A generic background image tangentially related to the post

Lessons learned from the Bangladesh Bank hack

Eric Tabor  |  May 11, 2016

Share: Share on FacebookTweet about this on TwitterShare on LinkedInGoogle+

Years ago, bank robberies were a very physical affair. Criminals donned ski masks and shot automatic weapons in the air, shouting for tellers to step away from the silent alarm buttons. That said, it would appear thieves have decided that this is just a little too much work. Hacking banks in order to steal money allows for the same reward without having to deal with a hostage negotiator.

In fact, the most recent cyberattack levied against Bangladesh Bank shows just how lucrative these schemes can be. The hackers involved in this scenario made away with around $81 million, which is more loot than any ski-masked thug could ever carry away. However, perhaps the most interesting part of this whole debacle is that this is nowhere near what the culprits originally intended to get. Investigators have discovered that the original plan was to take close to $1 billion when all was said and done, according to Ars Technica.

Unfortunately for the individuals involved, a simple typo wrecked what could have been the biggest criminal act of all time. A transaction meant for the Shalika Foundation was spelled as “Fandation,” which tipped employees off that something was afoot. Regardless, this is still a massive undertaking that demands intense review.

“Bangladesh Bank isn’t completely free of blame.”

How did they get in?

To understand how this whole scheme began, it’s important to comprehend how Bangladesh Bank sends and receives funds. Institutions like this rely on SWIFT software, which basically creates a private network between a large number of financial organizations. This lets them send money to each other without having to worry about hackers – or so the banks thought.

Gaining access to the transactions within this network was basically impossible, unless someone were to be able to compromise a bank’s internal IT systems. This is exactly what the criminals did.

However, Bangladesh Bank isn’t completely free of blame here. The only reason that hackers were able to gain entry was because the financial institution was relying on old second-hand switches that cost about $10 each. Considering how much was at stake, pinching pennies in such a crucial department seems incredibly irresponsible in hindsight. What’s more, the bank didn’t even have a firewall set up to keep intruders out.

Once hackers bypassed this low level of security, they were given free rein to do as they pleased. Accessing Bangladesh Bank’s network allowed them to move on to SWIFT, as the cheap switches didn’t keep these two separate. However, the really interesting part of this whole criminal act was how they took the money without anyone noticing.

Why weren’t they discovered sooner?

In order to make off with the cash, the criminals had to access a piece of software called Alliance Access. This is used to send money, which allowed the hackers to increase transactions in order to make a profit. However, Alliance Access also records transactions. This was a big problem for the thieves, as they couldn’t make money if someone knew they were stealing it.

To fix this, the hackers simply inserted malware that disrupted the software’s ability to properly regulate the money that was being moved. On top of that, this malicious code also modified confirmation messages about the transactions. This allowed the criminals to continue to operate in obscurity, racking up millions of dollars without anyone being the wiser. In fact, they would have gotten close to $1 billion if one of these altered reports didn’t have a spelling error.

A small error cost these hackers hundreds of millions. The hackers could have made so much more money if they’d checked their spelling.

However, understanding so much about how Bangladesh Bank’s system worked has pointed investigators to the notion that this was an inside job. In fact, The Hill reported that “people familiar with the matter” know that a major suspect is a person who works at the bank. No one has been named yet, but getting an employee in on the job certainly makes sense.

Network assessments are a must

Regardless of whether or not this turns out to be an inside job, the fact still remains that Bangladesh Bank was incredibly vulnerable to a hack like this. Relying on cheap network switches is bad enough, but not having any sort of firewall is a major hazard that modern institutions simply cannot allow.

This is why every company should consider receiving a network assessment from ISG Technology. Our skilled experts know how to spot glaring vulnerabilities such as these, and can suggest fixes to ensure the security of private data.

The following two tabs change content below.
a6d0cc4b8ddefee4a797baec68da4dac?s=80&d=identicon&r=g

Eric Tabor

Chief of Staff | Vice President- Strategy & Operations at ISG Technology
Eric joined ISG Technology in 2012 bringing with him experience from ISG’s parent company, Twin Valley Telephone, Inc. He is a member of the Twin Valley senior management team that managed the company’s organic and acquisition growth strategies resulting in the company tripling in size from 2005-2010. Prior to joining Twin Valley he held sales and operations leadership roles at Southwestern Bell/SBC in multiple Midwest locations. He holds a B.A. in Mass Media and Communications from Washburn University. Eric currently resides in Olathe, KS with his wife and their two children.
About

Eric joined ISG Technology in 2012 bringing with him experience from ISG’s parent company, Twin Valley Telephone, Inc. He is a member of the Twin Valley senior management team that managed the company’s organic and acquisition growth strategies resulting in the company tripling in size from 2005-2010. Prior to joining Twin Valley he held sales and operations leadership roles at Southwestern Bell/SBC in multiple Midwest locations. He holds a B.A. in Mass Media and Communications from Washburn University. Eric currently resides in Olathe, KS with his wife and their two children.

Posted in Blog, Cloud Hosting, Continuity, Finance, Security Tagged with: , , , ,
Menu