From left to right: Simon Piff, Vice President, Enterprise Infrastructure, IDC Asia/Pacific; and Anand Bindumadhavan, Head of Services & Support Asia Pacific, SWIFT, at the CIO Conference Singapore 2017.
No organisation today is safe from cyber attacks.
Last February, the central bank of the Bangladesh reported that its systems had been breached and hackers used the SWIFT messaging network to order the transfer of nearly US$1 billion from its account. Even though most of the transaction didn't go through, nearly US$81 million ended up in bank accounts in the Philippines.
"This goes to show that even though the Bangladesh Bank regulates and influences banks on their security efforts, it unfortunately became a victim of a cyberattack [too]," said Anand Bindumadhavan, Head of Services & Support Asia Pacific, SWIFT, at the CIO Conference Singapore 2017.
Even though the SWIFT network, core messaging services and software were not compromised, SWIFT collaborated with companies like BAE Systems to investigate the incident "to understand what exactly happened," said Bindumadhavan.
SWIFT announced findings from the investigation on 13 May 2016. It was found that attackers first exploited vulnerabilities in the bank's funds transfer initiation environments. This may not have been too challenging as the Bangladesh Bank were using "cheap security devices," and "their firewalls were not functioning at full capacity as they didn't have proper licences", shared Bindumadhavan.
Thereafter, the attackers obtained valid operator credentials that have the authority to create, approve, and submit SWIFT messages from customers' back-offices or from their local interfaces to the SWIFT network. Since this bypasses the primary risk controls that Bangladesh Bank had in place, the attackers then submitted fraudulent messages by impersonating the operators from whom they stole the credentials.
Finally, the attackers tampered with statements and confirmations that the bank used as a secondary control, to hide their criminal activities.
According to forensic experts that SWIFT worked with, the attackers showed sophisticated knowledge of specific operational controls within the Bangladesh Bank. Such information could have been provided by malicious insiders, or gained from previous cyber attacks that the central bank was not aware of, or a combination of both.
When asked for advice on how to prevent a similar incident from happening, Bindumadhavan asserted that banks should not take security for granted, and must be aware of what is happening outside and inside their organisation.
To be aware of happenings in the industry, banks should take cues from the hacking community and share more information with each other. "Hacking is an organised activity - there's a whole bunch machinery, and organised and sophisticated people running around who exchange information and share intelligence more than banks do."
Sign up for CIO Asia eNewsletters.