Hackers demand $1M XRP ransom or they’ll reveal bank customer details

Posted: 30 May 2018 3:19 pm

Everything seems to have gone exactly as planned – for everyone except the affected customers.

Russian-based hackers have managed to grab a treasure trove in the form of the bank details of 90,000 customers. The hackers are demanding $1 million worth of Ripple XRP in ransom or they will release the information, CBC reports. According to an email from the hackers, the accessed information includes customer names, account numbers, passwords, security questions and answers, account balances and social security numbers.

The information was taken from Simplii and Bank of Montreal (BMO). The hackers also took pains to emphasise that they probably do have the information and aren't just scammers fishing for a quick buck.

They did this by explaining how they broke in.

The gist, according to the email, was that they managed to get customer account numbers with a common algorithm designed to quickly validate short numerical sequences like credit card numbers. This was supposedly all they needed to pose as customers who had forgotten their passwords and then reset those customers' security questions and answers. With the customer numbers and passwords in hand, they could log in as those customers and get all the other details.

The bank "was not checking if a password was valid until the security question were input correctly," the email said. "They were giving too much permission to half-authenticated account which enabled us to grab all these information."
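The flaw the email describes, modelled as an added example (not code from either bank or from the original article): a session that has only presented an account number is allowed to change a recovery secret, shown beside a version that requires full authentication first. All names (`Session`, `Auth`, `reset_answer_flawed`, `reset_answer_hardened`) and the sample account are hypothetical.

```python
import hashlib
import hmac
from enum import IntEnum

class Auth(IntEnum):
    NONE = 0        # nothing presented
    IDENTIFIED = 1  # account number presented; guessable, so it proves nothing
    FULL = 2        # password verified

def kdf(secret: str) -> bytes:
    # Fixed salt keeps the demo deterministic; use a random per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), b"demo-salt", 10_000)

# Constructed sample record; every value is a placeholder.
ACCOUNTS = {"1000017": {"pw": kdf("correct horse"), "answer": kdf("maple"),
                        "balance": 1200}}

class Session:
    def __init__(self, account_no: str):
        self.account_no = account_no
        self.level = Auth.IDENTIFIED if account_no in ACCOUNTS else Auth.NONE

    def login(self, password: str) -> bool:
        rec = ACCOUNTS.get(self.account_no)
        if rec and hmac.compare_digest(rec["pw"], kdf(password)):
            self.level = Auth.FULL
        return self.level == Auth.FULL

def require(session: Session, needed: Auth) -> None:
    # Single choke point: every action states the level it needs.
    if session.level < needed:
        raise PermissionError(f"{needed.name} required, session is {session.level.name}")

def reset_answer_flawed(session: Session, new_answer: str) -> None:
    # As described in the email: a half-authenticated session may rewrite recovery data.
    require(session, Auth.IDENTIFIED)
    ACCOUNTS[session.account_no]["answer"] = kdf(new_answer)

def reset_answer_hardened(session: Session, new_answer: str) -> None:
    # Changing a recovery secret is a privileged action: full authentication only.
    require(session, Auth.FULL)
    ACCOUNTS[session.account_no]["answer"] = kdf(new_answer)

def read_balance(session: Session) -> int:
    require(session, Auth.FULL)
    return ACCOUNTS[session.account_no]["balance"]
```

The design point is that an account number is an identifier, not a credential, so nothing that alters or reveals account data should be reachable from the `IDENTIFIED` state.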

To back up the point, the email shared identifying information about a customer from each bank.

"We warned BMO and Simplii that we would share their customers informations if they don't cooperate," it said. "These ... profile will be leaked on fraud forum and fraud community as well as the 90,000 left if we don't get the payment before May 28 2018 11:59PM."

That deadline has now passed, and it's not clear whether the ransom was paid.

It probably wasn't, though. When CBC contacted the banks for a statement, BMO said its policy was "not to make payment to fraudsters" and instead remain "focused on protecting and helping our customers."

"We are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests," the other bank said.

Assuming the hackers were telling the truth and that the ransom wasn't paid, 90,000 bank customers probably just had a lot of sensitive personal data sold on the darker corners of the Internet. The banks have reportedly notified affected customers.

"It's concerning," one affected customer said. "I'm not sure in this day and age what I can do to get control of that data again. Some of those things you can't change about yourself so I'm sure it's going to exist out there for as long as someone wants to look for it."

The dubious upshot might be that there's a good chance it was already out there. Millions of people get their data stolen all the time, mostly because there's no real way of securing it yet.

Banks and many other companies are well aware of this risk and have their own procedures for handling it. That procedure is typically to wait until an attacker gets in, then reactively plug whatever hole the attacker used. These attackers were at least kind enough to explain exactly how they managed to get in.

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and NANO.
