Some Bangladesh Bank Officials Involved In Heist, Says Investigator

Ruma Paul, reporting for Reuters: Some Bangladesh central bank officials deliberately exposed its computer systems and enabled hackers to steal $81 million from its account at the Federal Reserve Bank of New York in February, a top investigator in Dhaka told Reuters on Monday. The comments by Mohammad Shah Alam of the Dhaka police are the first sign that investigators have got a firm lead in one of the world's biggest cyber heists. Arrests are soon likely, he said. On Thursday, the head of a Bangladesh government panel that investigated the heist said five bank officials were guilty of negligence but that they were only unwitting accomplices. Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions.Early this year, hackers targeted Bangladesh's central bank to get away with $1bn. At the time, it was reported that the gang behind the raid used stolen credentials to make requests to transfer cash look legitimate. If all the requests had gone unchallenged, the gang would have got away with about $1bn. However, the transfers were stopped when the volume of requests raised suspicions at other banks.

Amateurs...

[Ecuador]

Amateurs... If they had only been collecting the rounding errors from the transactions they would have eventually pulled that cool $1bn without anyone knowing...

Re:

[Yvan256]

The evil boss caught the employee because he made stupidly expensive, obvious purchases with his rounding errors.

Re:

[AchilleTalon]

They were transfering funds from their own account. There was nothing else to check for. They were authorized to make the transfer with their own (well, not their own, but the bank) money. I guess they believed they could held the Federal Reserve in New York responsible for a security hole or they believed they could vanish in the sky with the money before being catched. But in either case, it wasn't an insufficient funds or illegal instruments case. They were perfectly legit to make the transfer since they

Re:

[nitehawk214]

It is the same reason there is no security whatsoever behind paper checks. Bank's simply don't give a shit. It isn't their money.

Re:

[AvitarX]

We had our checks stolen at work.

The bank fully refunded the fraudulently cashed ones.

Re:

[nitehawk214]

It isn't the (eventual) recovery that is the problem. Its the fact that the system is so wide open that this can happen in the first place.

All someone needs is your account number and they can empty your account. The check does not even need your (or your business') name on it.

Banks simply have no interest in putting together a better system than the ancient check system.

Re:

[AvitarX]

Why was that a problem, it was quick recovery, and clearly the rare case of check fraud is cheaper than developing a new system.

All sorts of contracts are easy to breach, but our legal system keeps fraud fairly low in the scheme of things.

Re:

[nitehawk214]

It took a month of harassing the bank until they gave me my money back. In the meantime nearly every penny I had was gone. Luckily I make enough in a month to cover all my bills. In the end it was shaming them on social media that actually got a bank manager to call me.

Huh?

[Threni]

Not really IT news, and kind of obvious. I mean, i guess it involves IT equipment, but so does shopping. Is Slashdot eventually going to become a repository for every single story going?

Re:

[TWX]

At least there's an IT administration angle here. Compared to the dark days of Dice this is quite the improvement.

Re:

[hey!]

Slashdot is not has never been an IT news site. However this is definitely IT news. Systems need to be designed to prevent or detect collusion, and this kind of thing is a natural part of a system's risk assessment.

Obvious from the beginning

[AchilleTalon]

That was obvious from the beginning there was some kind of in side collaboration to crack the Swift network. This is not possible otherwise and it was surely not a security problem with the router as many said in February that may have open the door. Everything is encrypted from the beginning, there is nothing gain from a router hack if you don't already have the encryption keys.

Re:

[AchilleTalon]

Who? The Federal Reserve? It's not its money. The transfer order was legit. The Federal Reserve cannot refuse to transfer funds it is not actually owning. The Bangladesh bank can transfer it where ever it wants. It is not the Federal Reserve business to refuse or set any other conditions. They have no authority to rollback anything. In fact, a Swift transaction cannot be rolled back. You make another transaction to transfer funds from to original destination back to the original source if it is still at the

Reverse Karma?

[Tablizer]

They got burned by insourcing.

management finally getting punished.

[Gravis Zero]

five bank officials were guilty of negligence but that they were only unwitting accomplices. Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions.

Sure sounds like some bank officials wanted the typical security exemptions of management and that it really bit them in the ass this time. Bangladesh isn't known for it's leniency and frankly, I hope they throw the book at them.

Re:

[khz6955]

@Gravis Zero [slashdot.org]: "Sure sounds like some bank officials wanted the typical security exemptions of management and that it really bit them in the ass this time. Bangladesh isn't known for it's leniency and frankly, I hope they throw the book at them."

If they were inside accomplices then why the need to hack the Windows desktops that performed the SWIFT transactions?

Re:

[Gravis Zero]

If they were inside accomplices then why the need to hack the Windows desktops that performed the SWIFT transactions?

do you not know what an unwitting accomplice is? the internet has answers. [answers.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Vulnerabilities in bank's connection to the SWIFT

[khz6955]

"some bank officials had knowingly created vulnerabilities in the bank's connection to the SWIFT system, used for global transactions."

I thought the vulnerabilities were introduced by emailing them malware that reprogrammed their Windows desktops to perform unauthrorzed transactions and prevented the Oracle database from printing out an acknowlegment of the transactions. The hack consisted of altering two bytes [archive.is] in a running Windows process [blogspot.co.uk].

Re:

[FeelGood314]

Correct. The hack wasn't on the SWIFT network. No one broke SWIFT's security or forged transactions. They used legitimate authorized systems to send valid commands to the SWIFT network. It was the Bangladesh central bank's security and audit systems that were by-passed.