The great 45 million ATM heist, why it is not surprising.

Background
In case if you do not know, last week several arrest were made in New York city in connection to sophisticated cybercrime attack where cyber criminals made with $45 million in ATM withdrawal scam involving prepaid debit cards. The arrested thieves were small part of a well organized global ATM theft that involved more than 2000 ATM machines across 26 countries in a matter of 10 hours time. You can read the detail news about this here on New York Times website. This most sophisticated and biggest cyber theft in history has Indian connection to it, read about this here on our Times of India website.

I am not at all surprised with the incident as this has been waiting to happen someday. Here are few reasons behind why I believe this is not surprising:

1. Today we see lot of core banking and financial domain software is developed by companies who are not at all following security practices or do not have any training of how hackers can operate. These critical applications are further not tested for any security loop holes. All the testing that takes place on such applications is about functionality testing, stress testing. No tester thinks or is trained to think of tests cases with a cybercriminal in mind. As such no security testing takes place.
2. Due to stiff competition, squeezed deadlines developers of such critical software hardly follow any secure development life cycle. When designing systems for such software that handles financial transactions the design itself has to be such that even if one of the developer plans to hack the system it should be impossible. It needs implementing secure designing practices from the early stage of system design. This is hardly followed by software developing companies.
3. The biggest mistake done when designing these systems is to underestimate the insider threat perspective. This leads to non-adequate measures or zero measures implemented against insider threats in the system.

I believe all the above three reasons has role to play in this recent biggest cyber theft in the history. For common man, no matter how much precaution one take while performing online transactions, things can still get stolen if server side things are not that secure. It is high time that government should set new security standards for developing such critical financial systems and make sure they are enforced.