Slashdot Mirror
Some Bangladesh Bank Officials Involved In Heist, Says Investigator (reuters.com)
Ruma Paul, reporting for Reuters: Some Bangladesh central bank officials deliberately exposed its computer systems and enabled hackers to steal $81 million from its account at the Federal Reserve Bank of New York in February, a top investigator in Dhaka told Reuters on Monday. The comments by Mohammad Shah Alam of the Dhaka police are the first sign that investigators have got a firm lead in one of the world's biggest cyber heists. Arrests are soon likely, he said. On Thursday, the head of a Bangladesh government panel that investigated the heist said five bank officials were guilty of negligence but that they were only unwitting accomplices. Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions.Early this year, hackers targeted Bangladesh's central bank to get away with $1bn. At the time, it was reported that the gang behind the raid used stolen credentials to make requests to transfer cash look legitimate.
If all the requests had gone unchallenged, the gang would have got away with about $1bn.
However, the transfers were stopped when the volume of requests raised suspicions at other banks.
Amateurs... If they had only been collecting the rounding errors from the transactions they would have eventually pulled that cool $1bn without anyone knowing...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
Not really IT news, and kind of obvious. I mean, i guess it involves IT equipment, but so does shopping. Is Slashdot eventually going to become a repository for every single story going?
That was obvious from the beginning there was some kind of in side collaboration to crack the Swift network. This is not possible otherwise and it was surely not a security problem with the router as many said in February that may have open the door. Everything is encrypted from the beginning, there is nothing gain from a router hack if you don't already have the encryption keys.
Achille Talon
Hop!
They got burned by insourcing.
Table-ized A.I.
They were transfering funds from their own account. There was nothing else to check for. They were authorized to make the transfer with their own (well, not their own, but the bank) money. I guess they believed they could held the Federal Reserve in New York responsible for a security hole or they believed they could vanish in the sky with the money before being catched. But in either case, it wasn't an insufficient funds or illegal instruments case. They were perfectly legit to make the transfer since they were accessing their own Swift account and network to transfer funds from their own accounts.
Achille Talon
Hop!
It is the same reason there is no security whatsoever behind paper checks. Bank's simply don't give a shit. It isn't their money.
I'm a good cook. I'm a fantastic eater. - Steven Brust
We had our checks stolen at work.
The bank fully refunded the fraudulently cashed ones.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
five bank officials were guilty of negligence but that they were only unwitting accomplices. Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions.
Sure sounds like some bank officials wanted the typical security exemptions of management and that it really bit them in the ass this time. Bangladesh isn't known for it's leniency and frankly, I hope they throw the book at them.
Anons need not reply. Questions end with a question mark.
"some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions."
I thought the vulnerabilities were introduced by emailing them malware that reprogrammed their Windows desktops to perform unauthrorzed transactions and prevented the Oracle database from printing out an acknowlegment of the transactions. The hack consisted of altering two bytes in a running Windows process.
It isn't the (eventual) recovery that is the problem. Its the fact that the system is so wide open that this can happen in the first place.
All someone needs is your account number and they can empty your account. The check does not even need your (or your business') name on it.
Banks simply have no interest in putting together a better system than the ancient check system.
I'm a good cook. I'm a fantastic eater. - Steven Brust
The evil boss caught the employee because he made stupidly expensive, obvious purchases with his rounding errors.
Why was that a problem, it was quick recovery, and clearly the rare case of check fraud is cheaper than developing a new system.
All sorts of contracts are easy to breach, but our legal system keeps fraud fairly low in the scheme of things.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Correct. The hack wasn't on the SWIFT network. No one broke SWIFT's security or forged transactions. They used legitimate authorized systems to send valid commands to the SWIFT network. It was the Bangladesh central bank's security and audit systems that were by-passed.
Comment removed based on user account deletion
It took a month of harassing the bank until they gave me my money back. In the meantime nearly every penny I had was gone. Luckily I make enough in a month to cover all my bills. In the end it was shaming them on social media that actually got a bank manager to call me.
I'm a good cook. I'm a fantastic eater. - Steven Brust