Don't Blame the Fed: Bangladesh Seen at Fault for Bank Heistby and
`Relying on poor spelling should not be a security policy'
Finance minister has called central bank `very incompetent'
Instead of blaming the U.S. Federal Reserve after $101 million went missing, Bangladesh should look in the mirror.
That’s the conclusion of cyber security experts after a breach that saw funds from Bangladesh’s account at the New York Fed transferred to the Philippines and beyond. Attempts to withdraw another $850 million were foiled in part because the hackers misspelled the name of one of the recipients.
“Relying on poor spelling should not be a security policy,” Andrey Dulkin, a senior director at CyberArk, a Jerusalem-based cyber security company, said in an e-mail. “If the Bangladesh Bank had been monitoring the activity of these accounts, it could’ve quickly identified the anomalous behavior and not have been completely reliant” on third parties to flag suspicious activity, he said.
Bangladesh Finance Minister Abul Maal Abdul Muhith has lashed out at the Fed and his own central bank as the government leads a multi-country effort to retrieve the funds. Last week he accused the Fed of “irregularities” that led to the unauthorized money transfer and promised a legal battle. On Sunday, he called Bangladesh Bank’s handling of the situation “very incompetent."
There’s little dispute that Bangladesh could’ve done more to prevent a bold heist that is turning into a cautionary tale for central banks around the globe. The issue is particularly urgent for developing countries like Bangladesh that have seen growth rates and foreign reserves jump in recent years.
“All central banks have since looked into their systems," Sri Lanka central bank Governor Arjuna Mahendran said in an interview with Bloomberg Television in Singapore on Tuesday. “The messaging system with the Fed is under scrutiny. The key is people. They get lazy, they develop bad habits."
Bangladesh should be “very concerned" about the risk of copy-cat attacks, said Victor Keong, a partner at consultant Deloitte Touche Tohmatsu Ltd. in Singapore.
“It is quite shocking," Keong said. “If a central bank can have such lapses -- and it is the regulator -- then those it regulates might not be so well protected.”
While countries like Singapore, South Korea and Japan have introduced coherent cyber policies to protect their institutions, nations including Thailand and the Philippines needed to improve their defenses, according to 2015 rankings on “cyber maturity" published by the Canberra-based Australian Strategic Policy Institute, known as ASPI. Bangladesh, absent from the ranking in 2015, will be included this year.
“It is interesting that the Bangladeshi government came and finger wagged at the Fed to deflect attention from their own bank,” said Tobias Feakin, director of the national security program at ASPI.
The U.S., Canada, Norway, Brazil and Germany rank among the highest in a Global Cybersecurity Index published by ABI Research and the International Telecommunication Union. Toward the bottom are smaller less developed economies, including Cambodia, Cuba and Honduras.
A Fed spokeswoman said last week that instructions to make payments from the Bangladesh central bank’s account followed protocol and were authenticated by the SWIFT codes system commonly used for international transactions. There were no signs the Fed’s systems were hacked, she said.
Malicious software code, known as malware, had been introduced into the bank’s systems in January without the knowledge of the bank’s information systems staff, according to an official familiar with the Bangladesh Bank investigation. The hackers struck the systems on Feb. 4, said the official, who declined to be named because he’s not authorized to speak about the probe.
“We don’t know how the malware got into the system, but there seemed already to be high-level understanding of how this bank operated and information about the people going in and out,” said Feakin from ASPI. “With cyber, it will always be the case of targeting the weakest link.”
Bangladesh Bank is investigating eight officials who carry out foreign exchange transactions by rotation, according to a Finance Ministry official who asked not to be identified because he’s not authorized to speak about the probe. Some of the officials found the central bank’s computer systems inoperative a day after the theft, but didn’t immediately inform their supervisors, the official said.
Bangladesh Bank said the integration of all modern protection systems on its information technology platform to prevent future cyber attacks “was progressing fast.”
Subhankar Saha, a spokesman for Bangladesh Bank, said it had no comment on the Finance Minister’s remarks accusing it of incompetence. The central bank has set up a forensic team led by Rakesh Asthana, chief executive officer of World Informatix, a Virginia-based cyber security company. The bank also hired Mandiant, a unit of U.S.-based cyber security firm FireEye Inc.
“Asia’s financial institutions face increasingly sophisticated cyber threat actors, and most need to improve their capabilities in order to better protect their systems,” said Bryce Boland, chief technology officer for Asia Pacific at FireEye.
The Philippines is also helping out following reports that the money ended up in Manila. Authorities are preparing charges and hope to return some of the stolen cash, Teresita Herbosa, the chairman of the Securities and Exchange Commission, told reporters in Manila on Monday.
In order to carry out the attack on the central bank, hackers would’ve had to target Bangladesh Bank system administrators and application accounts that would enable an attacker to operate inside its network and execute high volume transfers, said Dulkin from CyberArk.
He said the attack on Bangladesh Bank was similar in nature to recent attacks carried out by the Carbanak gang, which stole as much as $1 billion from banks and other financial institutions and described in a Feb. 2015 report by Kaspersky Lab, Russia’s biggest maker of antivirus software.
“Attackers look for the credentials that would enable them to reach their goals,” Dulkin said. “We can expect attacks of this nature to become more aggressive and cyber attackers in general to become bolder and more audacious, going after bigger targets for greater sums.”