports for $4.50 each that include an individual's Social Security
number, past addresses, date of birth and voter registration information,
including party affiliation.

The announcement comes close on the heels of a series of similar high-profile
breaches, the most serious affecting another large data broker, ChoicePoint
Inc., in which a number of identities were stolen. The ChoicePoint case, as
well as other data losses including one affecting some 1.2 million federal
employees with Bank of America charge cards, has prompted an outcry for federal
government oversight of a loosely regulated commercial sector. In the data-brokering
business, sensitive data about nearly every adult American is bought and sold.

The global economic damage from all types of digital risk, including overt
and covert digital attacks, malware incidence, phishing scams, DDoS and spam,
is estimated to lie between USD 470 billion and USD 578 billion for 2004,
more than double the damage calculated for 2003 by the mi2g Intelligence
Unit. [Breakdown damages are available.] At an estimated 1.2 billion computer
units worldwide, the damage lies between USD 390 and USD 480 per machine.
As of 2004, the damage caused by digital risk manifestations per
machine is running equivalent to the average price of a new computer unit.
In 2005 and 2006, the 'digital damage per machine' figure is projected to
exceed the price of the machine significantly as the price of computers keeps
coming down and the damage from digital risk carries on rising.

"The Sumitomo Matsui attempted heist is the tip of the iceberg that came to
light. Banks are already beginning to shy away from their responsibility to
compensate users in the event of an online fraud where they have issued
warnings and the incapability of the user is to blame," said DK Matai,
Executive Chairman, mi2g. "The
present computing environment is not fool-proof and is not safe enough because
of under-investment, inadequate training and incomplete authentication layers.
This era is likely to come to an end with a bang. Triple layer authentication
based on something you are, something you know and something you have is the
way for the future. Users and government regulators will demand change and
they have the collective power to influence the thinking of banks and computing
vendors who have at times put profits and time-to-market before safety and
security."

Digital risk damages are calculated by the mi2g Intelligence Unit on
the basis of helpdesk support costs, overtime payments, contingency outsourcing,
loss of business, bandwidth clogging, productivity erosion, management time
reallocation, cost of recovery and software upgrades. When available, Intellectual
Property Rights (IPR) violations as well as customer and supplier liability
costs have also been included in the estimates.

[ENDS]

mi2g is at the leading edge of building secure on-line banking, broking
and trading architectures. The principal applications of our technology are:
1. D2-Banking;
2. Digital Risk Management; and
3. Bespoke Security Architecture.

mi2g pioneers enterprise-wide security practices and technology to
save time and cut cost. We enhance comparative advantage within financial
services and government agencies. Our real time intelligence is deployed worldwide
for contingency capability, executive decision making and strategic threat
assessment.