Slashdot Mirror

← Back to Stories (view on slashdot.org)

Some Bangladesh Bank Officials Involved In Heist, Says Investigator (reuters.com)

Posted by msmash on from the how-it-all-happened dept.

Ruma Paul, reporting for Reuters: Some Bangladesh central bank officials deliberately exposed its computer systems and enabled hackers to steal $81 million from its account at the Federal Reserve Bank of New York in February, a top investigator in Dhaka told Reuters on Monday. The comments by Mohammad Shah Alam of the Dhaka police are the first sign that investigators have got a firm lead in one of the world's biggest cyber heists. Arrests are soon likely, he said. On Thursday, the head of a Bangladesh government panel that investigated the heist said five bank officials were guilty of negligence but that they were only unwitting accomplices. Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions.Early this year, hackers targeted Bangladesh's central bank to get away with $1bn. At the time, it was reported that the gang behind the raid used stolen credentials to make requests to transfer cash look legitimate. If all the requests had gone unchallenged, the gang would have got away with about $1bn. However, the transfers were stopped when the volume of requests raised suspicions at other banks.

26 comments

  1. Amateurs... by Ecuador · · Score: 3, Insightful

    Amateurs... If they had only been collecting the rounding errors from the transactions they would have eventually pulled that cool $1bn without anyone knowing...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  2. Heard of "Check 21"? by Anonymous Coward · · Score: 0

    See subject: That's where banks no longer verified vs. "NSF" (insufficient funds or illegal instruments) on checks - so if you as the depositor cash one YOU are liable.

    * NOW, think about this - It'd actually be possible for banks themselves to be BEHIND such machinations "making bank" on them @ YOUR EXPENSE (if you're stupid enough to NOT check for it being NSF or part of a fraudulent series of say, money orders). Think about it - they could be setting clients up making these things happen.

    Banks justify this negligence putting the risk on you the client of said by saying "it speeds up transactions" (yea for them good or bad, not you).

    After seeing this debacle? It wouldn't surprise me IF banks are doing THIS crap, this exact way & negligence + a bogus law helps it happen.

    APK

    P.S.=> I used to be a loss prevention mgr. ages ago (before my comp. sci. related career) & I spent a good portion of a day verifying these things (checks or money orders) & had a scammer try it on me (selling a vidcard on postaroo for $50 & he sent me $5,000 in bogus Western Union money orders I did a check on w/ WU myself, they were part of a known stolen series of these - So I blew him into the FBI immediately, he was caught & that was that - served him right)... apk

    1. Re:Heard of "Check 21"? by AchilleTalon · · Score: 2

      They were transfering funds from their own account. There was nothing else to check for. They were authorized to make the transfer with their own (well, not their own, but the bank) money. I guess they believed they could held the Federal Reserve in New York responsible for a security hole or they believed they could vanish in the sky with the money before being catched. But in either case, it wasn't an insufficient funds or illegal instruments case. They were perfectly legit to make the transfer since they were accessing their own Swift account and network to transfer funds from their own accounts.

      --
      Achille Talon
      Hop!
    2. Re:Heard of "Check 21"? by nitehawk214 · · Score: 1

      It is the same reason there is no security whatsoever behind paper checks. Bank's simply don't give a shit. It isn't their money.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    3. Re:Heard of "Check 21"? by AvitarX · · Score: 1

      We had our checks stolen at work.

      The bank fully refunded the fraudulently cashed ones.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:Heard of "Check 21"? by nitehawk214 · · Score: 1

      It isn't the (eventual) recovery that is the problem. Its the fact that the system is so wide open that this can happen in the first place.

      All someone needs is your account number and they can empty your account. The check does not even need your (or your business') name on it.

      Banks simply have no interest in putting together a better system than the ancient check system.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    5. Re:Heard of "Check 21"? by AvitarX · · Score: 1

      Why was that a problem, it was quick recovery, and clearly the rare case of check fraud is cheaper than developing a new system.

      All sorts of contracts are easy to breach, but our legal system keeps fraud fairly low in the scheme of things.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    6. Re:Heard of "Check 21"? by nitehawk214 · · Score: 1

      It took a month of harassing the bank until they gave me my money back. In the meantime nearly every penny I had was gone. Luckily I make enough in a month to cover all my bills. In the end it was shaming them on social media that actually got a bank manager to call me.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  3. Huh? by Threni · · Score: 1

    Not really IT news, and kind of obvious. I mean, i guess it involves IT equipment, but so does shopping. Is Slashdot eventually going to become a repository for every single story going?

    1. Re:Huh? by TWX · · Score: 1

      At least there's an IT administration angle here. Compared to the dark days of Dice this is quite the improvement.

