$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack

Earlier this a year, a spelling mistake in an online bank transfer prevented nearly $1 billion heist at Bangladesh's central bank and the New York Fed. The hackers, however, still had managed to steal about $80 million. Bangladesh government blamed the New York Fed for not spotting the suspicious transactions earlier. As it turns out, they should also be taking some blame, if not all. An anonymous reader writes: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said. The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.

Make the 81M come of the VP's bonus

[Joe_Dragon]

Make the 81M come of the VP's bonus.

That $10 switch seems alot of like some cost reduction yahoo is calling the shots and does not want to pay for the needed costs to due it right.

Re:Make the 81M come of the VP's bonus

[anegg]

Ok - after reading the article, I think they might not have had any security architecture whatsoever. No compartmentalization of data flows. No firewall. Probably no monitoring. And judging from the comments, no traffic accounting/auditing capability.

It seems like they had no understanding of the IT risks at all.

Re:Make the 81M come of the VP's bonus

[l0n3s0m3phr34k]

That article is crap lol. This article is far more interesting... Like how one of the security researches was abducted for several days, "malware was specifically designed to hijack access to the Swift network", Bangladesh Finance Minister A.M.A Muhith saying local banking officials were "100 percent" involved in the scandal, Rizal Commercial Banking Corporation (RCBC) President and CEO Lorenzo Tan ordering people to "move the money", how much of it has already been converted into Chinese casino chips, etc. This would make a great movie, it's so convoluted and messed up lol. It's even got "a man previously linked to illegal drug operations, Kim Wong, as the mastermind." per Philippines Senator Sergio Osmeña.

Confusion?

Headline states $10 router, but story states $10 switches. Who's not paying attention?

Re:Irrelevant information

[ledow]

I work in a school.

Our switches cost 2000 GBP each, and we have a firewall that costs on the same order. They have features you cannot get on anything cheaper (RADIUS, et al are "freebie" features nowadays - we're talking direct MDM on the switch and all kinds of security).

The question is not "was the $10 switch to blame?" but "why would you ever use a $10 switch anyway?" These people are storing money thousands of times more than anything we ever have to deal with, for thousands more customers than we will ever have, with thousands of times more budgets than I will ever see.

And their stuff isn't even from the "19" rack networking" section of the catalogue. It's from the "bargain buys for home uses to 'double up' their network cables" section.

Additionally, I'm bound by PCI DSS standards which demand things like firewalls and antivirus EVEN IF there's no need for them. I promise you. And IDS and IPS and separated networks and all kinds of security. That's just to TAKE a credit card payment to pass onto the bank. The banks themselves aren't then doing more?

It's got nothing to do with what could be true at the bank. It's about not even trying to follow industry best practices, let alone actually getting close to them.