Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Steal Bank's Crypto Credentials, But Are Foiled By Their Own Typo (reuters.com)

Posted by timothy on from the proofreading-is-chepa dept.

New submitter tlambert writes: Unknown persons stole Bangladesh Bank transfer credentials for payments via the international banking system, and then proceeded to start moving money to the Philippines and Sri Lanka. A human foiled the plot after ~$80M had been stolen with another $870M stopped, after they noticed the word 'foundation' misspelled in one of the requests. Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials. (Note: Bangladesh Bank isn't like Bank of America; it's the country's central bank.)

29 of 45 comments (clear)

  1. You always have to watch for fandamental errors by mykepredko · · Score: 2

    I got nothing to add after the pun in the subject line.

    --
    Mimetics Inc. Twitter
    1. Re:You always have to watch for fandamental errors by idbeholda · · Score: 1

      dankeykang.jpg

  2. RIP by Anonymous Coward · · Score: 2, Insightful

    A typo the source of an almost $1BILLION mistake? Someone's going to die behind this...

    1. Re:RIP by Noah+Haders · · Score: 3, Insightful

      Maybe they'll be hacked to death by a mob with meat cleavers in public in broad daylight. Oh wait that only happens to bloggers.

    2. Re:RIP by Koby77 · · Score: 2

      While the $1 billion theft was prevented, approximately $100 mil was still stolen. Not bad for a heist. Bangladesh is very angry, and will do anything at this point to blame others.

    3. Re:RIP by Razed+By+TV · · Score: 2

      Maybe, but I see something else: Hackers got 80 million that they can reinvest in training (like learning English) so they can be more effective in the future.

    4. Re:RIP by currently_awake · · Score: 1

      The whole point of banking credentials is so you can trust them. If the NSA wants to justify all their spying, this would make a good case to work on.

  3. modern security weakness is inbound signaling by jtayon · · Score: 1, Insightful

    Modern security especially for this kind of amount of money would really worth having an out of bond validation of money transfer.

    Not taxing transaction does not means that transactions should have non null costs. So de facto the minimal tax that should be imposed to money transactions on the internet MUST be a strong real authentication of the persons out of the internet plan to validate transactions.

    Else, we are just letting frauders have a good incentive to cheat. Especially since the victims are all forced to pay by subscribing insurance covering internet frauds thus internet payment actors have no incentive to stop the fraud since it is pumping their bebefits.

    1. Re:modern security weakness is inbound signaling by pla · · Score: 1

      especially for this kind of amount of money

      80 million shuffling between central banks amounts to chump change. Even the full billion would barely raise eyebrows (less than 1% of the GDP of Bangladesh).

    2. Re:modern security weakness is inbound signaling by Anonymous Coward · · Score: 1

      Losing 1% of your country's GDP would be a huge deal. That would mean 1 in 100 people being out of a job.

    3. Re:modern security weakness is inbound signaling by Barny · · Score: 2

      I am sorry, 1% of a country's GDP is ALWAYS a lot of money. Well, except Greece. But for most, transferring such a large sum to a foreign, private destination should be a huge red flag.

      --
      ...
      /me sighs
  4. Sounds like something Michael Bolton would do by NormalVisual · · Score: 3, Funny

    He always messes up some mundane detail.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
    1. Re:Sounds like something Michael Bolton would do by jaxn · · Score: 1

      Ugh no moderation points. Funny nonetheless.

      --


      "Being alive is a crock of shit." --Kilgore Trout
  5. Bank of America? by darthsilun · · Score: 3, Informative

    (Note: Bangladesh Bank isn't like Bank of America; it's the country's central bank.)

    Bangladesh Bank is like the US Federal Reserve; it's the country's central bank.

    fixed that for you.

  6. Re:How deep is U.S. Fed involvement by Anonymous Coward · · Score: 1

    The Fed provides a variety of services to more than 200 foreign central banks, foreign governments and international official institutions.
    https://www.newyorkfed.org/aboutthefed/fedpoint/fed47.html

    Yes, remember when you bitch about "the bankers' that for most of the world, WE are the bankers

  7. The solution to these problems is... by Adeptus_Luminati · · Score: 2

    ... to create a private and permission based blockchain between banks a la R3CEV.COM with so far 46 banks. This way, when the keys get compromised, that hacker can be the richest person in the world.

