Cosmos Co-operative Bank India suffers massive security breach involving a huge sum of money: what experts have to say
Cyber criminals stole approximately Rs 94 Crore from the Pune-headquartered Cosmos Cooperative Bank Ltd, the second oldest and second biggest cooperative bank in India.
The malicious actors first cloned ‘Visa’ and ‘Rupay’ debit cards. This is believed to be a coordinated digital security breach, in which the money was withdrawn through thousands of ATM transactions carried out from 28 countries.
In a public statement, Cosmos Bank chairman Milind Kale said, “The fraudulent transactions were carried out last Saturday and on Monday and the malware attack originated in Canada. In two days, hackers withdrew a total of Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India.” On Monday, hackers again fraudulently transferred Rs 13.92 crore to a Hong Kong-based bank.
In response to the incident, the bank registered an FIR and shut down all its servers and net banking facilities. The case has also been referred for cyber forensic investigation, to recover forensic artifacts from the collected evidence and to report on the criminals’ modus operandi and the exact damage they caused.
In normal operation, the Core Banking System (CBS) receives debit card payment requests via its ‘Switching System’. In this malware attack, however, the attackers set up a proxy switch, and all the fraudulent payment approvals were passed through that proxy switching system instead of the bank’s own.
After the incident was made public, a warning that the Federal Bureau of Investigation (FBI) of the United States had issued privately to banks came to light; it warned of a threat to the banking industry from cyber criminals engaged, on a global scale, in a malicious activity called “ATM Cashout”.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks privately on Friday.
The FBI said that the perpetrators are an organised cyber crime group whose criminal activities include the following:
- Targets are mainly small to medium organizations
- Access bank customer card information and exploit network access
- Theft of money on a large scale
- Used cloned cards
- The operations were carried out mostly on weekends
- Alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, enabling large cash withdrawals from ATMs
To trick the bank, the cyber criminals would, just before the ‘ATM cashout’ transactions, remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions per day.
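Added here as an illustration (not code from the article or from any party it quotes): a Python check that reconciles settled ATM withdrawals against the authorisations the Core Banking System actually issued, and flags the cash-out patterns the FBI alert lists (limits exceeded, many countries in a short window). All log lines, field names and limits are constructed.

```python
"""Detection example (added, not from the article): reconcile ATM settlement
records against Core Banking System (CBS) approvals and flag cash-out patterns.
All log lines, field names and limits below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: withdrawals the card network settled (one per line).
SETTLED = """\
2018-08-11T10:02:11Z,card=4111xx1001,country=CA,amount=20000,auth=A1
2018-08-11T10:05:40Z,card=4111xx1001,country=HK,amount=20000,auth=A2
2018-08-11T10:07:02Z,card=4111xx1002,country=IN,amount=10000,auth=A3
2018-08-11T10:09:15Z,card=4111xx1001,country=CA,amount=20000,auth=A4
2018-08-11T10:12:30Z,card=4111xx1003,country=IN,amount=5000,auth=A5"""

# Constructed sample: authorisations the CBS itself issued. A1/A2/A4 never
# reached it, which is what approvals answered by a proxy switch look like.
CBS_APPROVED = {"A3", "A5"}

# Constructed policy: daily withdrawal cap and max transactions per card per day.
DAILY_CAP = 40000
MAX_TXN_PER_DAY = 3

def parse(line):
    """Turn one settlement line into a dict with typed ts and amount."""
    ts, *kv = line.split(",")
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["amount"] = int(rec["amount"])
    return rec

def find_anomalies(settled_text, cbs_approved, daily_cap=DAILY_CAP, max_txn=MAX_TXN_PER_DAY):
    """Return (reason, card, detail) findings for a day's settlement feed."""
    findings, per_card = [], defaultdict(list)
    for rec in map(parse, settled_text.splitlines()):
        # A settled withdrawal with no CBS approval means the approval came from elsewhere.
        if rec["auth"] not in cbs_approved:
            findings.append(("settled_without_cbs_approval", rec["card"], rec["auth"]))
        per_card[rec["card"]].append(rec)
    for card, recs in per_card.items():
        total = sum(r["amount"] for r in recs)
        # Limits exceeded on the feed but not enforced: the controls may have been removed.
        if total > daily_cap or len(recs) > max_txn:
            findings.append(("limit_exceeded", card, total))
        countries = {r["country"] for r in recs}
        span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs)
        if len(countries) > 1 and span.total_seconds() < 3600:
            findings.append(("multi_country_within_hour", card, sorted(countries)))
    return findings
```

In practice the settlement feed and the CBS authorisation log would be pulled from the switch and core system rather than embedded as strings; the reconciliation logic is the same.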
What industry experts have to say:
According to Nikhil Bedi, Partner, Deloitte India, robust security systems and incident response capabilities are imperative for all companies and financial institutions that are custodians of customer data and customer assets, including funds.
“While there is growing awareness to regularly update an organisation’s cyber preparedness and defence mechanisms, a large number of institutions wake up to this reality only post an incident which often leads to a loss of reputation and/or financial misappropriation,” Bedi said in a statement.
“This is a big challenge especially for banks, where it is no longer sufficient to protect just your data centres and your headquarters, you have to protect ATMs and branch offices in addition to securing incoming data even from affiliated organisations,” cautioned Anshuman Singh, Senior Director, Product Management at Barracuda Networks Inc.
“Regulators need to develop a risk management framework, including adequate threat response strategies and define the chain of command in case of a security breach,” said Sanjay Katkar, Joint Managing Director and Chief Technology Officer at Pune-based Quick Heal Technologies Limited.
“Hiring chief information security officers must be made mandatory for players in the BFSI domain. The sector should also run regular security protocols and simulations to test their incident response capabilities,” Katkar told IANS.
“One of our network members has confirmed a malware attack on their system,” NPCI said, while reiterating that its systems are fully secured and that this issue has occurred within the bank’s information technology environment.
According to Sandeep Arora, CEO, CyberImmersionsSolutions (a niche solutions provider in cyber security and digital forensics), “It clearly demonstrates significant security gaps and lack of preparedness to identify and respond to cyber-attacks by the companies in India. There is an urgent need for cyber security professionals to have a seat at board level and accountability to go up till the board. Personal Data Protection Bill 2018 is definitely going to be an enabler in this direction by putting liability including imprisonment for directors in the company.”
The police are getting the transaction details from the bank and the primary focus right now will be to probe the domestic transactions, in which Rs 2.5 crore were withdrawn from ATM machines. Cross-border investigation depends on the co-operation and help from the respective countries, Jyotipriya Singh, deputy commissioner of police (cyber and economic offences wing), Pune Police, told PTI.
“An SIT has been formed to investigate the case,” Singh said, adding that she would be supervising the probe and work as a nodal officer to coordinate with various agencies.
The co-operative bank had informed the police about an abnormal transaction at an ATM located in Kolhapur, Maharashtra. The police are also checking when the latest cyber security audit of the bank’s systems was conducted and whether the systems were protected or not, the DCP said.