Bank Heist Exposes Staggering Security Flaws

By WallStreetDaily.com

If you like stories about daring bank heists, you’re gonna love this.

One of the greatest thefts of all time occurred earlier this year – one where the robbers managed to escape with an impressive $80 million haul.

And yet, it could’ve been avoided so easily.

The story is an unusual combination of sophisticated genius and a grossly negligent lack of security and oversight by bumbling bankers.

In fact, the robbers could’ve actually made off with $900 million more.

So what happened?

The Most Ridiculous Thing You’ll Hear All Year

Details are still emerging, but the basic story is that hackers got the passwords of Bangladesh’s central bank to SWIFT – the international payments system used for global interbank transfers.

Now, SWIFT is obviously a very secure system – or it was until last month.

It’s a closed system, which means you can’t access it from the internet. To get in, you have to have control of one of the computers connected to its network. That’s where the robbers’ sophistication comes in.

They spent weeks infiltrating the Bangladeshi computers, logging keystrokes, learning passwords, figuring out how to get from the internet to a SWIFT-connected computer.

Needless to say, far from an easy task.

But it was made much easier, thanks to some staggeringly stupid behavior on the part of the Bangladesh Central Bank.

Normally, a connection from a secure to a non-secure computer is protected by a firewall – software written into computers, switches, and routers that detects which connection attempts are legitimate and which aren’t.

As you probably know, firewalls are so common these days that if you go to Best Buy and buy the cheapest computer, it will have a firewall pre-installed on it.

Ready for the blindingly stupid part?

The central bank had no such firewalls!

In fact, Reuters reported that it used old switches, which sell for about $10 each.

I’m sorry… I know Bangladesh is a poor country, but it can afford better security than that when it’s protecting $1 billion.

A “SWIFT” Getaway

Once into the SWIFT system, the robbers started sending requests to transfer nearly $1 billion from the Bangladesh Bank account at the New York Federal Reserve to banks in Sri Lanka and the Philippines.

At first, bankers in New York approved the transfers. Why wouldn’t they? They came over a secure network from a trusted, known connection.

But they eventually became suspicious. Why?

Because some of the requests were to personal bank accounts. This is a red flag, since large central bank transfers are generally to other central banks, other bank “house accounts,” and occasionally to large companies like defense contractors.

The Fed employees started to hold up the transfers and used SWIFT to ask the Bangladeshis for more information. But nobody answered.

It turns out that the weekend in Bangladesh is on Friday and Saturday – and most of Bangladesh’s bankers had gone home by the time the request came in.

The robbers also complicated matters by shutting down Bangladesh’s SWIFT terminals so that the skeleton crew on Fridays was unable to get into the system and see the Fed requests.

But that crew was able to get into the system on Saturday – at which point, it asked the Fed to stop all payments until things were cleared up.

But of course, Saturday is the weekend in the United States, too – and nobody saw those requests until Monday.

By the time the scheme was discovered, it was mostly too late.

How a Typo Cost $20 Million

Over $100 million of fraudulent transfers had been approved and the money had been withdrawn from the destination accounts.

One eagle-eyed banker in Sri Lanka did allow about $20 million to be recovered – but only because the robbers spelled the word “foundation” incorrectly on the transfer order.

Yep, a spelling error cost our brilliant (but stupid) culprits another $20 million!

The other $80 million is still missing. But where?

It was quickly removed from accounts in the Philippines and – believe it or not – used to buy casino chips.

This is where the robbers got crafty again.

You see, in almost every country where casinos are legal, they’re required to cooperate with banking authorities on money-laundering matters. Except in the Philippines. So nobody knows who bought the chips. This was a weakness in the banking system that had been known for years.

But this crime may yet be solved.

Fixes for a Flawed System

After all, $80 million is a big haul. Especially when it comes in the form of casino chips!

So even if they’re sold in the streets at a discount, a stream of people coming in and cashing in millions of chips might lead authorities back to the culprits.

Regardless of how this tale ends, however, it points to several weaknesses in the international banking system – weaknesses that cost real money and undermine confidence in the banking system.

But there are improvements that could be implemented to prevent another heist:

• There’s no doubt that the Bangladesh central bank’s security systems appear to be inexcusably weak. It’s probably not the only financial organization there with porous security, either. Other banks must start demanding audits on the systems so that a weak link in the security chain doesn’t cause a catastrophic failure somewhere else along the line.

• People need to monitor transactions around the clock. If that means staffing the bank on Friday in countries where Friday is a weekend day, so be it. And there needs to at least be a skeleton crew on hand at all times when there’s the possibility of a transaction occurring.

• Computers need to be smarter. It was only when Fed officials became suspicious of the recipients of the money that the alarm was raised. Computers should flag this. For large transactions, the recipient’s bank should be asked whether the destination account is one where a huge influx of money would be unusual – and that bank should be able to answer instantly, with no human intervention. If a credit card company can flag suspicious transactions for even small amounts, it should be a no-brainer to design a smart computer system for multi-million-dollar transfers.

• Get tough with money-laundering regulations. The Philippines declined to apply its rules to casinos because it wanted the industry to grow. But how about if the country were removed from the international banking system entirely for a few months? It wouldn’t take long for it to figure out that a single industry’s growth is less important than being involved in global trade and banking transactions.

The story also highlights the critical need for greater cyber security in general – no matter where it is.

And there’s the problem.

How to Take Advantage of a Growing Global Problem

Spending on cyber security is sorely lacking – both on the part of governments, banks, and corporations.

Yet security breaches are shooting 60% higher per year.

We’ve already seen the consequences of widespread, devastating cyber attacks many times – be they at government departments, banks, retailers, or elsewhere. It cripples productivity, compromises safety and security, and damages trust and loyalty.

The U.S. government calls cyber security “one of the most serious economic and national security challenges we face as a nation.”

You can see why, given that 90% of business assets are already digital, data generation continues to soar, and billions are pouring into the Internet of Things.
Everything is eventually going to be connected to the internet – and therefore, vulnerable to attack.

Power grids, banks, hospitals, cars, airplanes, communication networks… the consequences of a crippling security hack are frightening.

And it’s not just possible… it’s likely.

This is a massive problem that needs serious attention… NOW.

In our latest monthly issue of Digital Fortunes, we showed how investors can take advantage of this situation for profits via a super-diversified, market-leading investment. Go check it out here.

To living and investing in the future,

Greg Miller

The post Bank Heist Exposes Staggering Security Flaws appeared first on Wall Street Daily.