Lessons from the Bangladesh Central Bank Heist
By now, you’ve probably heard about the massive cyber attack that hit Bangladesh’s central bank last month, resulting in the loss of $81 million through fraudulent transfers to accounts in the Philippines. Although the size and scale of this cyber heist were unprecedented, cybercrime targeting ACH (Automated Clearing House) financial transactions is nothing new. Financially motivated hackers regularly target ACH systems.
But the Bangladesh attack was noteworthy because it called attention to the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, the financial messaging services system that many of the world’s banks rely on to coordinate and communicate about automated financial transfers. According to its website, SWIFT’s messaging services are used by more than 11,000 financial institutions in more than 200 countries. The system is designed to enable “secure, seamless and automated financial communication between users” via a standardized protocol.
In the Bangladesh Bank cyber-heist, hackers apparently found a way to access the bank’s computer network, used malware to target computers that process and authorize transactions, and ultimately stole credentials allowing them to remotely send messages with transfer instructions through the bank’s SWIFT terminal. According to news reports, the hackers’ “payment instructions” were authenticated by the SWIFT message system, making it harder for recipients of the messages to detect the fraud.
Following the Bangladesh Bank incident, SWIFT issued emergency advice to the world’s banks on cybersecurity, urging them to review their own security controls. On March 21, SWIFT issued a written advisory and began calling banks to encourage them to “reinforce their local operating environments.”
This attack is a reminder of the persistent threat presented by hackers attempting to access automated systems that can authorize immediate transfers of huge sums of money. The incident also highlights the ever-growing need for heightened security and strong security protocols throughout an organization. As the saying goes, you’re only as safe as your weakest link, and that was indeed the case for the Bangladesh central bank. The ongoing investigation into the Bangladesh Bank’s system and procedures indicates that the bank’s internal SWIFT system may have been made more vulnerable after it was linked to a common payment platform meant for the country’s commercial banks. Again, it’s a reminder that any device linked to your computer system has the potential to create a new vulnerability.
And financial regulators have reported that “the financial industry’s reliance on third-party service providers for critical banking and insurance functions [is] a continuing challenge” to cybersecurity. For many companies, these third parties include dozens of vendors and business partners. As you’re thinking about your organization’s cybersecurity and controls, it’s important to also evaluate the risks posed by third parties with access to your systems.