Cosmos Bank SWIFT Attack from Forensic Angle


Indian Banking sector was shocked when Cosmos Bank admitted to the ATM Heist of $11 Million and SWIFT Attack which caused the loss of another $2.5 Million to the bank due to the presence of the malware. Looking at the information available in the electronic media about the statements given by the Chairman of the Cosmos Bank, there are three primary elements of the whole heist. This article discuss these three elements in detail in the wake of the fraud.

Data Theft

According to the preliminary information available in Public domain, there are more than 15000 ATM Withdrawals, made from different countries without validations on 11/08/2018 in only 7 hours. In order to carry out the ATM Withdrawals, besides the software code planted in Malware, there is a need to have Debit cards. Money can be withdrawn only if the Debit cards are present with the master mind of the fraud. Embossed plastic cards are available easily in the market, but the information stored in the magnetic stripes is not. In order to get this information, there must have been some data theft incidence.

  • Data Theft could be as simple as stealing the bank’s data in the pen drive and handing it over to the outsiders
  • Data theft may have occurred through the incidence of hacking or through the presence of the virus in the systems of the bank but have gone un-noticed and un-reported.
  • Data theft may have occurred through a third party payment processor which have access to the sensitive information.

In order to narrow down the modus operandi, Digital forensic audit needs to be done which focus on the possibilities of internal compromise and external attacks. This would also be important in order to get the Insurance claim if the Bank is insured against such attacks, else $13.5 million is a big blow to the bank.

ATM Withdrawals

Data theft is the first chapter in the league of this ATM heist. However, when the mastermind of this fraud was in possession of the sensitive data of the account holders, the information was probably copied to the magnetic stripes and the Debit cards of the Account holders were cloned. Now, the media information reveals that the withdrawals were made from the different countries. Which means the operation was well orchestrated and the withdrawals were synchronised and monitored throughout the world. Various agents in the different countries would have withdrawn the money at same time. While withdrawing the money from the account of the customer, now a days the banks send the SMS to the account holders. The press statement have no mention of the complaints from the customers, which means the SMS were not sent through the banking channel. It is a smart malware which had attacked the computer system that allows banks to settle cash dispensation requests raised at ATMs.

Once a request is raised by swiping of the card at an ATM, it is transferred to the Core Banking System of the bank using a “switch”. After checking the available credit in the individual account, the Core Banking System either allows or rejects request. Acceptance or rejection is transmitted back to payment systems via the “switching”. This is the most important aspect of the ATM withdrawal operations, where the Proxy Switch was created by the malware and the balances were not checked with the Core Banking System. Which means there are certain accounts in the bank which are used in the process of the ATM heist which may not even have balance, but the withdrawals were processed.

National Payment Corporation of India (NPCI) runs India’s biggest network of shared ATMs called National Financial Switch.

SWIFT Attack

In last few months, this is second time when the name of SWIFT is in news for the wrong reasons. It was in discussion when the employees of Punjab National Bank misused the same to favor the infamous fraudster Nirav Modi. Now the SWIFT is in news due to the transfer of $2.5 million to the Hongkong based companies. In order to loot the hard cash of the bank, help of the insider used to be a of a great help.

CA Mayur Joshi
CA Mayur Joshi is a Forensic Accounting evangelist in India. He is the co-founder of Indiaforensic and is author of 7 books on forensic accounting, fraud investigations and money laundering.