2016-09-09

Hackers just got cool new toys...

Over the last decade, network breaches at banks have been common around the world. In 2015, approximately $1 billion was stolen by a single hacking group, making it the single largest bank robbery in human history. All this was achieved through well-known threat vectors, from social engineering right through to specialized trojans and other forms of malware. The future, though, is beginning to look a little bleak as new forms of technology hit the home hacker scene.

Future bank robberies won't need an internet connection.

The Technology

Blasting onto the scene are modified AESA radars and Scanning Maser (MIDAR) radar/imaging technology. Banks would be fairly familiar with compromising emissions, also known under the codename TEMPEST. Security measures around this are relatively straightforward, in that secure rooms are Faraday cages. That said, Faraday cages work by impedance mismatches, just like a mirror, reflecting photons or absorbing them. This is great when the compromising emissions in a room are chaotic, but does little against more intelligent external attacks that work around impedance mismatches.

With MIDAR and some forms of high gain AESA radars, it is possible to penetrate Faraday cages.

1. Operate in bands outside of the shielded frequency range. Much shielding covers only a portion of the spectrum.
2. Apply high gain spot/point/pencil beams that exceed the shielding capability. Much shielding is around 100 dB and uneven both spatially and in frequency response.
3. Push the atoms into resonance and tunnel through with a spot/point/pencil beam.
4. Burn/ablate a hole.

Once through the shielding, AESA radars and MIDAR have the capability to directly interface with the electronics in a data center. It must be pointed out here that this is not something in the far-off future. This is something many people can build at home. Most modern CPUs operate somewhere between 2 and 3 GHz, so any transceiver with an ADC/DAC capable of about 6 GHz with at least 8-bit depth can be used to drive the input pins of a microchip. In fact, it is possible to place a modern CPU on a table (by itself) and, with the correct radio gear, send it power and execute programs on it.

This sounds a little like rocket science, but an array of software defined radios with very high gain antennas and a modified virtualization solution like VirtualBox/XenServer would be all that is required. If I set this up to do spread spectrum frequency hopping, it will be damn near impossible to see me. Further, with a little intelligent feedback, I could also tell if anyone had intercepted the beam.

With all this, I can sit anywhere within the local horizon of a bank and begin to steal money. This technology can pass through buildings, cars, people, etc., in a dynamic environment, constantly learning how to get the beam from its current location to the target machine. As both points are at fixed locations, this greatly simplifies the task.

I could sit in an apartment in New Jersey and steal billions from Manhattan with a very low probability of capture. Ultimately, I don't even need to be at the same location as the transceiver equipment.

The Heist

One of the easiest ways to rob a bank with this tech is to perform bit flipping on objects in memory. Think of a sort code and bank account number being stored in RAM, or being sent back and forth between the CPU and main memory. At both points, it becomes possible to read the traffic and quickly modify it in transit or in memory. It also becomes possible to write malware that will do this, inject it onto the CPU and leave a false trail of a network breach.

Software running on top, such as operating systems and security suites, would be blind to this lower level activity. In practice, there could be shadow and phantom payments that do not appear on the screens of any sending bank, but exist solely as digital transfers.

This latter issue is an immediate prime concern. This technology has been in the public realm for the better part of a decade and in military hands for almost 50 years. Thus, it is possible and indeed likely that much of the stated revenue in many banks is entirely fake. Only a complete cross-reference of the transactions between all institutions could reveal this.
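The cross-reference between institutions mentioned above amounts to reconciling the sender's ledger against the receiver's. The sketch below is an added example, not part of the original article; the record layout, the shared payment reference `ref` and all sample values are constructed assumptions.

```python
# Added example: reconcile a sending bank's ledger against a receiving bank's.
# Assumption: both sides log a shared unique payment reference ("ref").
FIELDS = ("sort_code", "account", "amount_pence")

# Constructed sample records, not real account data.
SENT = [
    {"ref": "TX1001", "sort_code": "000001", "account": "12345678", "amount_pence": 250000},
    {"ref": "TX1002", "sort_code": "000001", "account": "87654321", "amount_pence": 9900},
    {"ref": "TX1003", "sort_code": "000002", "account": "11112222", "amount_pence": 4200},
]
RECEIVED = [
    {"ref": "TX1001", "sort_code": "000001", "account": "12345678", "amount_pence": 250000},
    {"ref": "TX1002", "sort_code": "000001", "account": "87654323", "amount_pence": 9900},
    {"ref": "TX1004", "sort_code": "000002", "account": "33334444", "amount_pence": 990000},
]


def bit_distance(a, b):
    """Count differing bits between two equal-length ASCII strings (-1 if lengths differ)."""
    x, y = a.encode(), b.encode()
    if len(x) != len(y):
        return -1
    return sum(bin(p ^ q).count("1") for p, q in zip(x, y))


def reconcile(sent, received):
    """Return sorted (kind, ref, detail) findings for records that do not agree."""
    s_idx = {r["ref"]: r for r in sent}
    r_idx = {r["ref"]: r for r in received}
    findings = []
    for ref in r_idx.keys() - s_idx.keys():
        findings.append(("phantom", ref, "received, but absent from the sender's ledger"))
    for ref in s_idx.keys() - r_idx.keys():
        findings.append(("missing", ref, "sent, but absent from the receiver's ledger"))
    for ref in s_idx.keys() & r_idx.keys():
        for f in FIELDS:
            a, b = str(s_idx[ref][f]), str(r_idx[ref][f])
            if a != b:
                bits = bit_distance(a, b)
                findings.append(("altered", ref, f"{f}: {a} -> {b}, {bits} bit(s) differ"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(SENT, RECEIVED):
        print(*finding, sep=" | ")
```

A field that differs by a single bit between the two ledgers is the signature the bit-flipping scenario would leave, which is why the bit distance is reported alongside each altered field.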

How do banks defend themselves?

Defense

Well, right now, only the basic scientific principles are publicly known about the more advanced methods. There is enough information to replicate the attack, but absolutely nothing available on shielding/detection. Detection methods involve monitoring every square millimetre of a room and condensing the energy across a range of bands to detect spread spectrum remote interfacing. This is extremely costly. At the minute, alternative shielding solutions are a complete unknown; however, it is likely that intelligent adaptive impedance mismatching or staggered impedance mismatching may work, along with some unheard-of levels of drop-off in energy (i.e. 200 dB+).

As with all things, the initial R&D will be driven by demand, as will the ultimate pricing of the solution. That said, there is the issue of developing test equipment and new forms of sensors to support all of this and that could take time.

Conclusion

In the meantime, banks and other financial institutions will need to cross their fingers and hope that their digital records are correct, or we could have a major banking collapse on our hands. No doubt, the process of developing protection and cross-referencing transactions will run in parallel and will be off the ground in a relatively short time frame.

This will be an interesting race to watch, but for now, the hackers have the edge.