A high-tech global fraud ring that has attempted transfers of at least $78m (£49m) from financial institutions and personal bank accounts has been discovered.

The criminal campaign, dubbed Operation High Roller, is thought to have affected at least 60 banks in Europe, the UK and the Americas. Potential losses could be as high as £1.6bn.

The scam was uncovered through an investigation by web security companies McAfee and Guardian Analytics, which are now "working actively with international law enforcement organisations to shut down these attacks".

The attacks are completely automated and allow the fraudsters to bypass the physical chip-and-PIN identification process and use "mule" business accounts to attempt transfers from high-balance accounts. Some transfers were found to be as high as £79,000.

"With no human participation required, each attack moves quickly. This operation combines an insider level of understanding of banking transaction systems with both custom and off-the-shelf malicious code and appears to be worthy of the term 'organised crime'," reads the companies' report.

"Debunking the popular wisdom that only big banks are affected, the research documents attacks at every class of financial institution: credit union, large global bank, and regional bank."

The first attacks that were discovered targeted an Italian bank and its consumer and business accounts.

"While at first consistent with other client-based attacks we have seen, this attack showed more automation," the report claims.

"Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag [which embeds one document inside another] and took over the victim's account - initiating the transaction locally without an attacker's active participation."

Examples of the same style of attack started appearing across Europe, starting in Germany and then hitting banks in the Netherlands. The Dutch attack was the biggest yet, with a total estimated fraud of around £28.5m as the hackers began targeting business accounts.

More than a dozen accounts were later targeted in Colombia and in the US. The investigators were able to track down fraudulent transaction servers in California and Russia.

"The criminals have created a computer code which automatically finds a victim's highest-value account," the report explains.

"It then transfers money to a pre-paid debit card which can then be drained anonymously."

Despite the complexity of the fraud, the report authors insist that security companies can still fight this type of threat.

"We can do this, the machinery exists," they conclude.

"We encourage other security vendors and the global banking industry to take action against this ballooning fraud ring and similar future attacks by improving detection and information-sharing.

"Hopefully, this report also will spur more sensitivity and vigilance by the high-value businesses and consumers whose accounts are being plundered."