On February 16th, Kaspersky Lab reported what they called “The greatest heist of the century”. One billion USD was taken from a hundred banks across 30 countries (Image 1). The cyber-criminal gang, dubbed “Carbanak”, carried out the two-year-long heist. They avoided targeting end users and instead stole directly from the banks, unnoticed.
Image 1: Carbanak Reach
Online communications used by banks, as well as by end users for Internet banking and online shopping, are susceptible to various malicious attacks: a malicious third party can intercept credit card and bank information. Symmetric encryption methods were used to prevent interception of confidential messages. A symmetric encryption system uses the same key to encrypt and decrypt a confidential message, so the sender and the receiver both need the same key, and to share it the two ends need to communicate it. The problem was that this key could be intercepted as easily as the encrypted message itself, leaving it vulnerable to a malicious third party.
Public Key Cryptography (PKC) solved this. In the PKC system a message is encrypted using a public key (available to everyone) and can only be decrypted using the corresponding private key (known only to the receiver). One way to see this is the mailbox at our homes: everyone who has our address can post into the mailbox, but only those living in that home have the key to open it. The sender encrypts a message using the publicly available key, and only the receiver who holds the corresponding private key can decrypt it. This ensures confidentiality.
However, how do we know that an impostor is not sending the message? To ensure both message integrity (confidentiality) and non-repudiation (sender authenticity), Enveloped Public Key Encryption (EPKE) was used. This means that the sender encrypts his message both with his own private key and with the receiver’s public key. Whatever is encrypted with a public key can only be decrypted with the matching private key, and vice versa. The following diagram (Image 2) illustrates how this system works:
Image 2: Envelope Public Key Encryption system
The corresponding private keys are nearly impossible to decode by brute force (i.e. trial and error).
To further authenticate that the sender and receiver are not impostors, SSL certificates are used. SSL certificates are like online ID cards that verify a website’s authenticity: they ensure that the website you are visiting is the site it claims to be. Certificate Authorities (CAs) issue certificates to websites that have been validated as authentic. The browser indicates a secure website with a lock icon or a green URL bar (Image 3). When a site is validated, an SSL handshake occurs between the sender and receiver, which determines the encryption used for communication, thus establishing a secure connection between the two.
Image 3: Browser URL bars
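What the browser's lock icon summarises, as an added example that is not from the original article: the hostname and validity-period checks a client performs on a server certificate, run here over a constructed certificate dictionary in the shape Python's ssl `getpeercert()` returns (the names, issuer and dates are made up). The last function shows the live variant, where Python's default context performs the CA and hostname verification itself during the handshake.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# every value is made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

def name_matches(pattern, hostname):
    """Exact match, or a single wildcard covering only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_certificate(cert, hostname, now=None):
    """Return the problems a browser would flag; an empty list means the lock icon."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(p, hostname) for p in sans):
        problems.append(f"name {hostname!r} is not in the certificate {sans}")
    return problems

def fetch_peer_cert(hostname, port=443):
    """Live variant (needs network): the default context already verifies the CA
    chain and hostname during the handshake, so an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError before we ever see it."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((hostname, port)),
                         server_hostname=hostname) as s:
        return s.getpeercert()
```
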
Despite these high security measures, why were hackers still able to pull off this billion-dollar heist? The gang relied on human carelessness. Kaspersky reported that in all observed raids, bank systems were compromised by spear phishing emails (emails targeting a specific organization that appear to come from a trusted source). After gaining access, the gang carried out surveillance of bank procedures and stole confidential files. Every activity on staff computer screens was observed and mimicked precisely to siphon off the money without raising suspicion.
While security protocols have been set up, it is the human’s responsibility to be alert to suspicious emails and to attempts to steal data via impersonation or interception. End users can avoid leaving their information vulnerable by keeping their passwords secure and not reusing them. They can also avoid suspicious emails and software. Additionally, end users should check the authenticity of the website they are interacting with using the SSL certificate indicators.
Introduction to Public-Key Cryptography. (2005, September 26). Retrieved February 23, 2015, from https://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography
Computer Science Unplugged. (n.d.). Retrieved February 24, 2015, from http://csunplugged.org/public-key-encryption
Public Key and Private Keys. (n.d.). Retrieved February 23, 2015, from https://www.comodo.com/resources/small-business/digital-certificates2.php
Rouse, M. (2008, June 1). What is asymmetric cryptography (public-key cryptography)? – Definition from WhatIs.com. Retrieved February 23, 2015, from http://searchsecurity.techtarget.com/definition/asymmetric-cryptography
Description of Symmetric and Asymmetric Encryption. (n.d.). Retrieved February 24, 2015, from http://support.microsoft.com/kb/246071
Firefox. (n.d.). Retrieved February 22, 2015, from https://support.mozilla.org/en-US/kb/secure-website-certificate
Drozhzhin, A. (2015, February 16). The greatest heist of the century: Hackers stole $1 bln. Retrieved February 24, 2015, from http://blog.kaspersky.com/billion-dollar-apt-carbanak/
Lennon, M. (2015, February 15). Hackers Hit 100 Banks in ‘Unprecedented’ $1 Billion Cyber Heist: Kaspersky Lab | SecurityWeek.Com. Retrieved February 24, 2015, from http://www.securityweek.com/hackers-hit-100-banks-unprecedented-1-billion-cyber-attack-kaspersky-lab
Yadron, D., & Glazer, E. (2015, February 16). Hackers pull off billion dollar bank heist. Retrieved February 22, 2015, from http://www.businessspectator.com.au/news/2015/2/16/technology/hackers-pull-billion-dollar-bank-heist
Cyber bank robbers steal $1bn, says Kaspersky report. (2015, February 16). Retrieved February 22, 2015, from http://www.bbc.co.uk/news/business-31482985