A traditional Chinese New Year celebration with volumes of ‘prosperity and good luck’ money gifts, asynchronous working days across two time zones, procedural and regulatory vulnerabilities, and straight-through automated processing were among the elements that delayed detection of and response to the Bangladesh Central Bank cyber break-in. They allowed sophisticated, well-organized criminals to launch their attacks on the payment system linking the Bangladesh Central Bank, the Federal Reserve Bank of New York and a network of commercial and correspondent banks, and to come within reach of a haul of US$1 billion. Two words raised red flags and stopped 31 of the 35 fraudulent transactions, but not before US$81 million had made its way into the casino industry in the Philippines.
What do we know so far?
The attack combined the modern technique of hacking into computers with malware and old-fashioned money-laundering skills.
Investigations by the authorities suggest that preparatory work may have begun as long as a year earlier, in May 2015, with the opening of bank accounts at a Philippines bank (Rizal Commercial Banking Corporation); the accounts were then left dormant, with no transactional activity, until the attack in February 2016.
The introduction of the malware into the Bangladesh Central Bank is likely to have taken place at least a month before the attack. Audit trails suggest that trial runs may have been conducted beforehand. According to the Bangladesh Police Criminal Investigation Department, the computer network at the Bangladesh Central Bank was not adequately secured: an unprotected firewall combined with weak passwords, together with unused ports and a remote access channel that were not adequately hardened, opened up entry points and allowed the criminals to penetrate the network perimeter.
Procedural vulnerabilities also hampered rapid detection of and response to the breach: contingency plans for a breakdown of equipment (in this case the cross-border payment SWIFT software and the printer that would have listed the payment instructions) and alternate communication channels failed to kick in. Additionally, timeliness of response was complicated not only by time zone differences but also by asynchronous workweeks between Bangladesh and New York…