This video purports to be a bank robbery in Kiev. The robber first threatens a teller, who basically ignores him because she's behind bullet-proof glass. But then he threatens one of her co-workers, who is on his side of the glass. Interesting example of a security system failing for an unexpected reason.
The video is weird, though. The robber seems very unsure of himself, and never really points the gun at anyone or even holds it properly.
Posted on August 14, 2017 at 6:03 AM
Ross Anderson describes DigiTally, a secure payments system for use in areas where there is little or no network connectivity.
Posted on November 30, 2016 at 9:33 AM
The Economist has an article on the potential hacking of the global financial system, either for profit or to cause mayhem. It’s reasonably balanced.
So how might such an attack unfold? Step one, several months before mayhem is unleashed, is to get into the system. Financial institutions have endless virtual doors that could be used to trespass, but one of the easiest to force is still the front door. By getting someone who works at an FMI or a partner company to click on a corrupt link through a “phishing” attack (an attempt to get hold of sensitive information by masquerading as someone trustworthy), or stealing their credentials when they use public Wi-Fi, hackers can impersonate them and install malware to watch over employees’ shoulders and see how the institution’s system functions. This happened in the Carbanak case: hackers installed a “RAT” (remote-access tool) to make videos of employees’ computers.
Step two is to study the system and set up booby traps. Once in, the gang quietly observes the quirks and defences of the system in order to plan the perfect attack from within; hackers have been known to sit like this for years. Provided they are not detected, they pick their places to plant spyware or malware that can be activated at the click of a button.
Step three is the launch. One day, preferably when there is already distracting market turmoil, they unleash a series of attacks on, say, multiple clearing houses.
The attackers might start with small changes, tweaking numbers in transactions as they are processed (Bank A gets credited $1,000, for example, but on the other side of the transaction Bank B is debited $0, or $900 or $100,000). As lots of erroneous payments travel the globe, and as it becomes clear that these are not just “glitches”, eventually the entire system would be deemed unreliable. Unsure how much money they have, banks could not settle their books when markets close. Settlement is a legally defined, binding moment. Regulators and central banks would become agitated if they could not see how solvent the nation’s banks were at the end of the financial day.
In many aspects of our society, as attackers become more powerful the potential for catastrophe increases. We need to ensure that the likelihood of catastrophe remains low.
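The "tweaking numbers in transactions" step above is exactly what bilateral reconciliation is meant to catch: every credit one bank records must be matched by an equal debit at its counterparty. The following is an added example (not from the Economist article or this post) with constructed ledgers for a hypothetical Bank A and Bank B; it flags tampered, missing and phantom entries and shows how the two banks' net positions stop adding up.

```python
from decimal import Decimal

# Constructed sample data: each bank's record of interbank transfers for one
# settlement window, keyed by transaction id. A credit is positive, a debit
# negative, as the recording bank saw it.
LEDGER_A = {
    "T1": Decimal("1000"),    # A credited 1,000
    "T2": Decimal("-2500"),   # A debited 2,500
    "T3": Decimal("1000"),    # A credited 1,000
    "T4": Decimal("-700"),    # A debited 700
    "T5": Decimal("1000"),    # A credited 1,000
}
LEDGER_B = {
    "T1": Decimal("-1000"),   # B debited 1,000: consistent with A
    "T2": Decimal("2500"),    # consistent with A
    "T3": Decimal("0"),       # tampered: B debited 0 against A's 1,000 credit
    "T4": Decimal("900"),     # tampered: B credited 900 against A's 700 debit
    # T5 is absent: B never recorded the debit side at all
    "T6": Decimal("-100000"), # phantom: B debited 100,000 for a transfer A never saw
}

def reconcile(ledger_a, ledger_b):
    """Return (txn_id, reason) for every entry without a matching counter-entry.
    In a consistent double-entry record, amount_a + amount_b must be zero."""
    anomalies = []
    for txn_id in sorted(set(ledger_a) | set(ledger_b)):
        if txn_id not in ledger_b:
            anomalies.append((txn_id, "missing at B"))
        elif txn_id not in ledger_a:
            anomalies.append((txn_id, "missing at A"))
        else:
            a, b = ledger_a[txn_id], ledger_b[txn_id]
            if a + b != 0:
                anomalies.append((txn_id, f"amount mismatch: A={a} B={b}"))
    return anomalies

def net_positions(ledger_a, ledger_b):
    """What each bank believes its net position is after the window. For two
    banks trading only with each other these should sum to zero; when they do
    not, neither bank knows how much money it actually has."""
    return sum(ledger_a.values()), sum(ledger_b.values())
```

Running reconcile on the constructed ledgers flags T3, T4, T5 and T6; the clean T1 and T2 pass, and the net positions (-200 and -97,600) no longer cancel.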
Posted on July 25, 2016 at 6:10 AM
The New York Times is reporting that some women in China are being forced to supply nude photos of themselves as collateral for getting a loan. Aside from the awfulness of this practice, it’s really bad collateral because it’s impossible to ever get it back.
Posted on June 20, 2016 at 6:01 AM
This interesting essay argues that financial risks are generally not systemic risks, and instead are generally much smaller. That’s certainly been our experience to date:
While systemic risk is frequently invoked as a key reason to be on guard for cyber risk, such a connection is quite tenuous. A cyber event might in extreme cases result in a systemic crisis, but to do so needs highly fortuitous timing.
From the point of view of policymaking, rather than simply asserting systemic consequences for cyber risks, it would be better if the cyber discussion were better integrated into the existing macroprudential dialogue. To us, the overall discussion of cyber and systemic risk seems to be too focused on IT considerations and not enough on economic consequences.
After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.
Posted on June 10, 2016 at 12:56 PM
Ross Anderson liveblogged this year’s Financial Cryptography conference.
EDITED TO ADD (3/20): Details of the associated Bitcoin workshop.
Posted on March 15, 2016 at 12:37 PM
I saw two related stories today. The first is about high-denomination currency. The EU is considering dropping its 500-euro note, on the grounds that only criminals need to move around that much cash. In response, Switzerland said that it is not dropping its 1,000-Swiss-franc note. Of course, the US leads the way in small money here; its biggest banknote is $100.
This probably matters. Moving and laundering cash is at least as big a logistical and legal problem as moving and selling drugs. On the other hand, countries make a profit from their cash in circulation: it’s called seigniorage.
The second story is about the risks associated with legal marijuana dispensaries in the US not being able to write checks, have a bank account, and so on. There’s the physical risk of theft and violence, and the logistical nightmare of having to pay a $100K tax bill with marijuana-smelling paper currency.
Posted on February 19, 2016 at 6:34 AM
It helps if you own the banks:
The report said Shor and his associates worked together in 2012 to buy a controlling stake in three Moldovan banks and then gradually increased the banks’ liquidity through a series of complex transactions involving loans being passed between the three banks and foreign entities.
The three banks then issued multimillion-dollar loans to companies that Shor either controlled or was connected to, the report said.
In the end, over $767 million disappeared from the banks in just three days through complex transactions.
A large portion of this money was transferred to offshore entities connected to Shor, according to the report. Some of the money was then deposited into Latvian bank accounts under the names of various foreigners.
Moldova’s central bank was subsequently forced to bail out the three banks with $870 million in emergency loans, a move designed to keep the economy afloat.
It’s an insider attack, where the insider is in charge.
What’s interesting to me is not the extent of the fraud, but how electronic banking makes this sort of thing easier. And possibly easier to investigate as well.
Posted on May 8, 2015 at 6:13 AM