When it comes to robbing a bank, the days of stocking masks and sawn-off shotguns are long gone. Nowadays, it is possible to hijack a bank’s entire online operations from the comfort of your swivel chair.
On a Saturday afternoon in October 2016, a team of ingenious cyber bank robbers seized control of a major – but as yet unnamed – Brazilian bank. They achieved this by changing the Domain Name System (DNS) registrations of all the bank’s online properties, commandeering its desktop and mobile website domains to take users to phishing sites which were set up to match the official sites perfectly.
In other words, anyone visiting the bank’s website URLs was redirected to lookalike sites – which even had valid HTTPS certificates issued in the name of the bank. This allowed the attackers to steal login credentials at sites hosted at the bank’s legitimate web addresses. It is possible that the account details of millions of bank customers have been harvested.
Half of the world’s leading banks don’t manage their own DNS, instead delegating it to hackable third parties. Enabling a registry lock and two-factor authentication would go a long way towards preventing this kind of well-executed heist – but even that may not be enough to protect an institution from such a crack team of audacious hackers.
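Because a registry lock alone may not be enough, a defender can also watch the registration itself for drift. The following is an added example, not code from the article or from any bank: it audits an already-fetched RDAP domain record for the registry-lock status values, for nameservers outside a pinned baseline, and for a registration change later than the last approved one. The function names, the baseline list and the `.example` records are assumptions constructed for illustration.

```python
from datetime import datetime

# RDAP status values set by a registry lock (RFC 8056 names for the EPP server* codes).
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited",
                 "server delete prohibited"}

def _ts(value):
    """Parse an RFC 3339 timestamp as used in RDAP events."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _names(hosts):
    """Normalise host names for comparison (case and trailing dot)."""
    return {h.lower().rstrip(".") for h in hosts}

def audit_domain(rdap, baseline_ns, last_approved_change):
    """Return a list of findings for one RDAP domain object (RFC 9083 layout)."""
    findings = []
    status = {s.lower() for s in rdap.get("status", [])}
    missing = REGISTRY_LOCK - status
    if missing:
        findings.append("registry lock incomplete: " + ", ".join(sorted(missing)))
    observed = _names(ns["ldhName"] for ns in rdap.get("nameservers", []))
    baseline = _names(baseline_ns)
    if observed - baseline:
        findings.append("unexpected nameservers: " + ", ".join(sorted(observed - baseline)))
    if baseline - observed:
        findings.append("baseline nameservers missing: " + ", ".join(sorted(baseline - observed)))
    for ev in rdap.get("events", []):
        if (ev.get("eventAction") == "last changed"
                and _ts(ev["eventDate"]) > _ts(last_approved_change)):
            findings.append("registration changed after last approved change: " + ev["eventDate"])
    return findings

# Constructed sample data: placeholder names under .example, not real registrations.
BASELINE_NS = ["ns1.dns-provider.example", "ns2.dns-provider.example"]
APPROVED = "2023-12-01T00:00:00Z"
LOCKED = {"ldhName": "bank.example", "status": sorted(REGISTRY_LOCK),
          "nameservers": [{"ldhName": "NS1.dns-provider.example."},
                          {"ldhName": "ns2.dns-provider.example"}],
          "events": [{"eventAction": "last changed", "eventDate": "2023-11-01T09:00:00Z"}]}
ALTERED = {"ldhName": "bank.example", "status": ["client transfer prohibited"],
           "nameservers": [{"ldhName": "ns1.unknown-host.example"}],
           "events": [{"eventAction": "last changed", "eventDate": "2024-01-06T13:00:00Z"}]}

if __name__ == "__main__":
    for label, record in (("locked", LOCKED), ("altered", ALTERED)):
        print(label, audit_domain(record, BASELINE_NS, APPROVED) or "ok")
```

Run on a schedule against each domain the organisation owns, any non-empty result is a reason to contact the registrar out of band before trusting what the domain currently resolves to.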