How hackers steal millions from bank accounts

The latest information from IBM Security Trusteer’s mobile security research team indicates that hackers have been using ‘mobile emulators’ to steal millions from financial institutions in Europe and the USA.

How did they do it?

They set up a network of mobile device emulators that stood behind thousands of spoofed devices, able to access thousands of compromised accounts. A set of mobile device identifiers was used to spoof an actual account holder’s device, and in each case it is likely that these accounts had been infected by malware, or that the credentials had been collected via phishing.

The hackers have the victim’s username and password, and using an automatic process are able to “script the assessment of account balances.” They can then automate large numbers of fraudulent transfers. These are never large enough to trigger bank scrutiny at the time.

How does an emulator work?

An emulator mimics the characteristics of a mobile device, and a single one can impersonate several. Emulators are often used by developers to test applications, but in the wrong hands they are a crime tool.
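As an added defensive illustration (not code from IBM Trusteer’s report or any bank’s fraud system), two heuristics over constructed session records pick out the two traits described above: one network source presenting implausibly many device identifiers and accounts, and accounts drained through repeated transfers that each stay under a review limit. The field names, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    account: str
    device_id: str   # device identifier as presented by the app (spoofable)
    source: str      # network origin of the session, e.g. source IP (assumed field)
    transfer: float  # outbound transfer made in this session, 0.0 if none

def flag_emulator_farms(sessions, max_devices=3, max_accounts=3):
    """Sources whose count of distinct device IDs or accounts is implausible
    for one handset: one emulator rotating through spoofed identifiers."""
    devices, accounts = defaultdict(set), defaultdict(set)
    for s in sessions:
        devices[s.source].add(s.device_id)
        accounts[s.source].add(s.account)
    return sorted(src for src in devices
                  if len(devices[src]) > max_devices or len(accounts[src]) > max_accounts)

def flag_structured_transfers(sessions, review_limit=1000.0, min_count=3):
    """Accounts moving value out in repeated transfers that each stay below
    the per-transaction review limit but add up past it."""
    small = defaultdict(list)
    for s in sessions:
        if 0 < s.transfer < review_limit:
            small[s.account].append(s.transfer)
    return sorted(acct for acct, amts in small.items()
                  if len(amts) >= min_count and sum(amts) >= review_limit)

# Constructed sample: two ordinary customers, plus an emulator at 198.51.100.7
# presenting a fresh spoofed device ID for each of six compromised accounts.
SESSIONS = [
    Session("alice", "dev-a1", "203.0.113.10", 0.0),
    Session("alice", "dev-a1", "203.0.113.10", 1500.0),  # large, reviewed anyway
    Session("bob", "dev-b1", "203.0.113.22", 250.0),
]
for i in range(6):
    acct, dev = f"victim{i}", f"dev-spoof{i}"
    SESSIONS.append(Session(acct, dev, "198.51.100.7", 0.0))  # scripted balance check
    SESSIONS += [Session(acct, dev, "198.51.100.7", 400.0) for _ in range(3)]

if __name__ == "__main__":
    print("sources that look like emulator farms:", flag_emulator_farms(SESSIONS))
    print("accounts with structured transfers:", flag_structured_transfers(SESSIONS))
```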

According to Finextra: “IBM Trusteer says that the scale of the operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices.”

IBM added, “The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack.”

IBM Trusteer’s intelligence team has also observed a trending fraud-as-a-service offer in underground venues, promising access to this type of operation to anyone willing to pay for it, with or without the required skill.

“This lowers the entry bar for would-be criminals or those who plan to transition into the mobile fraud realm,” says IBM, and is likely to become a growing trend amongst cybercriminals.

2020 Cybersecurity: Year Zero Trust

Prior to 2020, “the technology industry has long assumed that it would eventually get rid of the concept of implicit digital trust,” Emil Sayegh writes, pointing out that this got completely flipped this year as digital transformation was forced on a new route due to the surge in remote working. He calls it the year of ‘Zero trust’.

Why is this? Because organizations have had to rethink their security concerns with so many employees working from home. “Remote work IT capabilities changed the perimeters of traditional security, as well as its threat,” Sayegh says, and adds that there is mounting evidence “that since this big shift, cybersecurity threats and threat vectors have increased 400% from pre-Covid times.”

Cybercriminals were quick to catch on to the fact that there were bound to be places that were easy to breach, and they have updated their methods of attack to exploit fears by using more ransomware and targeted malware against organizations. What this tells us is that there is a critical need to deal with these threats in a more efficient and intelligent way.

Every day is ‘Day Zero’

A ‘Day Zero’ is the day that any cyber threat is unleashed, and in “a Zero Trust world, every day is assumed to be a potential ‘day zero’,” Sayegh says. The position to take from an IT perspective is one of overarching ‘mistrust’ and continuous vigilance over “who accesses what at every level possible.” As Sayegh remarks, every time a network is accessed it should be treated as ‘stranger danger’. Therefore all access should be “fully authenticated, authorized, and encrypted before any access can happen.” Ultimately, Zero Trust operates on the basis of a “hermetically sealed security” that also “empowers employees to work securely and efficiently, wherever they may be operating.”

As organizations now work on implementing Zero Trust, security capabilities are increasing. It also applies to cybersecurity strategies, and “leverages tools such as multi-factor authentication and active session-based risk detection to produce higher levels of security.”

In effect, Zero Trust has been akin to the cavalry riding into 2020. As Sayegh concludes: “By controlling access to specific applications, systems, and resources combined with an assumption of the continual breach, Zero Trust is positioned to enable a seamless move to greater security for all.”

Mastercard introduces AI-powered cybersecurity

Cybersecurity remains one of the hottest topics around. While browsing today’s media I noted one article said that cyber attacks rose by 250% during the pandemic. Apparently it was the perfect time for scammers and hackers to wield their weapons.

This may be one of the things that prompted Mastercard to launch Cyber Secure, “a first-of-its-kind, AI-powered suite of tools that allows banks to assess cyber risk across their ecosystem and prevent potential breaches.”

It all comes down to the fact that the digital economy is expanding rapidly and is becoming more complex. Alongside this positive news comes the less appealing revelation that the growth creates a vulnerability that some are delighted to take advantage of. For example, it is estimated that one business will fall victim to a ransomware attack every 11 seconds by next year.

Ajay Bhalla, president, Cyber & Intelligence, Mastercard said:

“The world today faces a $5.2 trillion cyber breach problem. This is one of the biggest threats to consumer trust. At Mastercard, we aim to stay ahead of fraudsters and to continually evolve and enhance our protection of cyber environments for our bank and merchant customers. With Cyber Secure, we have a suite of AI-powered cyber capabilities that allows us to do just that, ensuring trust across every experience, for businesses and consumers.”

Cyber Secure will enable banks “to continuously monitor and track their cyber posture,” writes Polly Harrison. It will allow banks to be more proactive in managing and preventing data compromise, as well as protecting the integrity of the payment ecosystem and consumer data. It should also, of course, prevent financial loss caused by attacks.

Mastercard has based its new product on the AI capabilities of RiskRecon, which it purchased in 2020. It uses advanced AI for risk assessment, evaluating multiple public and proprietary data sources and checking them against 40 security and infrastructure criteria.

Harrison writes, “In 2019, Mastercard saved stakeholders $20bn of fraud through its AI-enabled cyber systems,” so it is to be hoped that Cyber Secure prevents even more theft in 2021 and beyond.

How governments snoop on us

Non-profit Privacy International (PI) has revealed how the EU funds surveillance techniques through development aid programmes, including the training of security forces in non-EU countries. Privacy International and other campaigners are demanding reform of EU aid in this respect, so that aid programmes “do not facilitate the use of surveillance which violates fundamental rights.”

PI learnt of the situation following the public release of documents that revealed:

  • Police and security agencies in Africa and the Balkans are trained with the EU’s support in spying on internet and social media users and using controversial surveillance techniques and tools
  • EU bodies are training and equipping border and migration authorities in non-member countries with surveillance tools
  • Civipol, a well-connected French security company, is developing mass biometric systems with EU aid funds in Western Africa in order to stop migration and facilitate deportations without adequate risk assessments.

In an article, Thomas Brewster discusses how CEPOL, the EU’s law enforcement training agency, taught security personnel in Europe and Africa how to use malware to access citizens’ phones and monitor social media. As PI points out, some of the countries that received EU aid for this type of surveillance are those with a history of human rights abuses, which is why PI and other organisations want to press the EU to change its funding programme.

Edin Omanovic, advocacy director of Privacy International, said: “Instead of helping people who face daily threats from unaccountable surveillance agencies, including activists, journalists and people just looking for better lives, this ‘aid’ risks doing the very opposite.”

He added, “The EU as the world’s largest provider of aid and a powerful force for change… failure to reform is a betrayal not just of the purpose of aid and the people it’s supposed to benefit, but of the EU’s own values.”

In the EU parliament, MEP Markéta Gregorová, who works in the EU group on surveillance reforms, commented: “We just made it much harder to export cyber-surveillance and it is unacceptable that at the same time our own law enforcement agencies are training dictators to spy on their people and even recommend surveillance software. This is unacceptable and irreconcilable with our values and screams for reform.”

Some of the training materials obtained by PI promote iPhone hacking tools such as GrayKey. For example, in a training session for Morocco, the participants were told that by using GrayKey and Axiom together, security personnel would be able to “grab the Apple keychain from within the iPhone, granting it access to apps and the data within.” Morocco is a good example of why PI is so determined to change the EU aid programme, as the country has for some time been accused of targeting iPhones to track the activity of journalists and all kinds of activists. In another example found in the documents, Spain’s Policia Nacional, a CEPOL partner, trained authorities in Bosnia and Herzegovina on using malware to remotely control devices. The files also show how CEPOL and European police are encouraging foreign governments to spy on social networks.

It is unfortunate that the PI revelations come at exactly the same time as the EU announced it would be curtailing the export of particular surveillance tools, which it claims is a move that supports global human rights, saying, “We have set an important example for other democracies to follow.”

PI’s response was that the statement is “critically undermined by the fact that EU agencies are themselves secretly promoting the use of techniques which pose serious threats.”

It would appear that while the European Parliament and Council are legislating to stop surveillance abuses, CEPOL and European police are doing the opposite. This kind of situation, where the left hand apparently doesn’t know what the right is doing, is exactly one where those who wish to undermine the EU will look for ammunition. It must get its house in order on this important issue.