Two Canadian banks were in for a fix on May 28, 2018, after hackers gained access to account holders’ personal information, and threatened to sell it to interested parties unless a ransom was paid in XRP, Ripple’s native token.
Hackers Infiltrate Bank Systems with Ease
According to a report, Simplii Financial and Bank of Montreal (BMO) learned that personal information was stolen and over 100,000 customers had their personal data compromised. In a mail to the bank, the hackers said information such as account numbers, passwords, security questions, and answers, along with contact details were now in their possession.
The mail, which originates from a Russian email address, stated details on how the hackers were able to infiltrate the banks’ security systems.
As claimed, the hackers used a commonly used mathematical algorithm to gain partial access to customer accounts and were able to quickly validate numeric sequences, such as credit and debit card numbers. Subsequently, they gained complete access to the accounts, after getting possession of account numbers and validation emails in the same manner. The email stated:
“They were giving too much permission to half-authenticated account which enabled us to grab all these information. The bank was not checking if a password was valid until the security question were input correctly.”
Ripple Demanded as Ransom
The email stated that a total of $1 million must be paid to hackers in XRP, the native token of blockchain-based payments platform Ripple. Interestingly, the BMO tested the company’s RippleNet software in 2016 and reportedly uses the platform for cross-border payments.
“These profiles will be leaked on a fraud forum and fraud community as well as the 90,000 left if we don’t get the payment before May 28, 2018, 11:59 PM,” the hackers claimed.
Although the deadline has passed, the bank maintained that no ransom was paid to the hackers, as “their practice is not to make payments with fraudsters.” However, a total of $5 million in XRP was observed in the hacker’s wallet address when searched.
BMO Headquarters, Montreal
The banks notified customers about the theft shortly thereafter and said elaborate measures were being taken to ensure the situation is not repeated in the future. Simplii stated that the bank was already in talks with cybersecurity experts and law enforcement agencies for solving the matter, and introducing measures to “protect clients’ data and interests.”
While the bank offered the distressed customers free credit monitoring and other services, they expressed an undeniable underconfidence in the banks’ security system.