Wanted: Bank Robber, Gun Not Required

If you remember the old saying that something vital was as safe as “money in the bank,” you’ll want to update your assumptions.

As we reported earlier this year, in February hackers gamed the international interbank transfer system known as SWIFT for a cool $101 million. Pretending to be Bangladesh’s Central Bank, the thieves conned the U.S. Federal Reserve into sending money to a string of casinos in the Philippines.

Setting aside the question of whether someone should have found it odd that a central bank was wiring money directly to foreign casinos, it’s still not clear how the bandits made off with their haul. As of this writing, with all the international resources of the FBI on the job, only $20 million has been recovered. That means there are hackers on a yacht somewhere soaking up the sun and living large on $81 million funneled right out of the international banking system. The scariest part? The only thing that stood between the criminals and their initial goal of getting away with more than one billion was someone finally noticing a simple typo in one of the transfer requests.

The fact that the bogus transactions haven’t been traced yet, despite virtually the entire banking world looking for them, says as much about the security of our financial systems as it does about the skill of the hackers. If our central banks, which one would think would be the most secure institutions on the planet, are this vulnerable, what does that say about the rest of our banking systems? How many losses have gone unsolved, undisclosed or undiscovered one can only guess.

An Inside-Out Job

The FBI is claiming the bad guys had inside help, which is the go-to conclusion when investigators can’t figure out how thieves pulled off a heist. Why they picked the Bangladesh Central Bank (BCB) is less of a mystery. Turns out security was laughably lax at the bank, which had no firewall and was using a ten-dollar network setup at the time it was compromised.

In SWIFT’s defense, its software and system are incredibly hard to hack into—from the outside. But once the thieves had direct access, having gotten through the BCB’s non-existent network security, they were able to hack into SWIFT from within the Bangladesh bank’s system and even use malware to send authenticated settlement notices. When confirmations were received from a server in Egypt, the malware even covered its tracks, deleting both the confirmation and transaction records.

Shady Partners

It’s also somewhat less than a mystery why the hackers decided to send the money to the Philippines. The funds transfers were sent to the Rizal Commercial Banking Corp. held by two Chinese nationals who organize gambling junkets to Macau and the Philippines. The money was then transferred to a string of casinos and from there to a series of international bank accounts. Philippine casinos are exempt from money laundering regulations and were under no obligation to report the suspicious transactions. Two officers at Rizal are facing charges after one of them was caught taking $427,000 out of one of the thieves’ transfer accounts.

The Real Forehead-slapper

Now we get word that, just last week, yet another bank, this time in Vietnam, was discovered to be infected with the same malware used in the Bangladesh attack. This time no one’s saying how the intrusion was discovered, or how much money the thieves stole, a silence that implies the haul was probably substantial. Why the SWIFT system hadn’t been patched against the known threat of the very malware used in the previous attack is another mystery. None of those questions is particularly flattering for the international banking system, or reassuring to bank customers.

And the Next Weak Link?

SWIFT is based in Brussels and is a bank-owned cooperative. The finger-pointing started within days, with authorities in Bangladesh accusing the SWIFT system of failing to patch known software vulnerabilities, and SWIFT retorting that the issue was lax security on the part of the bank. SWIFT maintains it was simply processing properly formatted settlement instructions.

What we know for certain is that SWIFT system security was only as strong as its weakest link. We know that $81 million is still missing and the fact that it has been missing this long lowers the likelihood it will ever be found.

The far bigger story here is that the safeguards underlying the world’s banking systems are clearly vulnerable to a well-crafted attack. It’s doubtful thieves are going to confine their ambitions to Bangladesh and Vietnam; it seems more likely that your bank, and mine, are in some criminal’s sights at this very moment, our brokerages as well. Any widely known store of digital, hackable wealth is vulnerable. The question becomes, do you protect yourself now, or wait until a catastrophic theft occurs? Or, to be more precise, until you’re finally notified a theft has occurred? Or do you take a portion of your wealth off the table, and put it in a physical asset no thief can hack?