Thieves no doubt took advantage of Simplii and BMO banks’ weak security systems as the two Canadian banks fell victim to a recent cyber attack. The hackers managed to steal the information of 90,000 users, including their names, addresses, account numbers, balances, and passwords.
They threatened the banks that they will reveal the stolen data to fraudulent parties or even the black market unless the lenders pay an amount of a million dollars in Ripple cryptocurrency.
It was not specified if the value of their one million dollar request was in US dollars or Canadian dollars.
According to CBC News, a Russian-based e-mail was sent on May 28 containing the following statements:
“We warned BMO and Simplii that we would share their customers informations if they don’t cooperate.”
“These […] will be leaked on fraud forum and fraud community […] if we don’t get the payment before May 28 2018 11:59PM.”
In the e-mail, the criminals claimed that they used a particular algorithm that gave them half-access to the accounts.
Once they gained access, they then requested a reset of the password as real account users, and that was enough for them to uncover the security question and finally access the account.
The e-mail said:
“They were giving too much permission to half-authenticated account which enabled us to grab all these information, [and the bank] was not checking if a password was valid until the security question were input correctly.”
After the deadline, it was not clear if banks paid the money requested, but an amount of USD 5 million was already available in the crypto wallet where the criminals requested the payment to be sent.
CBC News contacted the banks attacked by the hackers to confirm if any amount of money was really paid.
“Our practice is not to make payments to fraudsters, we are focused on protecting and helping our customers.”
As for the other victim, Simplii bank says it is now working on its security measures:
“We are continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients’ data and interests.”