Digital heist of $100 million rattles banking industry


News

page image

Massive breach of transfer systems has central bank–and everyone–scrambling for answers

By Frank Cummings, CEO of AML Partners

If you’re in the financial services industry, your water-cooler conversations this morning probably include the $100 million digital heist involving the Central Bank of Bangladesh and the NY Fed—via a transfer request through the SWIFT network. It’s both a fascinating and frightening story, the depths of which are not yet known.

News reports started surfacing late Monday, but details remain scarce. According to reports in the New York Times and the Wall Street Journal, hackers allegedly used the Bangladesh bank’s SWIFT code to engineer the transfer of funds from the bank’s account at the New York Fed to accounts in the Philippines.

Authorities in Bangladesh are demanding that the New York Fed should take responsibility, but the Fed responded via Twitter that “regarding hacking reports, there is no evidence of attempts to penetrate Federal Reserve systems & no evidence Fed systems were compromised.” A Fed representative asserted further that “the payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols.”

A Reuters report yesterday focused on likely security lapses at the central bank of Bangladesh and predicted that the hackers had “deep knowledge of the institution’s inner workings” by way of spying on workers and stealing credentials and cryptographic keys for SWIFT-network transfers. Belgium-based SWIFT is declining to comment on details of the heist but like the NY Fed it is asserting that there is no evidence that its system was hacked.

All of us in the industry will no doubt pay close attention as details emerge over time. The SWIFT network is ubiquitous among world financial institutions, and it is well trusted. But this type of hack—whether it was an extended internal vulnerability at the central bank of Bangladesh or whether the problems are larger than that—will lead to a lot of sleepless nights for a lot of banking professionals.

Perhaps it is time to think about adding additional layers of protection against this type of criminal penetration of the financial system. One idea would be allowing compliance officers to put a dollar limit on a transaction that stops it from going out of that institution so that other checks can be triggered. Given that all transactions must go through a sanctions filter prior to leaving a financial institution, that could be the last check before the hackers succeed.  That is being added to AML Partners’ Surety-Eco Sanctions screening system right now, and it will be available for a system update to our customers in a week.

No doubt there will be a lot of ideas emerging to combat this new and growing threat to the integrity of the global financial system. And there will also be a lot of sleepless nights for some industry professionals.