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
  8. Re:How deep is U.S. Fed involvement by requerdanos · · Score: 2

    Yes, remember when you bitch about "the bankers' that for most of the world, WE are the bankers

    I am not a banker. Never have been.

  9. ohhh... by nult · · Score: 1

    Things that make ya go ohhhhhhhhh! Im guessing the guy/girl who made the typo will be kicked out of their h@ck3r club..haha

    1. Re:ohhh... by rtb61 · · Score: 1

      More like insider job likely with the backing of corrupt intelligence services. Once you get to that level, you are will outside the scope of amateur hackers. By far the majority of high level hacks will be government intelligence contractors (the inherent nature of the people they recruit) and actual government agents, the more corrupt the government the far more likely that is to happen. So pretty much a solid indication of how much private interests must protect themselves from government invasion, especially as that invasion is global, the whole worlds governments, from the mostly honest to the mostly corrupt, all of them represent a risk. All it takes is one corrupt individual from the most honest government to shift the knowledge for a fee and a percentage to the most corrupt government and any back door becomes a front door (whether that back door was a bug or a secret insertion or a purposeful insertion).

      --
      Chaos - everything, everywhere, everywhen
  10. Re:authentication fail by BronsCon · · Score: 1

    This. It's almost like they don't want anyone trusting their credentials ever. I'd be game for that, actually.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  11. Bangladesh bank isn't like Bank of America by Opportunist · · Score: 1

    I fully expected that sentence to end with "they usually know how to spell security".

    Not because I know the BB, but I know the BoA.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Re:authentication fail by MachineShedFred · · Score: 1

    How dare you trust the credentials that were stolen from us! You should have known they were stolen, even though we didn't even know!

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  13. Re:authentication fail by WarJolt · · Score: 1

    That kind of capital is chump change for the Fed. For these foreign banks it's a lot of money. You'd expect that kind of money transfer to trigger some sort of alert before it goes through, but the Fed isn't in the business of bailing out foreign banks. I'm sure domestic banks is another story.

    There is always some engineer or IT guy with the keys to the kingdom at these banks with potentially more power than Janet Yellen.

  14. Follow the money by Anonymous Coward · · Score: 2, Informative

    Here is what is going on at the receiving end.

    http://www.gmanetwork.com/news/story/558669/money/personalfinance/businessman-go-implicates-rcbc-officer-to-money-laundering-scheme

  15. Re:Fraud by sysrammer · · Score: 1

    Foreign people involved in fraud always mispell shit.

    ...or, at least, that's what they want you to think.

    --
    His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  16. Re:authentication fail by niftymitch · · Score: 1

    Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials.

    Wat?

    The FBI wants into this... clearly they used and iPhone.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  17. Re:authentication fail by BronsCon · · Score: 2

    And there are transaction rollback procedures in place in case that engineer or IT guy misbehaves. If Bangledesh Bank hadn't revoked the credentials, then why should the Federal Reserve bank not have trusted them? Your transaction credentials are your identity in the banking system; telling another bank not to trust your (valid and not revoked or reported compromised) credentials is effectively telling them not to trust you. I'll repeat myself: if that's what Bangledesh Bank wants, it's what they should get. they don't want their credentials to be trusted by foreign banks, let foreign banks not trust them, remove them from the world banking system, and see how long it takes them to take responsibility for their own security, fix the issue that allowed this in the first place, and come begging to once again participate in the world banking system. I give them a day or two to take responsibility and start begging, before being told to fix their shit and try again, a year or so to fix it (we're talking about government, i'm being generous), and another year to redevelop their relationships with the rest of the world banks.

    You don't play soccer without a cup, then blame the other players, take your ball, and go home when you get a cleat to the nuts. That's basically what Bangledesh is doing here.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  18. Holy crap, that was close! by sabbede · · Score: 1

    With credentials for the central bank, they could have collapsed the entire nation. Hell, they were going to steal almost a full 1% of the nation's GDP! 1% might not sound like much, but it would have been devastating.

  19. Common security key... by ripvlan · · Score: 1

    Good thing there wasn't a common security key like the FBI wants !!! :-P