The February 2016 Bangladesh Bank heist will be remembered as one of the most audacious (and successful) payment fraud operations in history. It struck at the heart of the banking world, impacting one of the very foundations upon which the international fund transfer process has been built – the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. And yet, it was a spelling error that saved the international banking system an estimated $850 million.
The heist illustrates that, with the right access, a well-planned payments fraud operation is simple and can prove extremely lucrative. The payment fraud activity itself poses pertinent questions:
1. Foremost, how did it happen?
2. What is SWIFT doing about it?
3. How big is the modern-day hacking problem?
The operation in early February succeeded in siphoning a substantial amount of money from the international banking system before an eagle-eyed operative at Deutsche Bank spotted an error: a request for funds from a Sri Lanka-based non-profit called the Shalika Foundation was received with “foundation” misspelled as “fandation”. It, and 30 other similar requests, were stopped immediately, but not before the SWIFT system had been hit for $81 million.
A key point here is that SWIFT’s core payments messaging system was not breached; the hackers instead exploited a now-evident vulnerability (together with great timing) in the member banks’ own connections to the SWIFT network.
A statement from SWIFT explained how the hackers exploited vulnerabilities in banks’ funds-transfer initiation environments, before messages were sent over SWIFT:
“The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”
Ominously the statement asserts that the “attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber-attacks, or a combination of both.”
The Bangladesh heist was not an isolated incident
International payment fraud is a constant problem that shows no signs of abating.
In mid-May SWIFT also acknowledged that the Bangladesh Bank heist was not an isolated breach, when it revealed that a second major bank had been affected by malware from the same campaign, this time targeting a PDF reader.
“We have now learnt more about a second instance in which malware was used – again directed at banks’ secondary controls, but which in this instance targets a PDF Reader used by the customer to check its statement messages. Forensic experts believe this new discovery evidences that the malware used in the earlier [February 2016] reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.”
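Both SWIFT statements above describe the same second step: once a fraudulent transfer is in flight, the attackers alter the statements or confirmations (here, via the PDF reader used to view them) so the victim’s secondary control shows nothing wrong. The defensive counter is to reconcile against records the compromised machine cannot edit: the business-side list of authorised payments and a copy of the statement obtained over an independent channel. The following is an added illustration, not code from SWIFT or from any bank; the message layout, field names and all transactions are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    ref: str          # transaction reference
    amount: int       # amount in minor units (e.g. cents)
    currency: str
    beneficiary: str

def reconcile(authorised, statement):
    """Compare a statement against the business-side list of authorised
    payments (kept outside the messaging interface). Returns refs that were
    never authorised, refs whose details differ, and authorised refs that
    the statement does not show."""
    auth = {e.ref: e for e in authorised}
    seen = {e.ref: e for e in statement}
    unauthorised = {r for r in seen if r not in auth}
    altered = {r for r in seen if r in auth and seen[r] != auth[r]}
    missing = {r for r in auth if r not in seen}
    return {"unauthorised": unauthorised, "altered": altered, "missing": missing}

def tampered_refs(local_copy, oob_copy):
    """Refs whose entries differ between the statement as rendered on the
    local workstation and the copy fetched over an independent channel.
    Any difference means one of the two copies has been altered."""
    return {e.ref for e in set(local_copy) ^ set(oob_copy)}

# Constructed sample data; none of these are real transactions.
AUTHORISED = [
    Entry("TRN001", 100_000, "USD", "Supplier A"),
    Entry("TRN002", 250_000, "USD", "Supplier B"),
]
# What the compromised statement reader displays: everything looks normal.
LOCAL_STATEMENT = list(AUTHORISED)
# What the correspondent bank actually booked, obtained out of band.
OOB_STATEMENT = [
    Entry("TRN001", 100_000, "USD", "Supplier A"),
    Entry("TRN002", 2_500_000, "USD", "Supplier B"),    # amount changed
    Entry("TRN003", 20_000_000, "USD", "Unknown NGO"),  # never authorised
]

if __name__ == "__main__":
    print("local copy :", reconcile(AUTHORISED, LOCAL_STATEMENT))
    print("out-of-band:", reconcile(AUTHORISED, OOB_STATEMENT))
    print("tampered   :", tampered_refs(LOCAL_STATEMENT, OOB_STATEMENT))
```

Reconciling only against the local copy reports nothing, which is exactly the blind spot the tampering creates; the out-of-band copy surfaces both the altered amount and the unauthorised transfer.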
As a Senate investigation into the heist concluded in the Philippines (where the vast majority of the $81 million siphoned in the heist was rerouted), two Reuters reports have shed some light on what may have happened.
The first indicates that Bangladesh’s Criminal Investigation Department wants to interview the SWIFT technicians who connected a new bank transaction system just months before the February heist. Investigators believe the technicians introduced some vulnerabilities when they connected SWIFT to Bangladesh’s first real-time gross settlement (RTGS) system. RTGS interbank settlement occurs throughout the day, rather than just at the end of the day as has traditionally been the case. It is possible that the SWIFT technicians introduced vulnerabilities into the Central Bank systems when they implemented the RTGS project, but this may be nothing more than a convenient line of investigation for the Bangladeshi authorities. Time will tell.
The second report quotes the Bangladesh Ambassador to the Philippines, in giving evidence to a Senate investigation in Manila, as stating that a high-level Bangladeshi central bank official’s computer was used by the hackers.
“One of our bank officials who is in the group that makes payments, that passes the payment instructions, his computer was hacked,” Ambassador John Gomes was quoted as telling the Philippine Senate probe. “It was a Friday when the attack happened and the Bangladesh central bank is totally shut down. It was all sealed and no one goes to the bank on that day.”
The hackers not only understood the systems used to access SWIFT, but they also knew that payments staff at the Central Bank were in the habit of leaving their terminals logged in when they were not at work. That level of inside knowledge is impressive.
Payment fraud – sophisticated functionality
In the aftermath of this heist the British online security company BAE Systems stated in a company blog that they had “identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure.”
BAE Systems added that “the tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills.”
The wider lesson, according to BAE Systems, is that criminals are conducting more and more sophisticated attacks, particularly in the area of network intrusions. This malware was bespoke for the attack on the SWIFT Alliance Access software, SWIFT’s main payment messaging interface with 2,000 installations worldwide exchanging millions of files every day.
So, what was SWIFT’s proposed solution to this malware threat? SWIFT stressed again that “the key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats. Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.”
The Bangladesh Bank heist has been a sobering lesson for banking executives and underlines the fact that cyber and data security are critical to every bank’s reputation.
This well-crafted, and well-timed, hack shows that payment fraud can impact even the most sophisticated users of the international payment network. Remember the organisations involved here: the Federal Reserve Bank of New York (the recipient of the fraudulent requests), Bangladesh Bank (where the requests originated), Rizal Commercial Banking Corporation in the Philippines (the destination for the bulk of the fraudulent transactions) – all part of the SWIFT system, heralded as one of the world’s most secure international payment networks.
The mounting cost of payment fraud
Unlike this attack on banking security, most payment fraud operations, of course, target consumers, and some of the more sophisticated payment frauds can be incredibly hard to avoid or detect.
Right now, for example, there is a Trojan named GozNym running rampant across international banking systems. It is a hybrid of the well-known Gozi and Nymaim malware families.
The architect of the Gozi Trojan was recently sentenced to three years’ imprisonment by a New York court on computer hacking and fraud charges. Nikita Kuzmin (28), a Russian citizen, created Gozi and also created a marketplace for renting out the malware’s source code. Kuzmin was also ordered to repay $7 million, a figure that is believed to be a pittance in relation to how much the Gozi Trojan cost the international banking system.
In April 2016 GozNym was used to steal $4 million from U.S. and Canadian financial institutions and its architect(s) are now setting their sights on Europe. GozNym will claim more victims in the months ahead as chief security officers struggle to keep up.
In 2015 a CNN report – quoting Symantec and Verizon analysis – stated that there were 317 million pieces of malware created in one year, almost one million a day. Some win (all it takes is one click by an untrained employee on a malware-infected email) and some don’t, but those that succeed add up to astronomical amounts lost to payment fraud. Indeed, companies are estimated to lose $400 billion to hacking every year and are due to hit $170 billion in cyber-security costs by 2020.
Costs are rising as the attacks continue to increase. Time to ask yourself: how secure is your company’s data?
Fexco Corporate Payments uses major partner banks to distribute global payments safely and securely. Our online solution uses secure encryption and system users have authorisation restrictions that keep their information and funds protected. For a more secure & efficient payments experience for your business, call us today (Ireland: 1800 246 800 UK: 0800 840 2887) or register online without an obligation to trade.