WASHINGTON, DC: It’s a big story that has stayed beneath the radar of most American media. Somehow, cyber criminals stole $81 million from Bangladesh’s central bank (its Federal Reserve). The theft surely qualifies as one of the biggest cyber heists ever. It’s also a reminder that the world’s financial systems remain vulnerable to cyberattacks from groups or countries more interested in making war — disrupting societies — than money.
Still, money is the big draw. “The financial system is the primary target of the most sophisticated cyber criminals,” says James Lewis, a cyber expert at the Center for Strategic and International Studies (CSIS), a Washington think tank. “This is where the biggest payoffs are. Banks are under constant siege [from hackers].”
Just what happened here isn’t clear. The money moved from Bangladesh’s account at the Federal Reserve Bank of New York to private accounts in the Philippines, from which it was channeled to other accounts, including those of some gambling operations and a casino. Authorities have been frustrated in following the trail further, because casinos there are not subject to the country’s anti-money-laundering laws. (This description of the heist relies heavily on excellent stories in The Wall Street Journal.)
The New York Fed has disclaimed any responsibility for the fraudulent transfers. In a statement, it said:
“There is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question. … The payment instructions in question were fully authenticated … in accordance with standard authentication protocols.”
Assuming the Fed’s defense survives scrutiny, it suggests — but doesn’t prove — an inside job at Bangladesh Bank (the central bank’s official name) and at least one bank in the Philippines. Were people bribed to reveal the access codes or to overlook suspicious transfers? Did the criminals plant people inside the bank to orchestrate the theft? We don’t know.
At a hearing in Manila, it was alleged that a branch manager at one Philippine bank had more than $400,000 loaded into her car. Another source of confusion is that the theft occurred in February but wasn’t revealed — even to other parts of Bangladesh’s government — until March. After the disclosure, the head of the country’s central bank resigned.
What is known is that the scheme’s ambition far exceeded the $81 million that was transferred to the Philippines. The original goal was apparently about $1 billion to be conveyed through 35 separate transfers. Most of those transfers were never made.
Why? By one press version, doubts emerged when a word was misspelled on one transfer document. (The word “foundation” was spelled “fandation.”) By another story, the fact that so much money was going to private accounts stirred suspicions. It’s unclear whether someone at the New York Fed stopped the transfers and, if not, who did. Nor is it clear whether another $20 million was sent to Sri Lanka and the transaction was reversed, or whether the money was never sent.
Bangladesh Bank has hired an American cybersecurity firm, FireEye Inc., to solve the various mysteries. Among its early findings, according to The Wall Street Journal, is that the hackers may have penetrated the central bank’s computer system for several weeks before the transfers occurred. Possibly, 32 computers were compromised. This may explain how the access codes were obtained.
Whatever the final story, there are larger lessons. For starters, the New York Fed’s sweeping denial of responsibility is beside the point. Whatever the Fed’s direct involvement, it failed to spot a phony transaction before the funds were sent. Why was this? Can screening be improved?
What’s ultimately at stake is a stable global financial system. Financial networks depend on trust that what’s deposited won’t vanish, and that transactions are legitimate and not falsified. The loss of trust threatens to undermine payments networks and the reliability of financial record keeping. If criminals could do this to Bangladesh Bank, what could organized terrorists or hostile states do to advanced nations’ financial networks?
The theft confirms that most electronic networks are no stronger than their weakest links. “This tells us a lot about complex systems,” says Adam Segal, author of the recent book, “The Hacked World Order.” “Vulnerabilities constantly pop up somewhere in the chain,” he notes. “More connectivity” — making networks more useful — “means more vulnerabilities” — making networks more defenseless. This dilemma defines the Internet Age.
(c) 2016, The Washington Post Writers Group