Tuesday 3 November 2015

The Die Hard risk in your bank account


It is a business now, some of these organisations have complexes not quite as big as Google but it is an office facility and people come to work. Instead of coming to work out how to create things for cell phones, they go after banks because that’s where the money is.
That’s from cyber-security expert Clay Calvert, director of Cybersecurity at MetroStar Systems, who we contacted last week to get some insight on the multiple ways banking is turning into a cyber-security story.
Also, we wanted to know the degree to which everything is spiralling out of control for banks because cyber criminals are now organising themselves in the style of the more materialistic-minded criminal syndicates before them. It is, experts fear, the beginnings of a new cold war, of Spectre-style proportions. The criminals aren’t lone hackers in basements anymore. They’re high-level organised networks.

Calvert tells us, for example, it’s not just that these organisations are getting large and sophisticated, they run themselves like modern profit-oriented businesses, with weekly targets and commission-based remuneration. And just like modern corporations, they’re competitively minded and fearful of challenges to their market share.
The only difference really is that instead of running enterprises which add value to society, their enterprises destroy it. They don’t contribute to the system. They take from it and never put back.
That one fact alone ensures they operate in a zero sum world. There is, after all, only so much spare output people will get duped into handing over. As a result there’s a maximum extraction rate for cybercriminals at any given time.
Cyber crime really is akin to exploiting exhaustible resources like oil, it seems.
Since you can’t bleed everyone dry in just one go — you’d render your assets dead before you could turn a profit — cyber criminals have learned it’s necessary to coax value slowly out of the system instead.
Indeed, just like the early oil prospectors over in Pennsylvania learned that over-exploitation of resources collapses the market for everyone, cyber criminals have figured out that exploitation only pays if there’s a cap on the number of people doing the exploitation. Cartel-style discipline means everything.
Incidentally, much like with the mafia and Colombian drug cartels, there’s now some serious competition between rival organised cybergangs on the dark web.
Calvert tells us:
The cyber gangs are now turning on each other. One site will hack into another site and they will publish the info to out them.
If there were a million hacking organisations, that would change the world, so they are trying to limit how many people are doing it. Finite resources. They are setting up their territory.
Banking is a cyber security story
Last week, the FT’s Sam Jones outlined how commercialised cyber crime has become. For example, on the dark net, off-the-shelf hacking software is available for as little as $30 a pop, meaning that the business of hacking really is accessible to anyone.*
But what really does it mean to hack people for financial gain?
Draining accounts of funds isn’t all that easy. You can’t just Bonnie and Clyde bags of cash out of people’s accounts.
Anti-money laundering rules, paper trails and know-your-customer regulations ensure hacking is only successful if you can:
  1. Obtain cleared accounts to transfer funds into (hence why the cost of remittances or transfers to light-touch jurisdictions, where anyone can set up accounts or even become their own bank, is so high).
  2. Convince people to voluntarily transfer the money over (usually via extortion or ransom** based on exploitation of personal information, like naked photos etc., or confiscation and ransoming of data).
  3. Run an outright scam involving promises of outsized financial returns if honest accounts provide proxy services.
  4. Hope the victim doesn’t notice that small sums are being skimmed on a regular basis, which when done on a mass scale adds up.
  5. Get privileged information and trade off it.
  6. Force ATMs to pay out paper cash.
It’s as much about psychology and persuasion as it is outright force-based theft.
The Carbanak cybergang robbery, which saw up to $1bn stolen in about two years from financial institutions worldwide, is an excellent example of such strategies.
As Kaspersky noted, a combination of strategies 1, 3, 4 and 6 was used. People didn’t notice the missing sums because the hack literally involved creating bank liabilities in the form of pure money printing, which inflated account balances before the funds were transferred into proxy accounts controlled by the criminals or directly debited via ATMs.
The vulnerability was the ease with which hackers could create bank liabilities without any legitimate offsetting assets on the banks’ ledgers or balance sheet.
The hack, in other words, was based on outstandingly detailed knowledge of bank operations — above all knowledge that loan decisions create money-like liabilities which the system at large views as cash.
That’s a big problem for banks because it equates to the very same thing as originating bad assets, which have no repayment possibility and certainly no interest income.
If you thought subprime write-downs were bad, just think how much worse bank balance sheets full of “hacker-lifestyle”-backed assets are. Especially when banks themselves are probably unsure of how many fake assets (or loans) may have been created.
The looser a bank’s loan creation criteria — the basic input of core personal data: identification numbers, addresses, credit scores and so forth rather than assessment via face-to-face qualitative means — the easier for a hacker to convince the system an asset with an offsetting liability has been created.
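The control that catches the failure described above is an independent reconciliation of the ledger against its own journal: every entry must have matching debits and credits, the stored balances must equal what replaying the journal from the opening balances produces, and the accounting identity (assets equal liabilities plus equity) must hold. The following is an added example, not code from the article, Kaspersky or any bank's core system; the account names, the posting convention and the four-account ledger are constructed for illustration. It flags two of the patterns the text describes: a liability credited with no offsetting asset, and a balance that was edited directly without any journal entry behind it.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed chart of accounts (hypothetical; not from the article).
# Asset balances grow on debit; liability and equity balances grow on credit.
ACCOUNT_TYPES = {
    "cash": "asset",
    "deposits:alice": "liability",
    "deposits:bob": "liability",
    "deposits:mule": "liability",
    "equity": "equity",
}


@dataclass
class Posting:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass
class JournalEntry:
    entry_id: str
    postings: List[Posting]


def unbalanced_entries(journal: List[JournalEntry]) -> List[str]:
    """Ids of entries whose debits != credits: a liability minted with no offsetting asset."""
    return [
        e.entry_id
        for e in journal
        if sum((p.debit for p in e.postings), Decimal(0))
        != sum((p.credit for p in e.postings), Decimal(0))
    ]


def replay(opening: Dict[str, Decimal], journal: List[JournalEntry],
           types: Dict[str, str] = ACCOUNT_TYPES) -> Dict[str, Decimal]:
    """Recompute every balance from the opening balances plus the journal alone."""
    balances = dict(opening)
    for entry in journal:
        for p in entry.postings:
            delta = p.debit - p.credit
            if types[p.account] != "asset":
                delta = -delta
            balances[p.account] = balances.get(p.account, Decimal(0)) + delta
    return balances


def balance_drift(replayed: Dict[str, Decimal],
                  snapshot: Dict[str, Decimal]) -> Dict[str, Tuple[Decimal, Decimal]]:
    """Accounts whose stored balance differs from the replayed one: changed outside the journal."""
    accounts = set(replayed) | set(snapshot)
    return {
        a: (replayed.get(a, Decimal(0)), snapshot.get(a, Decimal(0)))
        for a in sorted(accounts)
        if replayed.get(a, Decimal(0)) != snapshot.get(a, Decimal(0))
    }


def identity_gap(balances: Dict[str, Decimal],
                 types: Dict[str, str] = ACCOUNT_TYPES) -> Decimal:
    """(liabilities + equity) - assets; zero when the books balance."""
    assets = sum((b for a, b in balances.items() if types[a] == "asset"), Decimal(0))
    claims = sum((b for a, b in balances.items() if types[a] != "asset"), Decimal(0))
    return claims - assets


# Constructed sample ledger: opening balances satisfy the accounting identity.
OPENING = {
    "cash": Decimal("100000"),
    "deposits:alice": Decimal("1000"),
    "deposits:bob": Decimal("2000"),
    "deposits:mule": Decimal("0"),
    "equity": Decimal("97000"),
}

JOURNAL = [
    # E1: a genuine cash deposit, properly offset.
    JournalEntry("E1", [Posting("cash", debit=Decimal("500")),
                        Posting("deposits:alice", credit=Decimal("500"))]),
    # E2: alice's balance is inflated by 9000 with no debit anywhere (the "money printing").
    JournalEntry("E2", [Posting("deposits:alice", credit=Decimal("9000"))]),
    # E3: the inflated amount is moved to a proxy account; this entry itself balances.
    JournalEntry("E3", [Posting("deposits:alice", debit=Decimal("9000")),
                        Posting("deposits:mule", credit=Decimal("9000"))]),
]

# Balances as stored by the core system; bob's was edited directly, with no journal entry.
SNAPSHOT = {
    "cash": Decimal("100500"),
    "deposits:alice": Decimal("1500"),
    "deposits:bob": Decimal("20000"),
    "deposits:mule": Decimal("9000"),
    "equity": Decimal("97000"),
}


def audit(opening=OPENING, journal=JOURNAL, snapshot=SNAPSHOT) -> dict:
    """Run the three reconciliation checks and return the findings."""
    replayed = replay(opening, journal)
    return {
        "unbalanced": unbalanced_entries(journal),
        "drift": balance_drift(replayed, snapshot),
        "identity_gap": identity_gap(replayed),
    }


if __name__ == "__main__":
    for check, finding in audit().items():
        print(f"{check}: {finding}")
```

Each check is independent of the application that wrote the journal, which is the point: a compromised operator account or back-office process can issue plausible-looking instructions, but it cannot make an unbalanced entry balance, and a balance edited behind the journal's back shows up as drift the next time the books are replayed.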
That’s the paradox in the system. The more automated, streamlined and people-lite the banking process — especially back-office confirmation and settlement — the easier it is for a hacker to game the system. But the more costly it is to police the system, which is already being pressured by capitalisation costs, the lower the profit margins for banks.
Small wonder the banks are suddenly obsessed with permissioned blockchain ledgers.
On the surface the technology promises to do the impossible: allow banks to cut human costs with automated tools — improving margins — and remain hacker resilient.
The way it plans to do this? Mostly, by taking banking back into the medieval age of single-entry accounting, wherein outstanding liabilities alone determined “value” on a bank’s books, with no consideration of the asset side.
Furthermore, chances are, it will take collective algorithmic action to permission new liabilities based on asset origination, meaning asset quality will no longer be determined by competing banks but by the group. It’s the re-cartelisation of banking to the point of near single unity status, especially once all the human intelligence is gone. Banking union like you’ve never seen before.
Will this be effective? Probably not. As Calvert tells us a lot of hacking is based on taking control of legitimate processes. It’s about impersonating instructions from member-network banks and hoping the rest of the network doesn’t notice they’ve come from a corrupted computer or source.
Which is why for as long as individual banks retain the right to create assets according to their own competitive IP-based prerogative — rather than be dictated to by the standards of the cartel — hacking risk remains. That’s blockchain or no blockchain.
And since limiting the outstanding number of liabilities to some arbitrary number makes no sense for a fluctuating economy, banking with blockchain is simply a route to a single non-competitive monetary authority issuing asset-backed liabilities in the system (i.e. a central bank).
Not that issuance via a single-central authority running an internal blockchain would contain the hacking risk. The point of failure will always and forever be connected to the weakest individual in the group. We know this, well, because Die Hard tells us so:
Takagi: [Hans is threatening to kill Takagi if he doesn't divulge the code to the vault] I don’t know it, I’m telling you. Get on a jet to Tokyo and ask the Chairman. I’m telling you, you’re just going to have to kill me.
Hans Gruber: Okay.
[shoots Takagi in the head]
Hans Gruber: We do it the hard way.
Which is why the only line of defence is in loading up on trustworthy, vetted, socially commended people. A costly proposition for banks.
Additional notes and caveats:
* When data goes on sale for $30, this can really be treated as a liquidity-prompted asset swap. A good way to think of it is as follows: the hacker selling the data knows the data has value but he does not have the time or the resources to employ it to its full potential. He offers it, as a result, at a discount to those in the market with current liquidity who do have the potential to maximise its value beyond its current trading price. People like professional cyber extorters, vindictive spouses or colleagues, or organised hackers operating mass-market hacking operations.
** Just wait until hackers start taking control of your IoT connected devices — especially self-driving cars — and threatening you with near certain death unless you make a legitimate transfer.

1 comment:

  1. "The vulnerability was the ease with which hackers could create bank liabilities without any legitimate offsetting assets on the banks’ ledgers or balance sheet." - That's right. We have an accounting problem here. The right statement is: "The vulnerability IS the ease with which BANKERS CAN create bank liabilities without any legitimate offsetting assets on the banks’ ledgers or balance sheet." And it can be corrected very easily: just account for money creation in the asset side of the balance and register the corresponding legitimate liability as SEIGNIORAGE DUE TO THE BODY SOVEREIGN.
