The Bangladesh Bank was attacked on two levels in February 2016. Clearly the IT security mechanisms were inadequate: Supposedly the central bank has no firewall and only obsolete network technology. The thieves entered the bank network by this door and obtained the access data for bank transfers. In the SWIFT Alliance Access client they were able to use this data to authorise themselves as the ordering party for the transactions. For the Fed, the central bank of Bangladesh appeared as the originator.
According to BAE Systems, the security gap also allowed the attackers to install malware that they had programmed themselves on the SWIFT Alliance server. This software manipulated the confirmation messages of the SWIFT network and deactivated the access protection for the database. The transactions that were executed were not logged correctly, so that the thieves’ tracks were covered.
The hacker attacks completely disabled SWIFT’s security mechanisms and opened up almost unlimited opportunities for the thieves. The total amount of all of the requested transactions was actually 951 million US dollars. An unusual typing error in one message caused an involved bank in Bangladesh to query the bank transfer. This alone revealed the entire fraud. However, the 81 million had already been transferred and had disappeared into Philippine casinos and private hands. As a result, Atjur Rahman, head of the central bank of Bangladesh, and his deputies were forced to resign in March 2016.
SWIFT itself has conceded that multiple fraudulent messages were sent via the network in recent months. In May 2016, a commercial bank was the victim of a similar case of fraud: Criminals broke into the IT systems, accessed user data and manipulated messages. Now updates are to close the security gaps in the SWIFT software.
Even though SWIFT stresses that the attack has not called the security of the network into question but rather that of the access system, the case illustrates the dilemma posed by closed international networks. They cannot be completely walled off no matter how much technical know-how is applied. Aside from the software of the network operator, the surrounding bank systems can also present vulnerabilities. Not to mention criminal employees aiding and abetting fraud. And once the attackers are inside, the whole world is in their hands. This creates an incentive. A procedure such as EBICS uses the open internet and applies a security concept that is mainly based on keys for cryptography and authentication. This can provide an alternative to a closed network.
In view of the potentially enormous damage, inter-bank and corporate customer payments must be protected comprehensively. Cyber-attacks such as the ones described here can be expected to increase. Ultimately, the security mechanisms for the procedure and the bank IT, and those for employees, must mesh without any gaps.
Michael Lembcke
