Back in February 2016, thieves stole US$81m from the Bangladesh Bank with the possible involvement of an insider. No one broke in, no one wore masks or walked into a bricks and mortar building carrying weapons.
Scripted in Hollywood?
The audacious plot originally set out to steal $951m by sending instructions through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial messaging system. SWIFT is the internationally-recognised identification code for banks around the world used for global wire transfers.
Gone are the days of Butch Cassidy and stick-up kids physically removing cash in swag bags. Thefts on this monumental scale are no longer Hollywood scripts but the reality of operating a supposedly trusted financial institution. Though strict regulatory compliance is now a part of the financial industry's DNA, how could this happen?
No one was hurt except the reputation of the bank itself, which is the central bank of Bangladesh and a member of the Asian Clearing Union. “SWIFT is trying to coerce its banking members into prioritising cyber security by threatening to share confidential information about security lapses that banks want to keep private,” said Shane Shook, an independent security consultant who advises central banks.
The plot, the damage and the insider?
Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded, with $20 million traced to Sri Lanka, which has since been recovered. A further $81 million was sent to the Philippines, of which only $18m has been recovered to date. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank.
The February 2016 cyber attack on the Bangladesh central bank is not the first of its kind. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers who stole $250,000. In 2015, two other hacking attempts were recorded: a $12 million theft from Banco del Austro in Ecuador in January and a further attack on Vietnam's Tien Phong Bank in December that was not successful. In all of these cases, the perpetrators are suspected to have been assisted by insiders within the targeted banks, who were aided in taking advantage of weaknesses within the SWIFT global payment network. In total, as many as 11 hacks have been linked with attacks on banks' SWIFT payment messaging systems.
So is it now open season on the networked financial community, and is the apparent success of these breaches the green light, the ultimate challenge, for organised hacking groups?
Reuters reported that SWIFT this week sent letters to its banking members advising them to “bolster” their security systems as new cyber theft attempts, many of which have been successful, have surfaced since June. Reuters also quoted the disclosure: "Customers’ environments have been compromised, and subsequent attempts made to send fraudulent payment instructions." "The threat is persistent, adaptive and sophisticated - and it is here to stay." All of the victims shared one thing in common: weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.
The term “local networks” points to potential compromises in the network perimeter, which raises the question: were these attacks really aided by an insider bypassing access protocols to SWIFT messaging systems? If the response to this question has a hint of yes, then clearly, with the right tools and procedures, if insiders are involved it’s only a question of time before they’re cornered.
The authorities have spoken...
On Monday, six U.S. senators urged G20 nations, when they meet at a summit this weekend, to agree on a “coordinated strategy to combat cyber-crime at critical financial institutions.”
In April this year, the Bank of England ordered UK financial institutions to detail actions to secure computers connected to the SWIFT system, whilst in May the European Banking Authority said that domestic authorities should stress test banks for cyber risks. The Federal Reserve and other U.S. agencies told banks in June to review procedures against fraudulent money transfers.