Stealing is a profession that appears to operate according to two apparently contradictory rules. The first is that if you’re going to thieve then make sure the sums are insignificant so that nobody notices. Alternatively, ignore that rule altogether and simply steal a sum so large that people can’t ignore what you’ve done but are frightened to talk about it.
As long as you stick to one of these rules, and don’t dare mix them, then you’ll do well.
Oddly, people will often disparage the petty criminal who steals from a purse while having a sneaking admiration for the talent required to pull off a really big heist. It’s as if criminality is judged a profession with its talented winners and hopeless losers, just like any other.
The news that 32-year-old Israeli citizen Yeron Bolondi has been arrested while apparently trying to siphon off up to £220 million ($423 million) from the Japanese Sumitomo Mitsui Bank puts him very much in the latter camp. We have very few details to go on – more on this later – but it looks as if this was close to being the most audacious theft ever attempted against a bank, putting even famous bank break-ins in the shade.
The idea that someone can steal such a huge sum from a bank without being anywhere near the premises still mystifies most people in the street. No stocking over the head, no sawn-off shotgun, no used bank notes in sacks, just (in this instance) a Trojan key-logging device or program to (we presume) record enough security passwords and account numbers to access one or more core bank accounts.
If you work in the security industry the bigger mystery will be that someone can evade all the expensively-assembled hardware and software systems designed to stop such a thing happening. Banks are not short of a penny to invest in the best technology and are noted for their paranoiac attitude to outsiders. And yet one man appears to have got at least some of the way to stealing a sum of money so large that we would almost certainly not have heard about it had he succeeded.
The Sumitomo Mitsui bank has been rightly praised for coming clean on what has happened; banks never talk about break-ins and fraud unless they have no alternative, so this is unprecedented in itself.
Britain’s National High-Tech Crime Unit (NHTCU) also comes out of the story looking very clever indeed, an unexpected boost for a unit that is said to be short of resources in the face of its other priority of tackling Internet-based paedophilia. People assume the police are way out of their depth in this area and they are sometimes right. The police are out-numbered, as ever. Perhaps this coup will make them take the unit’s highly-regarded work more seriously in future.
What we don’t have is a full picture of what was going on in the attempted theft. Since the bank had been working with the NHTCU since October, it looks as if the plot was being observed from a safe distance and that it was not likely to succeed. This would be standard police practice: observe a criminal to see if anyone else is working with them.
Neither do we have much detail on the type of key-logging Trojan used. It is important to know this in order that wider lessons can be learned. A lot has been written about how this form of malware can be used remotely, but it seems highly unlikely that a Windows-based Trojan could get this deeply into a bank’s systems which, as security expert Arthur Barnes of Diagonal Security pointed out when we discussed the issue with him, invariably run on Unix.
If this incident changes any of the above assumptions then we need to know now. Was anybody inside the bank involved? Was the Trojan tailored in any way to infiltrate the specific systems used by Sumitomo? Most important of all, at what point did the bank realise something was amiss and call in the police? Any one of these could tell us in what direction this sort of sophisticated crime is evolving, and offer real-world advance warning.
Expect security companies to jump on this event after a quarter when malware has been rapidly evolving but without doing a huge amount of damage. There is nothing like a big scare to help shift security systems that even now people hesitate to invest in.
This new concept of bank theft just serves to underline the fact that money doesn’t really exist nowadays, except in the sense that it moves around computer networks and is stored in databases. Most money earned by people is just the same. It sits in accounts and is never withdrawn in a physical form. It all belongs to someone, but perhaps we should worry that in this state of absolute virtuality, even the banks don’t quite know where it is at any given point.
We can be sure that criminals will have grasped this vulnerability even as we turn away in the hope that things will somehow sort themselves out on their own.