Insider Insights: Big Banks And Managing Cybersecurity Risks

It was the cyberheist heard around the world — and one that’s been creating quite the stir since it happened in February.

That cyberheist, of course, is the theft of $81 million from the central bank of Bangladesh through its account at the New York Fed. The $81 million was taken from Bangladesh’s account at the New York Fed using official government codes and stashed in personal bank accounts in the Philippines. The remaining $20 million was routed to a Sri Lankan bank.

Since then, there’s been plenty of finger-pointing over which organization or agency was responsible for the hack and what could have been done to prevent such a cyberattack. There’s also been increased scrutiny of the vulnerabilities of the 10,000+ financial institutions that run financial transactions across the SWIFT network.

To get an industry insider’s take on this subject, PYMNTS recently caught up with Sunil Madhu, CEO and President at Socure. Catch the conversation here:

PYMNTS: Are you familiar with the recent $81 million Bangladesh cyberheist? If so, based on what you know about the incident, how could the Bangladesh banks possibly have avoided the untraceable theft?

SM: When this happened, both the Bangladesh Central Bank and the Federal Reserve Bank in New York had security lapses that enabled the theft. Hackers broke into Bangladesh’s Central Bank and employed malware/spyware to spy on the SWIFT money transfer system, obtained credentials needed for payment transfers from Federal Reserve Bank of New York, and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka. If it wasn’t for the incorrectly capitalized message that was noticed by someone handling the request at the Fed, the theft wouldn’t have been stopped and the losses would have been much greater. 

Bangladesh’s Central Bank should have employed better perimeter security and data analytics to monitor for abnormal behavior from malware/spyware on their network. The Fed has bigger issues because it intrinsically trusts the credentials supplied to it from the banks attached to it over SWIFT, which is an antiquated set of rails for payments. I’m certain they can do better to authenticate requests before processing payments of this magnitude and frequency.

. . . . . . . . . . . . . . . .

PYMNTS: Generally speaking, how much more/less prepared do you think U.S. banks would be in preventing a multimillion dollar cyberheist compared to international banks?

SM: From this attack in 2013 they apparently don’t fare better. Banking attack surfaces are so massive that solving for these threats is not quick, easy or cheap.

. . . . . . . . . . . . . . . .

PYMNTS: What online security measures do you believe all banks should have in place? Also, if a bank can’t handle putting all those security measures in place, what are one or two vitally important ones that should be addressed?

SM: The trick is to use machine learning across disconnected security systems to learn what abnormal patterns of behavior mean to an organization. Today many of these security measures are a quilt-work of systems that are silos of information, and weaving through those systems after watching them for a while to learn the processes at work makes attacking the underlying silos of systems easier, because it is in effect an insider threat. There are point solutions … such as using micro-kernels and containers to isolate host machines’ boot volumes so that malware installations (if any) are simply blown away as the machine images are reset periodically. One can also baseline the power utilization of the host machines in their “normal” working state and look for deviations from the normal, since malware would alter the behavior of the host, which would change the power consumption signature of the machine.

. . . . . . . . . . . . . . . .

PYMNTS: If the same malware is used to steal money from 12 banks, do you think that’s because the malware is simply too invasive to be easily detected, or are banks just underprepared?

SM: Fighting malware the way we do today is a cat-and-mouse game where the mouse is always a step ahead. Technologies can change, but processes are [more difficult] to change. If the malware is fashioned around consistent processes across these banks, then the banks will fall short of proactively being able to stop it. So an effective strategy would be to model what is the “normal” state of information flow between different systems that are part of a business process and then look for outliers from that normal that might indicate a threat. 
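The two answers above both come down to the same idea: learn a baseline of what is "normal" for a business process (here, the volume and value of payment messages flowing from one system to another, split by time bucket) and flag observations that fall outside it. The following is an added illustration written for this page; it is not code from the interviewee or from Socure. It uses a robust modified z-score (median and median absolute deviation, MAD) rather than mean and standard deviation so that a few anomalous hours in the training window do not inflate the baseline, and it handles the MAD-equals-zero case that arises for a flow that is normally completely silent (for example, off-hours transfers). All system names, flow keys, thresholds and observation values are constructed for the example.

```python
"""Baseline-and-outlier detection over inter-system message flows.

Added example for this page (not the interviewee's or Socure's code).
Each observation is (flow_key, message_count, total_amount) for one
hour, where flow_key identifies (source system, destination system,
time bucket). All values below are constructed for illustration.
"""
import math
from collections import defaultdict
from statistics import median

# Iglewicz & Hoaglin suggest |modified z| > 3.5 as the outlier cut-off.
ROBUST_Z_THRESHOLD = 3.5

# Constructed flow keys: (source system, destination system, time bucket).
BUSINESS = ("core-banking", "swift-gateway", "business-hours")
OFF_HOURS = ("core-banking", "swift-gateway", "off-hours")

# Constructed "historical" hourly counts and amounts (amounts in thousands of USD).
_counts = [38, 41, 40, 39, 42, 40, 41, 39, 40, 43, 38, 40]
_amounts = [1200, 1350, 1280, 1100, 1420, 1300, 1250, 1330, 1290, 1400, 1180, 1310]
BASELINE_OBSERVATIONS = (
    [(BUSINESS, c, a) for c, a in zip(_counts, _amounts)]
    + [(OFF_HOURS, 0, 0)] * 12          # this flow is normally silent off-hours
)


def modified_z(value, med, mad):
    """Modified z-score. When MAD == 0 every baseline sample was identical,
    so any departure from the median is treated as an infinite deviation."""
    if mad == 0:
        return 0.0 if value == med else math.inf
    return 0.6745 * (value - med) / mad


def learn_baseline(observations):
    """Return {flow_key: {"count": (median, MAD), "amount": (median, MAD)}}."""
    per_flow = defaultdict(lambda: {"count": [], "amount": []})
    for key, count, amount in observations:
        per_flow[key]["count"].append(count)
        per_flow[key]["amount"].append(amount)
    baseline = {}
    for key, series in per_flow.items():
        baseline[key] = {}
        for metric, values in series.items():
            med = median(values)
            mad = median([abs(v - med) for v in values])
            baseline[key][metric] = (med, mad)
    return baseline


def score_observation(baseline, key, count, amount):
    """Return (is_outlier, reasons) for one new hourly observation.
    A flow that was never seen in the baseline window is itself an outlier."""
    if key not in baseline:
        return True, ["no baseline for this flow"]
    reasons = []
    for metric, value in (("count", count), ("amount", amount)):
        med, mad = baseline[key][metric]
        z = modified_z(value, med, mad)
        if abs(z) > ROBUST_Z_THRESHOLD:
            reasons.append(
                f"{metric}={value} deviates from baseline median {med} (modified z={z:.1f})"
            )
    return bool(reasons), reasons


if __name__ == "__main__":
    base = learn_baseline(BASELINE_OBSERVATIONS)
    # Normal volume, normal value; normal volume but abnormal value;
    # activity on a flow that is normally silent; a flow never seen before.
    probes = [
        (BUSINESS, 41, 1320),
        (BUSINESS, 40, 8100),
        (OFF_HOURS, 5, 950),
        (("core-banking", "unknown-host", "business-hours"), 1, 10),
    ]
    for key, count, amount in probes:
        flagged, why = score_observation(base, key, count, amount)
        print(key, "OUTLIER" if flagged else "normal", why)
```

Two design points matter in practice. First, the second probe keeps the message count exactly at its median and only the value is abnormal, which is why both metrics are scored independently rather than folded into one number. Second, the flow key carries a time bucket, so a transfer that would be routine during business hours is still an outlier when it happens on a flow that has never carried traffic at that time of day.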

. . . . . . . . . . . . . . . .

PYMNTS: If you were investigating these cyber crimes, how would you go about trying to track down the person/people responsible for the hacks? 

SM: I’d use the same strategy that the CDC uses to trace how a virus spreads through human populations globally. First, disassemble the malware to figure out what it’s programmed to accomplish when it infects a host. Then trace the infected hosts. Then find out every other host system that those systems have connected to recently and examine each of those hosts to see how the malware could have propagated itself all the way back to the initial point of contact. And then examine all the connection logs at the point of ingress to figure where the attack came from on the internet. And then get the FBI to contact the ISPs connected to those remote connections to figure out where the attack might have originated. Also look at where the money was being moved to and trace back from there as well to geographic “points of convergence.”
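The middle steps of that procedure, tracing from the infected hosts back through every system they connected to until the point of ingress, can be run mechanically over connection logs. The following is an added example for this page, not the interviewee's or Socure's code. It parses constructed connection-log lines, then performs a time-respecting backward walk: starting from the host where the malware was detected and the time of detection, it collects every host that connected into it before that time, repeats the walk from each of those hosts using the time of that earlier connection, and records any connection that came from outside the internal network as a candidate ingress point. The log format, the internal address rule (anything in 10.0.0.0/8) and the RFC 5737 documentation addresses used for the external side are all assumptions of the example.

```python
"""Backward propagation tracing over connection logs.

Added example for this page (not the interviewee's or Socure's code).
Log lines are constructed; the format "ts src=IP dst=IP ..." and the
rule that 10.x.x.x addresses are internal are assumptions of the example.
Timestamps are ISO-8601 UTC, so string comparison orders them correctly.
"""
import re
from collections import deque

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

# Constructed log: an external address reaches a workstation, which moves
# laterally to a second host, which reaches the payment host 10.0.5.9.
# One unrelated internal host also connected in earlier, one connected in
# after detection, and one line is malformed.
CONNECTION_LOG = [
    "2016-02-04T09:02:11Z src=203.0.113.45 dst=10.0.1.20 dport=443",
    "2016-02-04T09:30:40Z src=10.0.1.20 dst=10.0.2.15 dport=445",
    "2016-02-04T11:05:03Z src=10.0.2.15 dst=10.0.5.9 dport=445",
    "2016-02-04T12:00:00Z src=10.0.1.21 dst=10.0.5.9 dport=443",
    "2016-02-04T14:00:00Z src=203.0.113.45 dst=10.0.4.4 dport=443",
    "2016-02-04T19:00:00Z src=10.0.7.7 dst=10.0.5.9 dport=443",
    "2016-02-04T20:15:00Z src=10.0.5.9 dst=198.51.100.7 dport=443",
    "malformed line without the expected fields",
]


def is_internal(ip):
    """Assumed addressing convention for the example: 10.0.0.0/8 is internal."""
    return ip.startswith("10.")


def parse_connection_log(lines):
    """Return a list of (ts, src, dst); lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append((m["ts"], m["src"], m["dst"]))
    return records


def trace_back(records, detection_host, detection_time):
    """Time-respecting backward reachability from the detection point.

    Returns (suspects, ingress): suspects maps each internal host that could
    lie on the propagation chain to the time it must have been reached by;
    ingress lists (external_ip, ts, internal_host) connections that entered
    the chain from outside. The walk over-approximates: every earlier inbound
    connection is kept, so each suspect still needs to be examined by hand.
    """
    suspects = {detection_host: detection_time}
    ingress = set()
    queue = deque([detection_host])
    while queue:
        host = queue.popleft()
        before = suspects[host]
        for ts, src, dst in records:
            if dst != host or ts >= before:
                continue               # not into this host, or too late to matter
            if not is_internal(src):
                ingress.add((src, ts, host))
            elif src not in suspects or ts > suspects[src]:
                suspects[src] = ts     # keep the latest time bound, to stay conservative
                queue.append(src)
    return suspects, sorted(ingress)


if __name__ == "__main__":
    recs = parse_connection_log(CONNECTION_LOG)
    suspects, ingress = trace_back(recs, "10.0.5.9", "2016-02-04T18:00:00Z")
    for host, ts in sorted(suspects.items(), key=lambda kv: kv[1]):
        print(f"suspect {host:10} reached by {ts}")
    for ext, ts, host in ingress:
        print(f"ingress {ext} -> {host} at {ts}")
```

The walk flags 10.0.1.21 as well as the real chain, because it also connected into the payment host before detection; that is the over-approximation the answer's "examine each of those hosts" step exists to resolve. The host that connected in after the detection time is correctly left out, and the external address that reached an unrelated host is not reported as ingress because it never touched the chain.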