National Bank of Pakistan refutes hacking / cyber crime allegations.
So, it was not 'hacking', but 'fraudulent withdrawals'. However, the fact is that there is a limit of Rs20,000/- and that is all that a client should be able to withdraw in one day. The attack managed to get Rs20 million from accounts that had zero money in them. Here is an image of the notice published in the papers.

Labels: Banking and Finance, Hack
NBP security was bypassed by using other banks' ATM cards where the accounts had no balance.
====================================================
NBP admits gang withdrew Rs20m in Multan - By Sher Baz Khan
ISLAMABAD, March 15: The National Bank of Pakistan on Saturday said that some people had fraudulently withdrawn Rs20 million from its automated-teller machines (ATMs) in Multan, while the Federal Investigation Agency believes that the bank’s online money providing system has been “hacked”.
While NBP president Ali Raza said the misuse of bank’s ATMs in the industrial zones of Punjab was a mere “glitch” and not a cyber crime, the head of FIA’s National Response Centre for Cyber Crimes (NR3C), Syed Ammar Jafri, told Dawn that the NBP’s ATM service had been hacked and it was a cyber crime.
“That’s why the NBP management has sought the help of NR3C — the FIA’s special wing for combating cyber crimes,” Mr Jafri added.
“Give me three or four days and I will tell you how many people are involved in the crime.” He did not rule out the involvement of those who knew about the security system of NBP’s ATM service.
He said it could also happen to other banks operating in Pakistan, but the NBP had been targeted perhaps for its weak security.
He said the FIA had taken into custody a retired employee of a bank, Amir Abbas, who was being grilled. Amir was arrested in Multan after the NBP management had registered an FIR against him.
Mr Jafri said that without hacking the system it was impossible to withdraw cash from the NBP’s One-Link through cash cards with zero balance. He said that cash cards of two employees of another bank, one of them retired, had been used, which meant that those who withdrew money had hacked the NBP system.
“If the system was not hacked how the ATMs were made to give positive response instead of negative?” he asked.
Sources told Dawn that before the NBP suspended its One-Link service on Friday, the gang had withdrawn money from four branches of the NBP in Islamabad.
However, the bank’s spokesperson said she did not know anything about the misuse of ATMs in the capital.
NBP’s clients can now use only the bank’s own ATM facility after the suspension of One-Link.
The sources said that millions of rupees had been withdrawn from the bank’s branches in Lahore, Sialkot and Faisalabad as well.
An official statement issued by the NBP said that with the bank’s help some culprits had been arrested red-handed while conducting fraudulent withdrawals from ATMs in Multan.
“The gang is currently being interrogated by the FIA and a case has already been registered with the relevant agency,” the statement said.
“The bank hopes to recover the fraudulently withdrawn money from those who perpetuated the fraud.”
The NBP is currently in the process of re-certification of its ATM switch software with One-Link and software vendor which is expected to be completed in two weeks. Soon after the completion of the process, the NBP will restore its links with other banks (14 in number) which are members of the One-Link.
An expert told Dawn that it required at least a thousand transactions (days) to withdraw Rs20 million from the NBP through ATMs which restricted clients to taking out only Rs20,000 per day.
Labels: Banking and Finance, Hack
Looks like an inside job, with an employee subverting the security system of the ATMs.
===============================================
NBP suspends inter-bank ATM service after fraud - By Sher Baz Khan
ISLAMABAD, March 14: The National Bank of Pakistan (NBP) on Friday unilaterally suspended its One-Link service with 14 other banks after finding out that a cyber gang had withdrawn millions of rupees from its different branches through automated-teller machines (ATMs) by cracking the PIN codes and hardware security modules.
Sources told Dawn that the bank had also sought the help of the FIA to determine how the gang had been misusing a couple of “zero-balance” accounts of two employees of another bank, one of them retired, and getting complete command over the ATM system of the NBP.
They said that involvement of some employees of both the banks could not be ruled out as one employee of the NBP headquarters in Karachi, in charge of hardware security of the bank’s online money supply service, had disappeared along with loads of information about private accounts and their ATM PIN codes.
Police have also arrested Amir Abbas, an employee of the Lahore branch of the other bank, one of the 14 banks sharing the ATM service with NBP.
Mr Abbas is being grilled by police while search is on for one Ali Hassan alias Bacha, who is believed to be the chieftain of the gang.
Insiders told Dawn that the bank’s management had detected ‘cyber theft’ of over Rs3 million from its ATMs in Multan and Lahore in recent weeks.
But it was surprised to find similar cases unfolding in its branches operating in the industrial belt of Punjab in Sialkot, Gujranwala and Lahore.
After following the transactions, the bank management found that the same group had withdrawn another over Rs8 million from the NBP’s ATM in Punjab just over the last weekend.
The sources said the hackers had targeted branches of the NBP operating in the industrial areas of Punjab because ATMs of these branches are normally filled to the brim.
The NBP management is also busy tracing similar transactions in other parts of the country, perhaps by members of the same gang.
Initial investigations have found that the gang had full command over the entire ATM hardware system of the bank, which means that some employees of the bank’s ATM department had links with the gang and had provided them the data needed to hack the system.
In normal cases, an account holder can withdraw a maximum of Rs20,000 in 24 hours from an NBP ATM. But the hackers had full control even over this function and are believed to have made the machines deliver large sums in one go.
The NBP’s ATM issuance service has already come to a halt for a couple of months, an NBP employee said.
He said the bank had decided not to re-start its One-Link ATM system with all other partner banks without installing a new security system.
The NBP fears massive attacks on its hacked online money supply system across the country forcing it to suspend its One-Link operations for an indefinite period.
The employee said that ironically the NBP had not installed closed-circuit cameras to cover its ATMs. Therefore, it is difficult to tell exactly how the gang drew money from the machines.
The NBP authorities are also investigating whether the ATM hacking started when its absconding employee was attending his office or after he had left to be with his accomplices while drawing cash from the machines.
NBP President Ali Reza and some other top officials could not be reached for the official version on the issue.
Labels: Banking and Finance, Hack, Insider
This is an article on how to break the security on fingerprint-enabled 'secure' USB memory sticks. The sticks' basic design is insecure.
To cut to the chase:
both sticks use something that's said to be very secure: fingerprint scanning. Then, why did they fail?
The answer is simple: the key to the encryption has to be stored on the stick in some way.
This is how it works: If you have a program doing encryption with a password as a key, the program doesn't have to know the password itself when not used. You run the program, enter the password, and the password is used to decrypt the info. Close the program and it will forget the password: it's stored nowhere on your computer. It's not needed: you yourself can enter the exact password when you want to have access to your data anymore. But you must enter exactly the password you've chosen: you can't make any mistake like using a capital-A instead of a lowercase one.
Fingerprints aren't that precise. If you scan your fingerprint two times, the scans will always be subtly different. Pressure differences, the way you slide your finger over the sensor, interference, loss of skin cells... they all contribute to a certain amount of noise to the picture. You can't encrypt something with that: you need something that never changes. As far as I know, it's not possible to distill from a fingerprint a certain piece of data that never changes, but still has variation enough to make it impervious to brute-force-attacks.
So, all systems have to take another route: encrypt the disk with a certain random key and hide that key somewhere together with the fingerprint of the user of the stick. As soon as the stick is inserted, the user is asked for his fingerprint and it is then compared to the stored copy. If they match, the disk is decrypted using the stored key.
The problem with that is simple: if the program handing out the key to the decryption routine can be hacked, the hacker can, one way or another, get the key. There's no way around that: the program can access the key and the hacker can access the program: that means the hacker can access the key.
There are two ways around this: The first one is not to allow the program access to the key. Truecrypt and other password-based programs do this, but as I explained, it's difficult for a fingerprint-based solution to do this. The other way is: don't allow the hacker access to the program. This would mean embedding a controller in the stick which should do all the fingerprint-comparing itself. While a really skilled hacker could still try and get into the microcontroller, it would be much, much more difficult to get to the data than with a software-based solution. Unfortunately, this solution is way more expensive than a PC-software-based solution.
Labels: crypto, Hack, News Article
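The two designs contrasted in the fingerprint-stick article above, as an added Python sketch that is not from the article: a password-derived key that is never stored, versus a stored key released after a host-side fingerprint match. The toy cipher, the byte-wise match threshold and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy cipher for illustration only: XOR with SHA-256(key || offset) blocks.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Design A (password-based): the stick holds salt, ciphertext and a MAC tag, never the key.
def seal_password(password: str, plaintext: bytes) -> dict:
    salt = os.urandom(16)
    key = derive(password, salt)
    ct = keystream_xor(key, plaintext)
    return {"salt": salt, "ct": ct, "tag": hmac.new(key, ct, "sha256").digest()}

def open_password(stick: dict, password: str):
    key = derive(password, stick["salt"])
    tag = hmac.new(key, stick["ct"], "sha256").digest()
    return keystream_xor(key, stick["ct"]) if hmac.compare_digest(tag, stick["tag"]) else None

# Design B (fingerprint match in host software): a random key is stored next to the template.
def seal_fingerprint(template: bytes, plaintext: bytes) -> dict:
    key = os.urandom(32)
    return {"template": template, "key": key, "ct": keystream_xor(key, plaintext)}

def scans_match(template: bytes, scan: bytes, threshold: float = 0.9) -> bool:
    same = sum(a == b for a, b in zip(template, scan))
    return len(scan) == len(template) and same / len(template) >= threshold

def open_fingerprint(stick: dict, scan: bytes):
    if not scans_match(stick["template"], scan):
        return None
    return keystream_xor(stick["key"], stick["ct"])

def stored_state_suffices(stick: dict, expected: bytes) -> bool:
    # Design-review check: is the data recoverable from what is stored, with no user input?
    key = stick.get("key")
    return key is not None and keystream_xor(key, stick["ct"]) == expected

if __name__ == "__main__":
    secret = b"constructed sample document"
    template = bytes(range(64))                      # constructed stand-in for a fingerprint scan
    noisy = bytes([template[0] ^ 1]) + template[1:]  # second scan of the same finger, one byte off
    a, b = seal_password("correct horse", secret), seal_fingerprint(template, secret)
    print(open_fingerprint(b, noisy) == secret, stored_state_suffices(a, secret), stored_state_suffices(b, secret))
```

A second scan that differs by one byte still passes the threshold match but would hash to a different value, which is why the key in design B cannot simply be derived from the scan and has to be stored.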
A GROUP of computer hackers suspected of seizing control of a British military communications satellite using a home computer, triggering a "frenetic" security alert, has been traced to the south of England.
A security source said that, up to a month ago, the hackers found a "cute way" into the control system for one of the Ministry of Defence's Skynet satellites and "changed the characteristics of channels used to convey military communications, satellite television and telephone calls".
Contrary to reports in a Sunday newspaper, the group did not move the satellite, nor did it attempt to blackmail the MoD, and the Serious Fraud Office is not involved in investigations.
Instead, the hackers triggered a "frenetic rather than panic-stricken" response by MoD officials as the intrusion was characteristic of an information-warfare attack, when enemies attempt to destroy or disrupt military communications networks.
The hackers are being investigated by Scotland Yard's Computer Crimes Unit and the Communications Electronics Security Group at GCHQ, with assistance from the US Air Force.
American hackers passed on information that implicates hackers in southern England. Scotland Yard is assembling evidence and arrests are expected soon.
The hackers intercepted the link between the Skynet's control centre and the ground station. The source said the hackers "managed to reprogram a satellite control system. In many ways, the clever thing was not to lose the satellite."
Last week, Margaret Beckett, Leader of the Commons, warned of the growing risk of malicious electronic attacks on Britain's critical information infrastructure. "Hijacking a satellite is one of the first activities in an infowar attack," the source said. Defence staff examined several other classified points that would be expected to be attacked in the event of an information warfare assault. "Initially, the attack was thought to be an overt act of war. Now we think it was a mischievous act."
A spokesman for Scotland Yard said a computer hacker was being investigated. "The hacker is believed to be targeting several different international sites, some of which may include military installations," he said.
Britain has three satellites that form what is known as Skynet 4, the most modern generation of British military satellites. The first generation was launched in the 1960s and Skynet 4 went up in the late Eighties. The satellite that was infiltrated is believed to cover Scandinavia, the North Sea and northern England. Like all the MoD's satellites, and the two others Britain operates for Nato, it is controlled by the Royal Air Force.
The British hacking community was "astounded and envious" at the audacity of the attack, said one British hacker. "We guess that it is an unusual crew, probably a group of students with access to the control system," he said.
The hacker group is believed to have used a "recipe" describing how to attack satellite control command systems, published several years ago by a Briton who subsequently fled to Japan to avoid arrest for another hacking incident.
Several years ago, an American hacker called Capt Midnight grabbed control of an American television satellite. He replaced some of the channels with a test card that protested at the introduction of pay-television.
Geoff Bains, editor of What Satellite?, said: "It has always amazed me that more people have not done this. You just have to learn a few control codes and send up your own signal to play around with a satellite yourself."
Labels: Hack, Military