{"id":88760,"date":"2016-04-27T07:14:11","date_gmt":"2016-04-27T11:14:11","guid":{"rendered":"http:\/\/countingpips.com\/?p=88760"},"modified":"2016-04-27T07:14:11","modified_gmt":"2016-04-27T11:14:11","slug":"bank-heist-exposes-staggering-security-flaws","status":"publish","type":"post","link":"https:\/\/www.investmacro.com\/forex\/2016\/04\/bank-heist-exposes-staggering-security-flaws\/","title":{"rendered":"Bank Heist Exposes Staggering Security Flaws"},"content":{"rendered":"
April 27, 2016<\/div>
\r\n<\/div><\/div>

By WallStreetDaily.com<\/u><\/a> \"bangladesh-central-bank-hacked\"<\/p>\n

If you like stories about daring bank heists, you\u2019re gonna love this.<\/p>\n

One of the greatest thefts of all time occurred earlier this year \u2013 one where the robbers managed to escape with an impressive $80 million haul.<\/p>\n

And yet, it could\u2019ve been avoided so easily.<\/p>\n

The story is an unusual combination of sophisticated genius and a grossly negligent lack of security and oversight by bumbling bankers.<\/p>\n

In fact, the robbers could\u2019ve actually made off with $900 million more.<\/p>

\r\n
\r\n

Free Reports:<\/p><\/div>\r\n

\r\n

<\/a>\r\n\t Get Our Free Metatrader 4 Indicators<\/u><\/b><\/a> - Put Our Free MetaTrader 4 Custom Indicators on your charts when you join our Weekly Newsletter<\/p>

\r\n
\r\n
\r\n

<\/a>\r\n\t Get our Weekly Commitment of Traders Reports<\/u><\/b><\/a> - See where the biggest traders (Hedge Funds and Commercial Hedgers) are positioned in the futures markets on a weekly basis.<\/p>

\r\n<\/div>\r\n

\r\n
<\/div>\n

So what happened?<\/p>\n

The Most Ridiculous Thing You\u2019ll Hear All Year<\/h2>\n

Details are still emerging, but the basic story is that hackers got the passwords of Bangladesh\u2019s central bank to SWIFT \u2013 the international payments system used for global interbank transfers.<\/p>\n

Now, SWIFT is obviously a very secure system \u2013 or it was until last month.<\/p>\n

It\u2019s a closed system, which means you can\u2019t access it from the internet. To get in, you have to have control of one of the computers connected to its network. That\u2019s where the robbers\u2019 sophistication comes in.<\/p>\n

They spent weeks infiltrating the Bangladeshi computers, logging keystrokes, learning passwords, figuring out how to get from the internet to a SWIFT-connected computer.<\/p>\n

Needless to say, far from an easy task.<\/p>\n

But it was made much easier, thanks to some staggeringly stupid behavior on the part of the Bangladesh Central Bank.<\/p>\n

Normally, a connection from a secure to a non-secure computer is protected by a firewall \u2013 software written into computers, switches, and routers that detects which connection attempts are legitimate and which aren\u2019t.<\/p>\n

As you probably know, firewalls are so common these days that if you go to Best Buy and buy the cheapest computer, it will have a firewall pre-installed on it.<\/p>\n

Ready for the blindingly stupid part?<\/p>\n

The central bank had no such firewalls!<\/p>\n

In fact, Reuters reported that it used old switches, which sell for about $10 each.<\/p>\n

I\u2019m sorry\u2026 I know Bangladesh is a poor country, but it can afford better security than that when it\u2019s protecting $1 billion.<\/p>\n

A \u201cSWIFT\u201d Getaway<\/h2>\n

Once into the SWIFT system, the robbers started sending requests to transfer nearly $1 billion from the Bangladesh Bank account at the New York Federal Reserve to banks in Sri Lanka and the Philippines.<\/p>\n

At first, bankers in New York approved the transfers. Why wouldn\u2019t they? They came over a secure network from a trusted, known connection.<\/p>\n

But they eventually became suspicious. Why?<\/p>\n

Because some of the requests were to personal bank accounts. This is a red flag, since large central bank transfers are generally to other central banks, other bank \u201chouse accounts,\u201d and occasionally to large companies like defense contractors.<\/p>\n

The Fed employees started to hold up the transfers and used SWIFT to ask the Bangladeshis for more information. But nobody answered.<\/p>\n

It turns out that the weekend in Bangladesh is on Friday and Saturday \u2013 and most of Bangladesh\u2019s bankers had gone home by the time the request came in.<\/p>\n

The robbers also complicated matters by shutting down Bangladesh\u2019s SWIFT terminals so that the skeleton crew on Fridays was unable to get into the system and see the Fed requests.<\/p>\n

But that crew was<\/em> able to get into the system on Saturday \u2013 at which point, it asked the Fed to stop all payments until things were cleared up.<\/p>\n

But of course, Saturday is the weekend in the United States, too \u2013 and nobody saw those requests until Monday.<\/p>\n

By the time the scheme was discovered, it was mostly too late.<\/p>\n

How a Typo Cost $20 Million<\/h2>\n

Over $100 million of fraudulent transfers had been approved and the money had been withdrawn from the destination accounts.<\/p>\n

One eagle-eyed banker in Sri Lanka did allow about $20 million to be recovered \u2013 but only because the robbers spelled the word \u201cfoundation\u201d incorrectly on the transfer order.<\/p>\n

Yep, a spelling error cost our brilliant (but stupid) culprits another $20 million!<\/p>\n

The other $80 million is still missing. But where?<\/p>\n

It was quickly removed from accounts in the Philippines and \u2013 believe it or not \u2013 used to buy casino chips.<\/p>\n

This is where the robbers got crafty again.<\/p>\n

You see, in almost every country where casinos are legal, they\u2019re required to cooperate with banking authorities on money-laundering matters. Except in the Philippines.<\/em> So nobody knows who bought the chips. This was a weakness in the banking system that had been known for years.<\/p>\n

But this crime may yet be solved.<\/p>\n

Fixes for a Flawed System<\/h2>\n

After all, $80 million is a big haul. Especially when it comes in the form of casino chips!<\/p>\n

So even if they\u2019re sold in the streets at a discount, a stream of people coming in and cashing in millions of chips might lead authorities back to the culprits.<\/p>\n

Regardless of how this tale ends, however, it points to several weaknesses in the international banking system \u2013 weaknesses that cost real money and undermine confidence in the banking system.<\/p>\n

But there are improvements that could be implemented to prevent another heist:<\/p>\n