A little anecdote about an IMPS fraud attack
Legend has it that Newton cut a hole in his door for his cat. The cat had a litter of kittens, so he cut a second, smaller hole for the kittens. Sounds paradoxical for a genius? OK. Hold on to that thought.
Let's talk about the 820 crore IMPS fraud at UCO Bank between 10 and 13 November 2023. The fraud rode on failed inward remittances from seven private banks and credited no fewer than 41,000 UCO Bank accounts. The receiving accounts were credited, but no corresponding funds were ever settled into UCO Bank, and the originating banks recorded the same transactions as failed.
This went on not for hours but for days, despite IMPS transaction data being shared every four hours. It was spotted after three days and a lot of bleeding. Last I checked, INR 664 crore had been recovered by marking a lien on the accounts concerned.
Not surprisingly, social media picked up the chatter before the bank did. I watched at least one YouTuber post about the trend and urge people to cash in quickly. Predictably the scavengers went prowling in packs to pick at what they could. Free money was literally raining on UCO Bank customers.
Root cause. A change was made on the production server that set the port number for IMPS transactions to the port used for UPI and other transactions. According to the change logs it was made, apparently without authorization, by one of two suspected engineers who worked in facility management for the software company UCO Bank had hired to maintain its app. The core banking system (CBS) credited the beneficiary account but then sent a failed response to the IMPS switch via Connect 24 (the middleware between the CBS and the IMPS application servers), and that failure was what the remitting bank saw.
Incidentally, a similar glitch happened last month at the Commercial Bank of Ethiopia, where more than $40 million was withdrawn or transferred to other banks. Students formed long lines at campus ATMs until the police arrived. Again the news had gone viral that at 1:00 am free money could be drawn from ATMs or transferred using the bank's app.
If I were a bank CRO reading this (in a way I am a budget-version CRO for a start-up :), here's my two cents. Most fraud risk teams look for large third-party fraud while tracking claims and fraud inventory, chargebacks, returned cheques and so on. They typically would not pick up 41,000 accounts making quick in-and-out transactions of small amounts.
The vendor here pretty much had the keys to the kingdom. A lone insider attack syndicated across thousands of accounts (almost salami-attack style) can't be caught by fraud rules that were never designed to pick up insider fraud. It might have been caught at the point of unauthorized access: changes to privileges, changes to production servers at odd hours. This one happened over the Diwali weekend too.
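Two of the controls this paragraph points at, written out as an added example (my own illustration, not UCO Bank's, NPCI's or the vendor's code): a reconciliation check that flags credits the CBS posted while the response sent back to the remitter said "failed", counted per hour rather than weighted by amount so that thousands of small ones still trip it, and a change-log check that flags production config edits with no change ticket, on a holiday or weekend, or at odd hours. Every record, account number, port value, username and the holiday calendar below is constructed; the field names (ledger_status, switch_response, imps.listener.port and so on) are assumptions, not a real CBS, Connect 24 or IMPS schema.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ts: datetime
    beneficiary: str
    amount: int            # rupees, whole units for the example
    ledger_status: str     # what the CBS did to the beneficiary account
    switch_response: str   # what went back through the middleware to the remitter


@dataclass(frozen=True)
class ChangeEvent:
    ts: datetime
    host: str
    user: str
    key: str
    old: str
    new: str
    ticket: Optional[str]  # change-management reference, None if absent


def orphan_credits(txns):
    """Credits the CBS posted while telling the remitter the transfer failed.
    A posted credit with no successful inward leg is money created from nothing."""
    return [t for t in txns
            if t.ledger_status == "CREDITED" and t.switch_response != "SUCCESS"]


def hourly_mismatch_alerts(txns, max_per_hour=5):
    """Bucket orphan credits by hour and alert on the count, not the value,
    because 41,000 small credits is the pattern a value threshold misses."""
    buckets = Counter(t.ts.replace(minute=0, second=0, microsecond=0)
                      for t in orphan_credits(txns))
    return {hour: n for hour, n in buckets.items() if n > max_per_hour}


def unauthorized_changes(events, holidays, odd_start=time(23, 0), odd_end=time(6, 0)):
    """Return (event, reasons) for production changes that deserve a second look:
    no ticket behind them, made on a holiday/weekend, or made at odd hours."""
    flagged = []
    for e in events:
        reasons = []
        if e.ticket is None:
            reasons.append("no change ticket")
        if e.ts.date() in holidays or e.ts.weekday() >= 5:
            reasons.append("holiday or weekend")
        t = e.ts.time()
        if t >= odd_start or t < odd_end:   # window wraps past midnight
            reasons.append("odd hours")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed holiday calendar: the Diwali weekend in 2023 (Sat-Mon).
DIWALI_WEEKEND_2023 = {date(2023, 11, 11), date(2023, 11, 12), date(2023, 11, 13)}


def sample_txns():
    """Constructed ledger/switch pairs: eight orphan credits, one clean credit,
    one genuine failure where nothing was posted."""
    base = datetime(2023, 11, 11, 1, 0)
    txns = [Txn(f"IMPS{i:04d}", base + timedelta(minutes=5 * i), f"ACC{i:05d}",
                1000 + i, "CREDITED", "FAILED") for i in range(8)]
    txns.append(Txn("IMPS9000", base + timedelta(minutes=50), "ACC09000", 500, "CREDITED", "SUCCESS"))
    txns.append(Txn("IMPS9001", base + timedelta(minutes=55), "ACC09001", 700, "NOT_POSTED", "FAILED"))
    return txns


def sample_changes():
    """Constructed change-log lines: a ticketed weekday change, an unticketed
    late-night port edit, and a ticketed change made on the holiday."""
    return [
        ChangeEvent(datetime(2023, 11, 9, 14, 30), "cbs-app-01", "vendor.fm2",
                    "imps.listener.port", "7101", "7102", "CHG-4410"),
        ChangeEvent(datetime(2023, 11, 10, 23, 40), "cbs-app-01", "vendor.fm1",
                    "imps.listener.port", "7102", "7200", None),
        ChangeEvent(datetime(2023, 11, 12, 10, 0), "cbs-app-01", "vendor.fm2",
                    "upi.listener.port", "7200", "7201", "CHG-4412"),
    ]


if __name__ == "__main__":
    for hour, n in hourly_mismatch_alerts(sample_txns()).items():
        print(f"ALERT {hour:%Y-%m-%d %H:00}: {n} credits posted with a failed response")
    for e, why in unauthorized_changes(sample_changes(), DIWALI_WEEKEND_2023):
        print(f"REVIEW {e.ts} {e.user}@{e.host} {e.key} {e.old}->{e.new}: {', '.join(why)}")
```

The first check is the one that would have fired within the hour on 10 November: the ledger and the switch response disagree on the same transaction, and that disagreement is visible to the bank without waiting for any counterparty data. The second is cheap to run on the change log the investigators later read by hand.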
Sometimes you do need a big hole for the big cat, and another small hole for the small cats.