A comical typo saved the Bangladeshi central bank from losing as much as $1bn to hackers, but of the $101mn stolen, $81mn is yet to be found.
Hackers broke into Bangladesh Bank’s computer systems in early February, stole the credentials needed to authorise payment transfers via the SWIFT interface and asked the Federal Reserve Bank of New York to make massive money transfers from the Bangladeshi bank’s account with the Fed to overseas accounts. Four transfers to the Philippines totalling about $80mn worked. But a fifth, for $20mn to be sent to a fictitious Sri Lankan non-profit group, was flagged as suspicious by a routing bank in the country because of the “fandation” (instead of “foundation”) error.
The requests still waiting to be processed, amounting to up to $870mn, were thus halted.
Now the Bangladeshi central bank is in turmoil. Its governor as well as top officials have resigned; the country’s leading cybercrime experts have been kidnapped, and the Federal Bureau of Investigation is assisting the Bangladeshi authorities amid suggestions of insider help for the theft.
There are lessons to be learnt: Central banks make fat targets. Those in the developing world, with lots of new capital but not as much digital fortification, are especially at risk. Bangladesh has some $28bn in foreign currency reserves with alarmingly rickety fences around it: A hacker’s dream. Officials at Bangladesh Bank also kept quiet for more than a month, a grim reminder of how crucial information sharing is.
Even after a successful heist, preventing hackers from moving the money requires global co-operation. The thieves in this case laundered much of the cash through casinos in the Philippines, where casinos are exempted from otherwise strict anti-money-laundering requirements.
The heist has also shown that the SWIFT messaging system is not 100% impregnable. While Brussels-based SWIFT, a co-operative owned by some 3,000 global financial institutions, can advise members to follow certain minimum security standards, there is no organisation with regulatory oversight of how central banks and other financial institutions secure their networks, according to IT experts.
The puzzling episode should serve as a wake-up call for the Gulf region, one of the most securely connected in the world, to dig deeper to counter ever-mutating cyber security threats. Depending on the country, from a quarter to more than half of the organisations in the region have said they faced viruses and other malware, phishing and software vulnerabilities in the past year, according to a Kaspersky Lab report last April.
Despite the irreversible acceleration of “Internet-of-Things” technology, the fact remains that even the most secure IT installations in the world are not always beyond a breach. But cyber security, though prosaically boring, is everyone’s responsibility. (The “I am not a technical person” explanation from the now ex-governor of Bangladesh Bank can’t help.) Making better use of encryption, access controls and strong verification systems with constant updating can help, but nothing can substitute for training and vigilance.
Hackers only have to get lucky once, but the financial world needs to be on alert round the clock.