A year ago, Bangladesh Central Bank was attacked. Its SWIFT networking credentials were stolen by malware specifically designed to do so. SWIFT is the messaging system used between banks to transfer money and other assets. The attackers were able to get away with $81 million.
The details are much more troubling. The malware had information about the specific brand of printer the bank used. This meant the malware was targeting not only SWIFT's logging system but the BCB itself. And it was doing so with likely help from insiders.
Even more troubling is the context. This happened in Vietnam and Ecuador as well. It is believed to be part of a broader campaign to attack the biggest institutions.
The saving grace was that the Federal Reserve Bank of New York did not process all of the 35 payments because it could only confirm five. But this still meant $101 million was transferred. Had all of them been processed, $951 million would have been taken out. Then, $81 million was sent to Philippine casinos and $20 million to Pan Asia Bank in Sri Lanka; the latter found the funds suspicious and did not release them. Less than a tenth of the funds originally targeted were actually stolen. The thing is, the denominator is so large that this theft still goes down as one of the largest bank robberies in history.
The consulting firms are all trying to provide actionable advice, but it is pretty clear what has to get done: improve controls around insider information and communications, centralize financial crimes units, centralize data, improve cybersecurity, and develop transaction approval standards. Much easier said than done, though. Imagine trying to control insider information flows while centralizing the data to improve oversight across it. The key to all of this is the one thing consulting firms are not really saying, probably because it isn’t an area where they can compete: people. Training and education of the workforce for skills, awareness, experience, and encouraging action is where trust and competence are built. With it, everything else can be built.