Hackers Attempt To Ransom Sensitive Banking Data In Exchange For XRP Payout

Rather than give in to the demands, banks disclosed the breach to users, urging them to take measures to secure accounts.

Jeremy Nation
Published in METACERT
May 30, 2018

On May 28, 2018, Simplii Financial reported to consumers that it had raised the alert and implemented enhanced security measures after receiving a tip that hackers apparently accessed the private banking information of as many as 40,000 customers. Likewise, Bank of Montreal was warned of a hack affecting around 50,000 customers, this time by the hackers themselves, who threatened to publicize the consumer data.

Later that day Canadian media outlets received what was in effect a ransom letter to banks. The letter threatened that the consumer data would be leaked if a payment of $1 million (USD) in the form of Ripple (XRP) was not made by Monday at 11:59 PM. The wallet that was to receive this ransom was created only last month, but already contains the equivalent of $5 million (USD).

The deadline came and went without a response from the targeted financial institutions, which sent a clear message: they do not negotiate with hackers.

By contacting banks in an effort to blackmail them, the hackers may have rendered their efforts impotent; banks were able to reach out to affected customers and institute short-term remedies including password changes, the issuance of new cards, and complimentary credit monitoring.

Banks also offered to assist with any financial impact resulting from the hack. With access to accounts, a malicious actor was able to make unauthorized transfers, and banks have said they will refund 100 percent of funds lost in all such cases. Still, consumers in Canada who lack a brick-and-mortar facility and must wait up to seven days for cards to arrive in the mail are left without access to funds in the interim.

Reports indicate an email sent to the bank from the hackers revealed the method used to crack the bank’s security. A mathematical algorithm designed to verify short sequences of numbers was able to determine correlating account numbers, credit card numbers, and social insurance numbers. From there it was a matter of using those credentials to reset passwords and any security questions manually to usurp control of the account in question.

Unlike indiscriminate phishing attacks, which are often spammed out across millions of emails, such as the recent issues experienced by EOSIO users or the GDPR-related scam that National Westminster Bank customers had to fend off, this attack, which pitted algorithms against individual accounts to game their information from the bank’s flawed security system, is more reminiscent of a spear-phishing attack. Spear-phishing uses specific pieces of information that can be used to fool central authorities into mistaking the hacker for the account holder. It’s the same tactic employed by Iranian hackers, who also used brute force methods, to slip away with intellectual data valued at approximately $3.4 billion (USD).

As central banks continue to struggle with security issues, consumers may wish to turn to decentralized financial services as a failsafe when institutions drop the ball.

MetaCert is creating solutions for anti-phishing, child safety, brand protection, crypto-address verification, and news credibility with the MetaCert Protocol. You can find out more about the MetaCert Protocol by joining our Telegram community to stay up to date on our blockchain project. Remember to install Cryptonite to protect yourself from phishing scams before it’s too late.
