Fifty-one of First Bank's ATMs were turned into putty for criminals, freely dispensing cash after being infected with malware. From July 9 to the early hours of July 11, an international ring composed mostly of eastern European nationals collected NT$83.27 million from the suddenly generous machines, shocking Taiwanese society.

Police cracked the case within seven days, arresting three of the culprits still in Taiwan, and have since recovered all but about NT$5 million of the money. In searching for the cause of the crime, investigators found four types of malware and one malicious command file in First Bank's computer system.

Surveillance videos show that when the thieves were in front of the ATMs, they did not insert a bank card or enter information on the keyboard, leading investigators to conclude the ATMs were manipulated from afar through the malicious software.

In fact, the malware seems to have made its way into First Bank's system through the telephone system of its London branch. Even more telling is speculation that First Bank's branches in Vietnam and Cambodia were also hacked.   

So how exactly did the malware infect the 51 ATM machines in Taiwan? Could it be that the model of the 51 ATM machines attacked made by Germany-based Wincor Nixdorf has been cracked by hackers?

That still remains a mystery to this day.

Many ATMs Out of Service in Near Term

Of First Bank's ATMs, 438, or more than half the total, are the model that was attacked in the heist. Because of concerns that the ATM model is vulnerable, First Bank Vice President Yeh Chung-huei said the machines would be phased out of service as the bank conducts a comprehensive information security check.

Even as details become somewhat clearer as to what happened, the many unknowns have people in Taiwan's financial services sector very worried. "We would have preferred that this was an inside job. The problem would have been much more straightforward that way," confides an IT executive in the financial sector.  

Attacking the Bank's Internal System

Asked how the malware got into First Bank's system, the executive, who spoke on condition of anonymity because he is not authorized by his company to speak publicly about security issues, said that aside from getting help from the inside, the hackers may have gone through the bank's network to get malware into the specific model ATMs they were targeting.

A few weeks before the heist occurred, First Bank carried out an ATM software upgrade. Software upgrades are normally implemented by having technicians transmit the new software to the ATMs due for the upgrade. That new software is normally sent by the ATM vendor to the client in a sealed package, without revealing the software's source code.  

In other words, the possible links used to embed malware in the system include: the ATM vendor's source code was compromised; when the software was sent, the sealed packet was destroyed and the code rewritten; or First Bank's network was hacked into long before the heist in Taiwan occurred, and when the bank's internal network transmitted the new software, the malware was sent with it.  

The executive explained that many malwares today primarily collect information, so while they spread viruses, they do not block normal commercial operations and are not easily detected.

"All of these softwares are extremely difficult (to deal with)," the executive says.

What banks can do to protect themselves is conduct internal scans, and update ATM software. Just as important is strengthening employee education to keep them from opening attachments from unknown origins.

"Information security in the financial sector is not just a matter for the information security division; it's something all bank employees must pay attention to," he says. 

"We are still investigating if the hackers controlled the computer of a particular employee or hacked into certain computers," says Lin Cheng-hsien, an official with the New Taipei Investigation Bureau, suggesting that the problem may have originated at various points in the system.

What's scary to investigators and bankers is that one of the malwares used in the heist was specifically designed to automatically delete all of the malwares and destroy any trace of their existence. They were only recovered with the help of the Investigation Bureau.

The First Bank ATM heist very well may have been the first time a Taiwanese financial institution was the victim of a major international hacking attack. The question for Taiwanese banks now is how to prevent repeats in the future.

Translated from the Chinese by Luke Sabatier