Slashdot Mirror


Hackers Steal Bank's Crypto Credentials, But Are Foiled By Their Own Typo (reuters.com)

New submitter tlambert writes: Unknown persons stole Bangladesh Bank transfer credentials for payments via the international banking system, and then proceeded to start moving money to the Philippines and Sri Lanka. A human foiled the plot after ~$80M had been stolen with another $870M stopped, after they noticed the word 'foundation' misspelled in one of the requests. Bangladesh, meanwhile, is blaming the U.S. Federal Reserve for trusting their credentials. (Note: Bangladesh Bank isn't like Bank of America; it's the country's central bank.)

12 of 45 comments

  1. You always have to watch for fandamental errors by mykepredko · · Score: 2

    I got nothing to add after the pun in the subject line.

  2. RIP by Anonymous Coward · · Score: 2, Insightful

    A typo the source of an almost $1BILLION mistake? Someone's going to die behind this...

    1. Re:RIP by Noah+Haders · · Score: 3, Insightful

      Maybe they'll be hacked to death by a mob with meat cleavers in public in broad daylight. Oh wait that only happens to bloggers.

    2. Re:RIP by Koby77 · · Score: 2

      While the $1 billion theft was prevented, approximately $100 mil was still stolen. Not bad for a heist. Bangladesh is very angry, and will do anything at this point to blame others.

    3. Re:RIP by Razed+By+TV · · Score: 2

      Maybe, but I see something else: Hackers got 80 million that they can reinvest in training (like learning English) so they can be more effective in the future.

  3. Sounds like something Michael Bolton would do by NormalVisual · · Score: 3, Funny

    He always messes up some mundane detail.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas

  4. Bank of America? by darthsilun · · Score: 3, Informative

    (Note: Bangladesh Bank isn't like Bank of America; it's the country's central bank.)

    Bangladesh Bank is like the US Federal Reserve; it's the country's central bank.

    fixed that for you.

  5. The solution to these problems is... by Adeptus_Luminati · · Score: 2

    ... to create a private and permission based blockchain between banks a la R3CEV.COM with so far 46 banks. This way, when the keys get compromised, that hacker can be the richest person in the world.

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.

  6. Re:How deep is U.S. Fed involvement by requerdanos · · Score: 2

    Yes, remember when you bitch about "the bankers" that for most of the world, WE are the bankers

    I am not a banker. Never have been.

  7. Follow the money by Anonymous Coward · · Score: 2, Informative

    Here is what is going on at the receiving end.

    http://www.gmanetwork.com/news/story/558669/money/personalfinance/businessman-go-implicates-rcbc-officer-to-money-laundering-scheme

  8. Re:modern security weakness is inbound signaling by Barny · · Score: 2

    I am sorry, 1% of a country's GDP is ALWAYS a lot of money. Well, except Greece. But for most, transferring such a large sum to a foreign, private destination should be a huge red flag.

    --
    ...
    /me sighs

  9. Re:authentication fail by BronsCon · · Score: 2

    And there are transaction rollback procedures in place in case that engineer or IT guy misbehaves. If Bangladesh Bank hadn't revoked the credentials, then why should the Federal Reserve bank not have trusted them? Your transaction credentials are your identity in the banking system; telling another bank not to trust your (valid and not revoked or reported compromised) credentials is effectively telling them not to trust you. I'll repeat myself: if that's what Bangladesh Bank wants, it's what they should get. They don't want their credentials to be trusted by foreign banks, let foreign banks not trust them, remove them from the world banking system, and see how long it takes them to take responsibility for their own security, fix the issue that allowed this in the first place, and come begging to once again participate in the world banking system. I give them a day or two to take responsibility and start begging, before being told to fix their shit and try again, a year or so to fix it (we're talking about government, I'm being generous), and another year to redevelop their relationships with the rest of the world banks.

    You don't play soccer without a cup, then blame the other players, take your ball, and go home when you get a cleat to the nuts. That's basically what Bangladesh is doing here.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.