Hackers demand $1M XRP ransom or they’ll reveal bank customer details
Everything seems to have gone exactly as planned – for everyone except the affected customers.
Russia-based hackers have managed to grab a treasure trove: the bank details of 90,000 customers. The hackers are demanding $1 million worth of Ripple XRP in ransom or they will release the information, CBC reports. According to an email from the hackers, the accessed information includes customer names, account numbers, passwords, security questions and answers, account balances and social security numbers.
The information was taken from two banks, Simplii and Bank of Montreal (BMO). The hackers also took pains to show that they really do have the information and aren't just another scammer fishing for a quick buck.
They did this by explaining how they broke in.
The gist, according to the email, was that they managed to obtain customer account numbers with the help of a common checksum algorithm designed to quickly validate short numeric sequences such as credit card numbers. This was supposedly all they needed to pose as customers who had forgotten their passwords, and then reset those customers' security questions and answers. With the account numbers and the newly set passwords in hand, they could log in as those customers and pull all the other details.
The bank "was not checking if a password was valid until the security questions were input correctly," the email said. "They were giving too much permission to half-authenticated accounts, which enabled us to grab all this information."
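As an added illustration, not taken from the article or from either bank: a toy Python authorization policy that models the "half-authenticated" weakness the email describes beside a stricter one, with an audit function that checks what an account number alone can unlock. The factor names, actions and both policies are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    """Things a caller can prove about themselves during login or recovery."""
    ACCOUNT_NUMBER = "account_number"      # enumerable and checksum-valid: not a secret
    PASSWORD = "password"
    SECURITY_ANSWERS = "security_answers"
    OUT_OF_BAND_CODE = "out_of_band_code"  # e.g. one-time code sent to a registered contact

@dataclass
class Session:
    proven: set = field(default_factory=set)  # factors this session has satisfied so far

# Hypothetical policies: each action lists the factors a session must have proven.
# WEAK_POLICY models the behaviour the email describes: knowing an account
# number is enough to enter recovery and overwrite the security questions,
# after which the attacker-chosen answers unlock a password reset.
WEAK_POLICY = {
    "reset_security_questions": {Factor.ACCOUNT_NUMBER},
    "reset_password": {Factor.ACCOUNT_NUMBER, Factor.SECURITY_ANSWERS},
    "view_profile": {Factor.ACCOUNT_NUMBER, Factor.PASSWORD},
}

# STRICT_POLICY: changing any credential requires an out-of-band proof, and
# the account number alone never unlocks anything.
STRICT_POLICY = {
    "reset_security_questions": {Factor.ACCOUNT_NUMBER, Factor.PASSWORD, Factor.OUT_OF_BAND_CODE},
    "reset_password": {Factor.ACCOUNT_NUMBER, Factor.OUT_OF_BAND_CODE},
    "view_profile": {Factor.ACCOUNT_NUMBER, Factor.PASSWORD},
}

def authorize(policy, session, action):
    """Allow an action only if every factor the policy demands has been proven."""
    return policy[action] <= session.proven

def escalation_from_account_number(policy):
    """Policy audit: starting from an account number alone, which actions succeed?
    Each success grants the factor the caller can now supply themselves."""
    session = Session({Factor.ACCOUNT_NUMBER})
    granted = []
    for action, unlocks in [("reset_security_questions", Factor.SECURITY_ANSWERS),
                            ("reset_password", Factor.PASSWORD),
                            ("view_profile", None)]:
        if authorize(policy, session, action):
            granted.append(action)
            if unlocks is not None:
                session.proven.add(unlocks)
    return granted
```

Under WEAK_POLICY the audit returns all three actions in order; under STRICT_POLICY it returns an empty list, because no credential change is possible without the out-of-band proof.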
To back up the point, the email shared identifying information about a customer from each bank.
"We warned BMO and Simplii that we would share their customers' information if they don't cooperate," it said. "These ... profiles will be leaked on fraud forums and fraud communities, as well as the 90,000 left, if we don't get the payment before May 28, 2018, 11:59 PM."
That deadline has now passed, and it's not clear whether the ransom was paid.
It probably wasn't, though. When CBC contacted the banks for a statement, BMO said its policy was "not to make payment to fraudsters" and instead remain "focused on protecting and helping our customers."
"We are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests," Simplii, the other bank, said.
Assuming the hackers were telling the truth and that the ransom wasn't paid, 90,000 bank customers probably just had a lot of sensitive personal data sold on the darker corners of the Internet. The banks have reportedly notified affected customers.
"It's concerning," one affected customer said. "I'm not sure in this day and age what I can do to get control of that data again. Some of those things you can't change about yourself so I'm sure it's going to exist out there for as long as someone wants to look for it."
The dubious upshot might be that there's a good chance it was already out there. Millions of people get their data stolen all the time, mostly because there's no real way of securing it yet.
Banks and many other companies are well aware of this risk and have their own procedures for handling it. That procedure is typically to wait until an attacker gets in and then reactively plug whatever hole the attacker used. These attackers were at least kind enough to explain exactly how they managed to get in.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and NANO.