      --
      Do not look into laser with remaining eye.
    2. Re:Huh? by hey! · · Score: 1

      Slashdot is not has never been an IT news site. However this is definitely IT news. Systems need to be designed to prevent or detect collusion, and this kind of thing is a natural part of a system's risk assessment.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  4. Obvious from the beginning by AchilleTalon · · Score: 2

    That was obvious from the beginning there was some kind of in side collaboration to crack the Swift network. This is not possible otherwise and it was surely not a security problem with the router as many said in February that may have open the door. Everything is encrypted from the beginning, there is nothing gain from a router hack if you don't already have the encryption keys.

    --
    Achille Talon
    Hop!
    1. Re: Obvious from the beginning by Anonymous Coward · · Score: 0

      How is this possible? How can they not know where the money was transferred to? Why can't the transfer be rolled back? This isn't cash and it isn't decentralized in the Bitcoin sense either. I don't get it.

    2. Re: Obvious from the beginning by AchilleTalon · · Score: 1

      Who? The Federal Reserve? It's not its money. The transfer order was legit. The Federal Reserve cannot refuse to transfer funds it is not actually owning. The Bangladesh bank can transfer it where ever it wants. It is not the Federal Reserve business to refuse or set any other conditions. They have no authority to rollback anything. In fact, a Swift transaction cannot be rolled back. You make another transaction to transfer funds from to original destination back to the original source if it is still at the destination. There was many destinations btw. They probably transferred multiple times the money from many accounts until the bank has no more authority to get it back or it becomes too hairy giving some time to people to actually withdraw in cash the money.

      --
      Achille Talon
      Hop!
    3. Re: Obvious from the beginning by Anonymous Coward · · Score: 0

      Baloney. $80 million or $8 million.

    4. Re: Obvious from the beginning by Anonymous Coward · · Score: 0

      SWIFT is designed to provide nonrepudiation on funds allocation, not even transfer. Basically, many large banks hold each others' money. SWIFT creates a method for transferring that money without the hassle of wires. Bangladesh central bank's SWIFT authorized the movement of the money in had deposited at the Fed.

  5. Reverse Karma? by Tablizer · · Score: 1

    They got burned by insourcing.

    --
    Table-ized A.I.
  6. management finally getting punished. by Gravis+Zero · · Score: 1

    five bank officials were guilty of negligence but that they were only unwitting accomplices. Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions.

    Sure sounds like some bank officials wanted the typical security exemptions of management and that it really bit them in the ass this time. Bangladesh isn't known for it's leniency and frankly, I hope they throw the book at them.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:management finally getting punished. by khz6955 · · Score: 1

      @Gravis Zero: "Sure sounds like some bank officials wanted the typical security exemptions of management and that it really bit them in the ass this time. Bangladesh isn't known for it's leniency and frankly, I hope they throw the book at them."

      If they were inside accomplices then why the need to hack the Windows desktops that performed the SWIFT transactions?

    2. Re:management finally getting punished. by Gravis+Zero · · Score: 1

      If they were inside accomplices then why the need to hack the Windows desktops that performed the SWIFT transactions?

      do you not know what an unwitting accomplice is? the internet has answers.

      --
      Anons need not reply. Questions end with a question mark.
  7. Vulnerabilities in bank's connection to the SWIFT by khz6955 · · Score: 2

    "some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions."

    I thought the vulnerabilities were introduced by emailing them malware that reprogrammed their Windows desktops to perform unauthrorzed transactions and prevented the Oracle database from printing out an acknowlegment of the transactions. The hack consisted of altering two bytes in a running Windows process.

  8. Don't care what anyone thinks, I liked it... by Anonymous Coward · · Score: 0

    Amateurs... If they had only been collecting the rounding errors from the transactions they would have eventually pulled that cool $1bn without anyone knowing...

    I saw a docudrama about something similar to this once. It went well until the evil boss caught the employee and convinced him to build an evil supercomputer.

    As I recall, it almost turned out quite badly.

    1. Re:Don't care what anyone thinks, I liked it... by Yvan256 · · Score: 1

      The evil boss caught the employee because he made stupidly expensive, obvious purchases with his rounding errors.

  9. Re:Vulnerabilities in bank's connection to the SWI by FeelGood314 · · Score: 1

    Correct. The hack wasn't on the SWIFT network. No one broke SWIFT's security or forged transactions. They used legitimate authorized systems to send valid commands to the SWIFT network. It was the Bangladesh central bank's security and audit systems that were by-passed.

  10. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  11. But Bangladesh is just like white countries! by Anonymous Coward · · Score: 0

    The Jew media keeps telling me so, over and over...

    What, you mean Bangladesh is a corrupt, shit encrusted third world HELLHOLE because of the RACE of the people who live there? Never! It's the LANDMASS itself that makes them corrupt, ugly, pointless, futile wastes of space. It must be! The TV said so!