Slashdot Mirror


Hackers Steal Bank's Crypto Credentials, But Are Foiled By Their Own Typo (reuters.com)

New submitter tlambert writes: Unknown persons stole Bangladesh Bank transfer credentials for payments via the international banking system, and then proceeded to start moving money to the Philippines and Sri Lanka. A human foiled the plot after ~$80M had been stolen with another $870M stopped, after they noticed the word 'foundation' misspelled in one of the requests. Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials. (Note: Bangladesh Bank isn't like Bank of America; it's the country's central bank.)

45 comments

  1. You always have to watch for fandamental errors by mykepredko · · Score: 2

    I got nothing to add after the pun in the subject line.

    1. Re:You always have to watch for fandamental errors by idbeholda · · Score: 1

      dankeykang.jpg

  2. Fraud by Anonymous Coward · · Score: 0

    Foreign people involved in fraud always misspell shit.

    1. Re:Fraud by sysrammer · · Score: 1

      Foreign people involved in fraud always misspell shit.

      ...or, at least, that's what they want you to think.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  3. authentication fail by Anonymous Coward · · Score: 0

    Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials.

    Wat?

    1. Re:authentication fail by Anonymous Coward · · Score: 0

      Time to take the keys to the financial system away from the kids... Those darn kids

    2. Re:authentication fail by BronsCon · · Score: 1

      This. It's almost like they don't want anyone trusting their credentials ever. I'd be game for that, actually.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:authentication fail by MachineShedFred · · Score: 1

      How dare you trust the credentials that were stolen from us! You should have known they were stolen, even though we didn't even know!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    4. Re:authentication fail by WarJolt · · Score: 1

      That kind of capital is chump change for the Fed. For these foreign banks it's a lot of money. You'd expect that kind of money transfer to trigger some sort of alert before it goes through, but the Fed isn't in the business of bailing out foreign banks. I'm sure domestic banks are another story.

      There is always some engineer or IT guy with the keys to the kingdom at these banks with potentially more power than Janet Yellen.

    5. Re:authentication fail by niftymitch · · Score: 1

      Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials.

      Wat?

      The FBI wants into this... clearly they used an iPhone.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    6. Re:authentication fail by BronsCon · · Score: 2

      And there are transaction rollback procedures in place in case that engineer or IT guy misbehaves. If Bangladesh Bank hadn't revoked the credentials, then why should the Federal Reserve bank not have trusted them? Your transaction credentials are your identity in the banking system; telling another bank not to trust your (valid and not revoked or reported compromised) credentials is effectively telling them not to trust you. I'll repeat myself: if that's what Bangladesh Bank wants, it's what they should get. They don't want their credentials to be trusted by foreign banks, let foreign banks not trust them, remove them from the world banking system, and see how long it takes them to take responsibility for their own security, fix the issue that allowed this in the first place, and come begging to once again participate in the world banking system. I give them a day or two to take responsibility and start begging, before being told to fix their shit and try again, a year or so to fix it (we're talking about government, I'm being generous), and another year to redevelop their relationships with the rest of the world banks.

      You don't play soccer without a cup, then blame the other players, take your ball, and go home when you get a cleat to the nuts. That's basically what Bangladesh is doing here.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. asshats by Anonymous Coward · · Score: 0

    "Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials" Are you serious? Fuck you, Bangladesh.

  5. RIP by Anonymous Coward · · Score: 2, Insightful

    A typo the source of an almost $1BILLION mistake? Someone's going to die behind this...

    1. Re:RIP by Noah+Haders · · Score: 3, Insightful

      Maybe they'll be hacked to death by a mob with meat cleavers in public in broad daylight. Oh wait that only happens to bloggers.

    2. Re:RIP by Anonymous Coward · · Score: 0

      I think you're underestimating the type of people behind these kinds of things. Someone, somewhere, is out of a lot of money because someone fucked up.

    3. Re:RIP by Koby77 · · Score: 2

      While the $1 billion theft was prevented, approximately $100 mil was still stolen. Not bad for a heist. Bangladesh is very angry, and will do anything at this point to blame others.

    4. Re:RIP by Razed+By+TV · · Score: 2

      Maybe, but I see something else: Hackers got 80 million that they can reinvest in training (like learning English) so they can be more effective in the future.

    5. Re:RIP by currently_awake · · Score: 1

      The whole point of banking credentials is so you can trust them. If the NSA wants to justify all their spying, this would make a good case to work on.

  6. How deep is U.S. Fed involvement by Anonymous Coward · · Score: 0

    I was surprised to see the U.S. Federal Reserve involvement in Bangladesh.
    But then I was surprised to see the 2008 depth of involvement of US investment companies in foreign governments.

    Does the Fed have this kind of involvement with the banking system in many countries?

    1. Re:How deep is U.S. Fed involvement by Anonymous Coward · · Score: 1

      The Fed provides a variety of services to more than 200 foreign central banks, foreign governments and international official institutions.
      https://www.newyorkfed.org/aboutthefed/fedpoint/fed47.html

      Yes, remember when you bitch about "the bankers" that for most of the world, WE are the bankers.

    2. Re:How deep is U.S. Fed involvement by requerdanos · · Score: 2

      Yes, remember when you bitch about "the bankers" that for most of the world, WE are the bankers.

      I am not a banker. Never have been.

    3. Re:How deep is U.S. Fed involvement by Anonymous Coward · · Score: 0

      I never had sexual relations with my left hand .

      Oh Wait I you said ...

  7. modern security weakness is inbound signaling by jtayon · · Score: 1, Insightful

    Modern security, especially for this kind of amount of money, would really be worth having an out-of-band validation of money transfers.

    Not taxing transactions does not mean that transactions should have non-null costs. So de facto the minimal tax that should be imposed on money transactions on the internet MUST be a strong, real authentication of the persons, outside the internet plane, to validate transactions.

    Else, we are just giving fraudsters a good incentive to cheat. Especially since the victims are all forced to pay by subscribing to insurance covering internet fraud, so internet payment actors have no incentive to stop the fraud since it is pumping their benefits.

    1. Re:modern security weakness is inbound signaling by pla · · Score: 1

      especially for this kind of amount of money

      80 million shuffling between central banks amounts to chump change. Even the full billion would barely raise eyebrows (less than 1% of the GDP of Bangladesh).

    2. Re:modern security weakness is inbound signaling by Anonymous Coward · · Score: 1

      Losing 1% of your country's GDP would be a huge deal. That would mean 1 in 100 people being out of a job.

    3. Re:modern security weakness is inbound signaling by Barny · · Score: 2

      I am sorry, 1% of a country's GDP is ALWAYS a lot of money. Well, except Greece. But for most, transferring such a large sum to a foreign, private destination should be a huge red flag.

      --
      ...
      /me sighs
  8. Sounds like something Michael Bolton would do by NormalVisual · · Score: 3, Funny

    He always messes up some mundane detail.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
    1. Re:Sounds like something Michael Bolton would do by jaxn · · Score: 1

      Ugh no moderation points. Funny nonetheless.

      --
      "Being alive is a crock of shit." --Kilgore Trout
  9. Bank of America? by darthsilun · · Score: 3, Informative

    (Note: Bangladesh Bank isn't like Bank of America; it's the country's central bank.)

    Bangladesh Bank is like the US Federal Reserve; it's the country's central bank.

    fixed that for you.

    1. Re:Bank of America? by Anonymous Coward · · Score: 0

      Darthsilun, thank you very much.

      I personally knew what was meant, but comparisons to the negation of something else are always difficult and are rarely useful. For example:

      Note: Bangladesh Bank isn't like Bank of America

      basically leaves open the possibility it is like a puppy, an angry group of loan sharks, a friendly grandmother, the esteemed law firm Dewey, Chetum, and Howe, and many others (limited only by one's imagination).

      As for the article, it is disturbing that India basically applies similar standards of quality to their National Reserve as they do to all the software development outsourced to them. It is almost a shame that they weren't defrauded at a massive scale, as it would be poetic justice.

    2. Re:Bank of America? by Anonymous Coward · · Score: 0

      The Federal Reserve is neither federal nor a reserve. It is a private corporation owned by wealthy people given financial powers by the government. It is as federal as Federal Express.

    3. Re:Bank of America? by Anonymous Coward · · Score: 0

      India? Uh....

    4. Re:Bank of America? by Anonymous Coward · · Score: 0

      It is however, the central bank, which is all that was being claimed and all that is relevant.

    5. Re:Bank of America? by Anonymous Coward · · Score: 0

      It is 'Federal' if its head gets to be appointed by the President

  10. The solution to these problems is... by Adeptus_Luminati · · Score: 2

    ... to create a private and permission-based blockchain between banks a la R3CEV.COM with so far 46 banks. This way, when the keys get compromised, that hacker can be the richest person in the world.

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
  11. ohhh... by nult · · Score: 1

    Things that make ya go ohhhhhhhhh! I'm guessing the guy/girl who made the typo will be kicked out of their h@ck3r club..haha

    1. Re:ohhh... by rtb61 · · Score: 1

      More like an insider job, likely with the backing of corrupt intelligence services. Once you get to that level, you are well outside the scope of amateur hackers. By far the majority of high level hacks will be government intelligence contractors (the inherent nature of the people they recruit) and actual government agents; the more corrupt the government, the far more likely that is to happen. So pretty much a solid indication of how much private interests must protect themselves from government invasion, especially as that invasion is global: the whole world's governments, from the mostly honest to the mostly corrupt, all of them represent a risk. All it takes is one corrupt individual from the most honest government to shift the knowledge for a fee and a percentage to the most corrupt government and any back door becomes a front door (whether that back door was a bug or a secret insertion or a purposeful insertion).

      --
      Chaos - everything, everywhere, everywhen
  12. Bangladesh bank isn't like Bank of America by Opportunist · · Score: 1

    I fully expected that sentence to end with "they usually know how to spell security".

    Not because I know the BB, but I know the BoA.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Blame America First by Anonymous Coward · · Score: 0

    Yes, it's totally America's fault that Bank of Bangladesh couldn't keep their crypto keys secure.

  14. Bitcoin users not affected by Anonymous Coward · · Score: 0

    Someone "hacks into a bank and steals all the money"? I thought this sort of thing was impossible with traditional banks because the charge can just be reversed?

    Bitcoin users not affected. :-)

    1. Re:Bitcoin users not affected by Anonymous Coward · · Score: 0

      Actually this is a real possibility with bitcoin too..

      What's needed is a dual auth-chain where you select to do a transaction and then let a second device/person authorize the actual transaction... Possible in bitcoin but not in use to any big degree..

      But anyway... for any transaction from a big bank I was surprised that it did not require dual signing of the transaction... One by the person that wants to do it and one from someone that does the actual transaction approval.. Throw in that the transaction would need to contain a signature from the bank employee that wanted to do the transaction... I.e. something like:
      1. Bank employee signs the transaction with a smartcard or other remotely accessible device.
      2. Transaction approver approves and signs off on the transaction. Also with a smartcard etc.
      3. If both employee and transaction approver signatures match then the bank signs the full chain.
      4. Receiving bank would then validate all 3 signatures.

      If you want to add a bit of extra security the owner of the account would also have to sign the transaction at step 0..

      All certs in use would be signed with the CA certificate of the bank, and the CA certificate should never be kept online.
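      A runnable sketch of that four-step chain, added here as an example; it is not code from the commenter or from any bank. Lamport one-time signatures over SHA-256 stand in for a real signature scheme so it needs only Python's standard library (every key signs exactly once, so the CA mints a fresh key per certificate), and the poster's "certs signed with the CA certificate of the bank" is modelled as a list of CA public keys that the receiving bank pins. The subjects, account ids and amounts are constructed. Beyond the honest flow it shows two rejections the receiving bank's own check produces: a transaction altered after approval, and a message built with stolen bank-level credentials but no certified employee and approver signatures.

```python
# Added example (not the commenter's or any bank's code). Lamport one-time signatures
# over SHA-256 stand in for a real scheme so this needs only the standard library; each
# key signs once, so the CA mints a fresh key per certificate. All names are constructed.
import hashlib
import json
import secrets
N = 256  # one secret pair per bit of the SHA-256 digest
def sha(data): return hashlib.sha256(data).digest()
def hexlist(items): return "".join(x.hex() for x in items)
def unhex(s):
    raw = bytes.fromhex(s)
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]
def canonical(obj):  # deterministic bytes so every party signs exactly the same thing
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def keygen():  # secret: 512 random 32-byte strings (sk[2*i+bit]); public: their hashes
    sk = [secrets.token_bytes(32) for _ in range(2 * N)]
    return sk, [sha(s) for s in sk]
def bits(msg):
    h = sha(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, msg): return [sk[2 * i + b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == N and all(sha(sig[i]) == pk[2 * i + b] for i, b in enumerate(bits(msg)))

class OfflineCA:  # the sending bank's CA, kept offline; peers pin `anchors` (its public keys)
    def __init__(self, max_certs):
        self._keys = [keygen() for _ in range(max_certs)]
        self.anchors = [hexlist(pk) for _, pk in self._keys]
        self._next = 0

    def issue(self, subject, role, pk):  # one-time keys, so one CA key per certificate
        idx, self._next = self._next, self._next + 1
        body = {"subject": subject, "role": role, "pk": hexlist(pk)}
        return {"body": body, "ca_key": idx, "sig": hexlist(sign(self._keys[idx][0], canonical(body)))}

def cert_valid(cert, anchors, role):
    idx = cert["ca_key"]
    return (cert["body"]["role"] == role and 0 <= idx < len(anchors)
            and verify(unhex(anchors[idx]), canonical(cert["body"]), unhex(cert["sig"])))

def signed_by(cert, payload, sig_hex):
    return verify(unhex(cert["body"]["pk"]), canonical(payload), unhex(sig_hex))

def employee_initiate(tx, sk, cert):  # step 1: the employee signs the transaction
    return {"tx": tx, "employee": {"cert": cert, "sig": hexlist(sign(sk, canonical(tx)))}}

def approver_approve(bundle, sk, cert):  # step 2: the approver signs tx + employee signature
    msg = {"tx": bundle["tx"], "employee_sig": bundle["employee"]["sig"]}
    return {**bundle, "approver": {"cert": cert, "sig": hexlist(sign(sk, canonical(msg)))}}

def staff_chain_valid(bundle, anchors):
    emp, appr = bundle.get("employee"), bundle.get("approver")
    if not (emp and appr and cert_valid(emp["cert"], anchors, "employee")
            and cert_valid(appr["cert"], anchors, "approver")):
        return False
    if emp["cert"]["body"]["subject"] == appr["cert"]["body"]["subject"]:
        return False  # four-eyes rule: initiator and approver must be different people
    appr_msg = {"tx": bundle["tx"], "employee_sig": emp["sig"]}
    return signed_by(emp["cert"], bundle["tx"], emp["sig"]) and signed_by(appr["cert"], appr_msg, appr["sig"])

def bank_countersign(bundle, sk, cert, anchors):  # step 3: bank signs the whole chain, or refuses
    if not staff_chain_valid(bundle, anchors):
        return None
    body = {k: bundle[k] for k in ("tx", "employee", "approver")}
    return {**body, "bank": {"cert": cert, "sig": hexlist(sign(sk, canonical(body)))}}

def receiving_bank_accepts(msg, anchors):  # step 4: the peer re-checks all three signatures itself
    if not msg or "bank" not in msg or not cert_valid(msg["bank"]["cert"], anchors, "bank"):
        return False
    body = {k: msg[k] for k in ("tx", "employee", "approver")}
    return signed_by(msg["bank"]["cert"], body, msg["bank"]["sig"]) and staff_chain_valid(msg, anchors)

def setup(ca=None):  # constructed participants and a constructed transfer
    ca, keys = ca or OfflineCA(3), {}
    for subject, role in (("alice", "employee"), ("bob", "approver"), ("sending-bank", "bank")):
        sk, pk = keygen()
        keys[role] = (sk, ca.issue(subject, role, pk))
    return ca.anchors, keys, {"from": "ACCT-0001", "to": "ACCT-0002", "amount": "20000000.00", "currency": "USD"}

def honest_transfer():
    anchors, k, tx = setup()
    approved = approver_approve(employee_initiate(tx, *k["employee"]), *k["approver"])
    return receiving_bank_accepts(bank_countersign(approved, *k["bank"], anchors), anchors)

def tampered_after_approval():  # amount changed after step 2: step 3 refuses to countersign
    anchors, k, tx = setup()
    approved = approver_approve(employee_initiate(tx, *k["employee"]), *k["approver"])
    approved = {**approved, "tx": {**tx, "amount": "80000000.00"}}
    return receiving_bank_accepts(bank_countersign(approved, *k["bank"], anchors), anchors)

def stolen_bank_key_only():  # attacker holds the bank key and cert but no pinned staff certs
    anchors, k, _ = setup()
    _, rogue, tx = setup(OfflineCA(3))  # certs from the attacker's own CA, never pinned by the peer
    approved = approver_approve(employee_initiate(tx, *rogue["employee"]), *rogue["approver"])
    body = {kk: approved[kk] for kk in ("tx", "employee", "approver")}
    return receiving_bank_accepts({**body, "bank": {"cert": k["bank"][1], "sig": hexlist(sign(k["bank"][0], canonical(body)))}}, anchors)
```

      The check that carries the weight is step 4: the receiving bank does not take the sending bank's countersignature on trust but re-verifies the employee and approver certificates against its pinned anchors and insists that the two subjects differ, so a single compromised transfer credential, the situation in the story, is not enough on its own to push a payment through. The approver signs the employee's signature as well as the transaction, which binds step 2 to step 1 and makes the tampered case fail at the sending bank before it ever leaves.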

  15. Follow the money by Anonymous Coward · · Score: 2, Informative

    Here is what is going on at the receiving end.

    http://www.gmanetwork.com/news/story/558669/money/personalfinance/businessman-go-implicates-rcbc-officer-to-money-laundering-scheme

  16. Banks by Anonymous Coward · · Score: 0

    I would trust their bank long before I would trust Bank Of America.

  17. Holy crap, that was close! by sabbede · · Score: 1

    With credentials for the central bank, they could have collapsed the entire nation. Hell, they were going to steal almost a full 1% of the nation's GDP! 1% might not sound like much, but it would have been devastating.

  18. Common security key... by ripvlan · · Score: 1

    Good thing there wasn't a common security key like the FBI wants !!! :-P