Keeping money safe is about to get a lot more difficult. Security researchers at the RSA #cyber security conference in San Francisco this week offered ample evidence that hackers are becoming more adept at infiltrating banking systems and even blockchain platforms, built to handle bitcoin transactions, are also vulnerable.
Global banking systems under attack
Despite billions spent to secure networks, banks are vulnerable to attacks as cyber criminals become more sophisticated in injecting malware into connected systems. A sign of what’s to come can be found in last year’s breach of Bangladesh Bank, where thieves gained access to funds through hacking of the SWIFT messaging system used by over 3,000 global institutions. The criminals got away with $81 million of the $951 million they attempted to steal.
Researchers also pointed out that the world’s ATM structure is sadly outmoded. According to IBM security adviser Bruce Schneier, “Ninety-five percent of the world’s ATM machines are still running on Windows XP.” Microsoft ended their support for the operating system in 2016.
The machines’ out-of-date technology has not gone unnoticed by criminals either. Less than a year ago, cyber thieves executed malicious software on an ATM network in Taiwan that yielded over $2 million before the country’s largest banks suspended withdrawals.
Blockchain flaws revealed
There are also growing concerns that the blockchain, a platform used to handle cryptocurrency transactions and “smart” contracts, may be vulnerable to hacking as well. Two separate presentations at this week’s RSA conference focused on vulnerabilities in a technology that many believed was virtually impossible to breach.
The issues with the blockchain are centered around the use of cryptographic keys and wallets where bitcoin currency is stored. Konstantinos Karagiannis, chief technology officer for British Telecom Americas, delivered a presentation at RSA that documented how advances in quantum computing will make it easier to obtain a blockchain user’s private key. He urged the blockchain community to consider implementing quantum-safe encryption.
Another presentation by Uri Rivner, who leads cyber strategy for BioCatch, described flaws in the handling of security controls for growing private blockchains, since they are not subjected to the same complex hashing rules as the public blockchain. “Taking keys from devices is very easy these days,” said Rivner.
The Internet security firm Cyren recently found evidence of malware that steals passwords from digital wallets and bitcoin as well. According to the firm, bitcoin users in the U.S. and Singapore are being targeted by enterprising hackers.
There have been other incidents over the past year which are raising concerns about blockchain security. Last October, the BlockChain.Info website, one of the largest bitcoin wallets, was hijacked and knocked out of service for nearly a day. And last summer, Bitfinex disclosed the loss of $60 million in customer funds. Just a few weeks ago, it was reported that the hackers of the Bitfinex accounts were beginning to move some of the bitcoin they stole into various exchanges in an apparent attempt to test how closely they were being watched.
The security world, gathered for five days this week in San Francisco, is clearly grappling with the rising sophistication of attackers and the tools they use. This has led to some interesting moments, such as one provided yesterday by James Lyne, the global head of security for Sophos.
In a live demonstration at the conference, Lyne deliberately infected his computer with malware that demanded a ransom in bitcoin for encrypted files. However, the researcher found the bitcoin service connection the criminals were using and quickly changed some code to trick the attackers into thinking they had been paid. Despite the escape, Lyne warned that “ransomware will continue to evolve and improve in quality.” And it could take much of the financial world with it.