Lessons Learned from Biggest Bank Heist in History

By Richard Stiennon


Last year’s news that thieves had managed to break into Sumitomo Mitsui Bank’s London branch and attempt to transfer almost $440 million to accounts in other countries should give CIOs cause for concern.

If the heist had not been foiled and the money recovered, there would have been a lot more scrutiny of this incident. As it is, most organizations I talk to are unaware of the incident altogether. This article is intended to correct that. Here's why.

First, a recap. Last year it came to light that U.K. authorities had put the kibosh on what would have been the largest bank heist in history.

The story is still developing, but this is what we know: thieves masquerading as cleaning staff, with the help of a security guard, installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel. The keystroke loggers captured everything typed on them, including, of course, administrative passwords for remote access.

By then installing software keystroke loggers on the PCs of the bank personnel responsible for wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, the thieves captured the credentials that were then used to attempt transfers of 220 million pounds (call it half a billion dollars).

Luckily, the police were already involved by that time and were able to stymie the attack. Now, on to the "lessons learned" segment of the article:

  • Despite everything banks have done to secure their operations, they are ludicrously vulnerable to a very simple attack. The Sumitomo case involved physical infiltration, yet the same result could have been obtained if the attackers had simply emailed Trojan-horse software to the right people, bundling the malware with some legitimate-looking proposal, PowerPoint presentation, or resume.

  • With the bank robbers still at large, who are they targeting right now? Every organization with critical financial operations that can be breached with a username/password pair should put in place protections against keystroke loggers and system monitors.

  • Even if you are not a bank you should do scenario planning to determine what your exposure is to this type of attack. Could a small gang or an individual use these techniques to capture quarterly financial figures before they become public? Could they capture and make use of critical information during negotiations with a union or prior to an acquisition?

  • And finally, nothing has changed in the world of corporate security, especially banking. Organizations attempt to cover up security incidents even when disclosure could help the industry as a whole.

    I once had a teller "cash" my paycheck along with all the other incoming checks she handled that day, or at least so I thought. The first notice I had that something was amiss was from the bank, informing me that the paycheck had not made it to their processing center, so they were taking the funds out of my account.

    Never mind that I had the receipt given to me by the teller. After meeting with the “security officer” of the bank they finally admitted that the teller in question had absconded with my money and not shown up for work the next day.

    The crime here is that they did not report the incident to the police or press charges. They wanted to avoid at all costs letting the public know that a bank teller was not trustworthy.

    I can only assume that same teller went on to work at some other bank and repeat her nefarious ways. This tendency on the part of banks to hide from scrutiny is not serving the rest of the banking and financial services industry well.

So be warned. The Sumitomo heist should get you thinking about security all over again (not that you've ever really stopped, but … ). If your internal defenses are inadequate to stop a Sumitomo-style attack, you should not rest until you are certain you can defend against the combination of insiders and Trojan horses.
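The second lesson above, that a static username/password pair harvested by a keystroke logger can simply be typed in again by the thief, is easy to show in code. What follows is an added example, not code from the article or from the bank: it implements the RFC 4226 HOTP one-time-code algorithm and constructs a toy keystroke logger, two login servers and a sample password, so that the same captured keystrokes can be replayed against each. The static password replays; the one-time code does not.

```python
# Added example (not from the article): why a captured static password replays
# but a captured one-time code does not. HOTP follows RFC 4226; the servers,
# the "keylogger" and the sample password are constructed for this demo.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticPasswordServer:
    """Login that checks a fixed password: anything the keylogger saw works forever."""

    def __init__(self, password: str) -> None:
        self._password = password

    def login(self, typed: str) -> bool:
        return hmac.compare_digest(typed.encode(), self._password.encode())


class HotpServer:
    """Login that checks a counter-based one-time code and burns it on success."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self._secret = secret
        self._counter = 0              # next counter value the server will accept
        self._look_ahead = look_ahead  # tolerate a token that got ahead by a few presses

    def login(self, typed: str) -> bool:
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(typed.encode(), hotp(self._secret, c).encode()):
                self._counter = c + 1  # this code and every earlier one is now dead
                return True
        return False


def keylogger_replay_demo() -> dict:
    """Clerk logs in once to each server while a keylogger records the keystrokes;
    the thief later retypes exactly what was captured. Returns each attempt's outcome."""
    keylog = []  # constructed: the keystroke logger's capture buffer

    def type_into_terminal(server, text: str) -> bool:
        keylog.append(text)  # the logger sees every keystroke before the server does
        return server.login(text)

    static_srv = StaticPasswordServer("swift-ops-2005!")  # constructed sample password
    token_secret = b"12345678901234567890"                # RFC 4226 sample secret
    hotp_srv = HotpServer(token_secret)

    results = {}
    results["static_clerk"] = type_into_terminal(static_srv, "swift-ops-2005!")
    results["hotp_clerk"] = type_into_terminal(hotp_srv, hotp(token_secret, 0))
    # The thief replays the captured keystrokes verbatim.
    results["static_replay"] = static_srv.login(keylog[0])
    results["hotp_replay"] = hotp_srv.login(keylog[1])
    # The legitimate clerk's next token press still works: the counter moved on.
    results["hotp_clerk_next"] = hotp_srv.login(hotp(token_secret, 1))
    return results


if __name__ == "__main__":
    for attempt, ok in keylogger_replay_demo().items():
        print(f"{attempt:18s} {'accepted' if ok else 'rejected'}")
```

One caveat the page's own scenario implies: a logger sitting on the SWIFT operator's PC can hand a freshly typed code to an attacker who uses it before the operator does, so one-time codes defeat replay but not a real-time relay. Closing that gap needs a control on the transfer itself, such as out-of-band confirmation of the payment details or dual authorisation, rather than a stronger login alone.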

Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.