New details unearthed about how cybercriminals stole $81 million out of a Bangladesh Bank account at the Federal Reserve Bank of New York provide insight into how the theft occurred, some of the vulnerabilities that were exploited and what banks can learn from the incident.
The results of the investigation so far leave questions around how criminals were able to pull off such a feat and what other institutions can do to protect themselves.
Following is a breakdown of what we know, what we don’t, and what it means:
What We Know
Criminals used a cunning piece of malware that allowed them to compromise the Bangladesh Bank. The software that was most likely used is capable of not only bypassing validation checks and deleting traces of fraudulent transactions from computers, but also generating fake confirmation receipts and directing a local HP printer to print them, according to new details published on BAE’s blog on Monday.
The malware works by registering itself as a service and operating within an environment running Swift’s Alliance Access software and an Oracle database. That allows the malware to monitor activity for useful information related to Swift transactions. The program modifies Swift software to bypass validity checks.
“By modifying the local instance of Swift Alliance Access software, the malware grants itself the ability to execute database transactions within the victim network,” the blog states.
The malware can also delete transactions and modify a bank’s account balance in the Oracle database, thereby erasing all traces of fraudulent activity. It even prints out fake confirmations. The doctored copies help cover up the fraud.
But it was still a large cyberheist. Swift said in a statement that the mandatory software update it issued this week will help members “enhance their security and to spot inconsistencies in their local database records.” The organization also urged members to step up their security and anti-malware efforts to protect their systems, especially those used to access Swift.
But it wasn’t just the program that allowed criminals to steal so much – there was also a significant amount of human error.
The Wall Street Journal published a timeline of the attack and blamed “bankers’ hours” for the execution of four fraudulent wire transfers, which ended up being used to buy gambling chips at casinos in the Philippines.
The hackers timed their attack to exploit the weekend, which falls on Friday and Saturday in Bangladesh. On Thursday, Feb. 4, the New York Fed approved five transaction requests that appeared to come from the Bangladesh Bank, according to the Journal’s timeline.
Later that night, the Fed sent the Bangladesh Bank queries about another 12 transfer requests from the hackers. At 11:30 that night, Bangladesh Bank officials found their Swift interbank-messaging terminal wasn’t working, likely because it was disabled by the hackers.
The next day (Friday), after 4:00 p.m., the Fed sent new messages to Bangladesh Bank questioning the transfer requests, including four of the five it had put through and 30 it had blocked that day. Because of its computer problems, the Bangladesh Bank didn’t see those messages from the Fed until 12:30 p.m. Bangladesh time, which was 1:30 a.m. in New York. Between 2:31 a.m. and 7:03 a.m. Eastern on Saturday, Bangladesh Bank sent three emails and a fax to the New York Fed, trying to get the payments stopped; those messages went unanswered. Bangladeshi officials also called the Fed office in New York several times, to no avail.
On Sunday, Feb. 7, Bangladeshi officials started up a backup server and saw dozens of messages from the Fed asking Bangladesh to reconfirm requests to transfer up to $950 million. By then, $101 million had already been wired out of the account to Sri Lanka and the Philippines. (One of the transactions was blocked by routing bank Deutsche Bank, which became suspicious when the hackers requested funds be transferred to the “Shalika Fandation.” The misspelling of “foundation” drove the bank to seek clarification from Bangladesh's bank, which immediately stopped the fraudulent transaction.)
What We Don’t Know
The most important questions -- how did hackers break into Bangladesh Bank computers in the first place, how did they create and send the Swift transactions, and who are the perpetrators -- have yet to be fully answered.
By all accounts, Bangladesh Bank was running light security. Bangladesh police told Reuters the bank used $10 routers with no firewalls. This would make it relatively easy for hackers to break in and steal Swift credentials.
The Brussels-based Swift network, which is owned by 3,000 financial institutions and used by 11,000, is private, and most banks set up their accounts to only allow transactions with certain parties. This means it should be hard for someone outside a bank to attack the network. But if a hacker breaks into a member bank, the cybercriminal can access its Swift software and use its authorized access to the Swift network.
Swift requires the use of a one-time password generated by a hardware token before authorizing a payment message. Experts say that generally, hackers know how to game this security method.
“One-time passwords generated by hardware tokens have been beaten for years by the fraudsters,” said Avivah Litan, vice president at Gartner. “They’ve even beaten dual authentication, when two separate users have to enter hardware token-generated one-time passwords by compromising those two separate user accounts in a similar manner.”
Hackers can divert the one-time password to themselves and enter it, and give the actual user a message telling them to come back later because the system is having problems.
“It’s frankly inexcusable to still rely on a one-time password alone to protect a high risk account,” Litan said.
What This Means for Banks
The tools, techniques and procedures used in the attack may allow the group behind this cyberattack to strike again, the BAE blog said. “All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”
Obviously, strong firewalls and tough authentication procedures would be high on the list. Air-gapping computers used for Swift transactions could also help.
Jonathan Sander, vice president with Lieberman Software, said banks need to be aware of counterparties’ security practices.
“If a new partner is using $10 routers and no firewalls to run critical IT systems that you will now be directly dependent upon, wouldn’t you want to know that before signing any contracts?” he said. “Basic cybersecurity practices will soon become as common sense to business partnerships as basic insurance coverage is today.”
As Avivah Litan noted, dual-factor authentication with a one-time password may no longer be enough to secure large transactions. Some day, biometrics or some other high-test authentication technology may be needed to secure international payments. And having staff check in on weekends about international wire transfers may also become a best practice.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.