Bangladesh bank heist made possible through poor security

If you use second-hand switches and fail to implement a firewall, you're asking for trouble.


Bangladesh's major bank was an easy target for cyberattackers to steal $80 million due to almost non-existent security measures, according to an investigator.

Speaking to the Reuters news agency, Mohammad Shah Alam, head of the Forensic Training Institute at the country's criminal investigations department, said there was no firewall to speak of and second-hand, cheap switches were used to connect computer systems to SWIFT, a messaging system used by banks and financial institutions worldwide.

The attack took place in February this year. A group of cyberattackers managed to infect the bank's central systems with what is thought to be a surveillance-based Trojan in order to watch employees and transactions for several weeks.

After learning how the organization worked, the group stole the Bangladeshi bank's SWIFT code and made a series of rapid transaction requests for cash to be sent from the country's New York-based Federal Reserve account to entities across Asia, mainly located in the Philippines and Sri Lanka.

It was only when a US employee spotted a spelling mistake in one payment request that the scheme was flagged and all remaining transactions were stopped. Had this small error gone unnoticed, the amount stolen would have climbed to at least $1 billion.

Shah Alam noted that, had adequate security measures been in place, the heist would have been far more difficult to carry out; as it was, the attackers -- who are still at large -- were able to plunder Bangladesh's US account.

In March, the head of the Bangladeshi central bank Atiur Rahman resigned in the wake of the attack.

The situation is a prime example of a financial institution which has access to a huge amount of funds but has placed absolutely no importance on protecting itself from the rising threat of cyberattacks.

To make matters worse, the switches used to connect the PC systems were $10 bargain-bucket accessories, which has made investigators' lives a lot more difficult. Had the switches been of reasonable quality -- perhaps a few hundred dollars a pop -- law enforcement would have had a better chance of establishing how the hackers broke in, and potentially of tracing where they did it from.

Tom Kellermann, a former member of the World Bank's security team, told the publication that the problem is not limited to Bangladesh's central bank: there are a "handful" of other financial institutions in other countries that are just as insecure.
