Last week, Pune-based Cosmos Bank lost Rs 94 crore in a coordinated digital fraud comprising thousands of online transactions, made possible by a malware attack on the bank’s systems. A look at how the fraud was carried out, and what questions it raises about security systems:
What the software did
The fraud began with a malware attack. Malware is malicious software that is normally sent as a link to the intended target; once clicked, it can install executable code and scripts. It is normally kept out by anti-malware and antivirus software, and firewalls. In this case, the malware compromised a digital system responsible for settling cash dispensation requests raised at ATMs. As soon as one swipes a card, a request is transferred to the core banking system (CBS) of the bank. If the account has enough money, the CBS will allow the transaction. In this case, the malware created a proxy system that bypassed the CBS and approved a series of 14,800 fraudulent transactions to withdraw Rs 80.5 crore — Rs 78 crore through 12,000 transactions in 28 countries, the rest in India. Another Rs 13.5 crore was transferred to a Hong Kong-based entity using a facility called Society for Worldwide Interbank Telecommunications (SWIFT).
The ATM transfers
These are suspected to have been done with “cloned cards”, although a senior source at National Payment Corporation of India (NPCI) said that this is not certain at this stage. Cloned debit and credit cards have been used in several cyber crimes. The fraudster collects the card details (these are sometimes even sold over the dark net, a network with restricted access) and uses a machine to copy them onto dummies, or blank plastic cards.
How SWIFT works
It is a network that enables financial institutions to send and receive information about transactions in a secure environment. Earlier this year, the SWIFT system at City Union Bank, with its headquarters at Kumbakonam (Tamil Nadu), was targeted, and nearly $2 million in three lots was transferred to banks in Dubai, Turkey and China. The SWIFT system frequently releases security updates. Muslim Koser, director (product development) of Volon, a cyber security firm, suggested that banks ensure that their systems are patched immediately after each update. “The developers at SWIFT need to understand the particular kind of exploits being used and neutralise them,” he added. Former NPCI managing director and CEO A P Hota said, “I think it is the responsibility of individual banks to ensure that their protection measures are in place.”
The attack on Cosmos took place around the same time that the FBI issued a warning of an “ATM cash out attack”, in which fraudsters compromise a bank or payment processor and then use cloned cards at cash machines across the world to withdraw money. These attacks normally take place over the weekend, and Cosmos was attacked on a Saturday.
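To make the signals described above concrete, here is an added example (not from the article, and not code from any bank's systems) in Python. It reconciles a constructed ATM-switch log against what the core banking system itself authorised, which is where a proxy that bypasses the CBS leaves a trace; it looks for the burst of approvals from many countries that characterises an ATM cash-out; and it flags cards that turn up in two countries within minutes, a common cloned-card symptom. All log lines, card numbers and thresholds are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class Withdrawal(NamedTuple):
    txn_id: str
    card: str          # masked card number, constructed
    at: datetime
    country: str

def parse(line: str) -> Withdrawal:
    """Parse one constructed switch-log line: txn_id,card,timestamp,country."""
    txn, card, ts, cc = line.split(",")
    return Withdrawal(txn, card, datetime.fromisoformat(ts), cc)

# Constructed sample log of withdrawals the ATM switch reported as approved.
SWITCH_LOG = """\
T1,5123xxxx0001,2018-08-11T03:00:00,IN
T2,5123xxxx0002,2018-08-11T03:05:00,IN
T3,5123xxxx0003,2018-08-11T03:06:00,US
T4,5123xxxx0003,2018-08-11T03:07:00,CA
T5,5123xxxx0003,2018-08-11T03:09:00,RU
T6,5123xxxx0004,2018-08-11T03:10:00,AE
T7,5123xxxx0005,2018-08-11T03:11:00,HK
T8,5123xxxx0006,2018-08-11T03:12:00,TR
"""
CBS_AUTHORISED = {"T1", "T2"}  # constructed: what the CBS itself recorded as authorised

def unreconciled(log: str, cbs_ids: set) -> list:
    """Switch-approved withdrawals with no CBS authorisation: the trace an
    approval path that bypasses the core system leaves behind."""
    return [w.txn_id for w in map(parse, log.splitlines()) if w.txn_id not in cbs_ids]

def cross_border_burst(log: str, window=timedelta(minutes=30),
                       min_txns=5, min_countries=4) -> bool:
    """Cash-out signature: many approvals from many countries in a short window."""
    rows = sorted(map(parse, log.splitlines()), key=lambda w: w.at)
    for i, first in enumerate(rows):
        hits = [w for w in rows[i:] if w.at - first.at <= window]
        if len(hits) >= min_txns and len({w.country for w in hits}) >= min_countries:
            return True
    return False

def cloned_card_suspects(log: str, window=timedelta(minutes=10)) -> set:
    """Cards approved in two different countries within `window` of each other."""
    by_card = defaultdict(list)
    for w in sorted(map(parse, log.splitlines()), key=lambda w: w.at):
        by_card[w.card].append(w)
    return {card for card, ws in by_card.items()
            if any(a.country != b.country and b.at - a.at <= window
                   for a, b in zip(ws, ws[1:]))}
```

On the sample log, every withdrawal after T2 is unreconciled, the 30-minute window trips the burst rule, and card 5123xxxx0003 is flagged for appearing in three countries in four minutes.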
Hota said the RBI has clear guidelines and if these are followed, such incidents will not happen. “There is a case that as far as security is concerned, attention is given more to commercial banks and cooperative banks have been sidelined. However, there are 9-10 cooperative banks as big as private banks and Cosmos Bank is one of them. Maybe RBI should pay special attention to large cooperative banks,” Hota said. Cyber crime investigation expert Ritesh Bhatia said security measures across Indian banks are moderate and, given the high level of coordinated international attacks, all banks need to upgrade their security mechanisms.
RBI guidelines say that if banks are at fault, they are liable to pay customers. “However, there is also the issue of inconvenience for account-holders. Account-holders at Cosmos Bank could not carry out Internet and mobile banking which were suspended in the aftermath of the attack… Banks form a part of the ‘critical infrastructure’ and one would be sceptical about opening an account at a bank where security has been compromised,” Bhatia said.