Tag Archives: hacking central banks

As Secure as it Can Get: hacking the banks


A little-noticed lawsuit details a hacking attack similar to one that stole $81 million from Bangladesh’s central bank, saying cybercriminals stole about $9 million in 2015 from a bank in Ecuador…..…A third attack, from December 2015 at a commercial bank in Vietnam, was detailed last week by the Society for Worldwide Interbank Financial Telecommunication, or Swift. That bank detected the fraudulent requests and stopped the movement of funds, the central bank in Vietnam said.  In the January 2015 Ecuador hack, as with the Bangladesh case, hackers managed to get the bank’s codes for using Swift, the global bank messaging service, to procure funds from another bank, according to court papers.

The Ecuadorean bank, Banco del Austro, filed a lawsuit in New York federal court in 2016 accusing Wells Fargo & Co. of failing to notice “red flags’’ in a dozen January 2015 transactions and to stop them before the thieves transferred about $12 million, most of it to banks in Hong Kong.  Lawyers for the two banks didn’t immediately return phone calls asking to comment about the case and Swift’s complaints that they had failed to notify the messaging network….

There are similarities in method, including thieves accessing the bank’s system to log on to the Swift network through customer sites, and doing so after bankers’ hours, apparently to reduce the likelihood someone would ask questions about specific transactions…

According to that filing on behalf of Banco del Austro, or BDA, “For each of the unauthorized transfers, an unauthorized user, using the Internet, hacked into BDA’s computer system after hours using malware that allowed remote access, logged onto the Swift network purporting to be BDA, and redirected transactions to new beneficiaries with new amounts.” Using that method, just before midnight on Jan. 14, 2015, a payment order made to a Miami company for less than $3,000 was altered to send $1.4 million to an account in Hong Kong, according to the court filing. There were 12 suspect transfers carried out over a 10-day period in January 2015, according to the lawsuit.  BDA’s lawsuit argues Wells Fargo should have noticed several anomalies in the transfers and, at a minimum, asked questions about them.  “The unauthorized transfers were made in unusual times of the day, in unusual amounts, to unusual beneficiaries in unusual geographic locations,’’ the bank’s lawyers argued in the filing. “Despite the numerous anomalies in the unauthorized transfers, [Wells Fargo] inexplicably failed to block them and/or alert BDA of the suspicious activity.’’

Excerpts from DEVLIN BARRETT and KATY BURNE, Now It’s Three: Ecuador Bank Hacked via Swift, Wall Street Journal, May 19, 2016

The Heist: hacking central banks

federal reserve bank ny, Image from wikipedia

Hackers broke into the Bangladesh central bank’s computer systems in early February, 2016, according to the news service, which cited anonymous officials at the financial institution. The attackers stole the credentials needed to authorize payment transfers and then asked the Federal Reserve Bank of New York to make massive money transfers — nearly three dozen of them — from the Bangladeshi bank’s account with the Fed to accounts at other financial institutions overseas.  Four transfers to accounts in the Philippines, totaling about $80 million, worked. But then a fifth request, for $20 million to be sent to an apparently fictitious Sri Lankan nonprofit group, was flagged as suspicious by a routing bank because of the “fandation” error.

Bangladesh’s central bank was able to stop that transaction after the routing bank asked for confirmation. “The Sri Lankan bank did not disburse it immediately, and we could recover the full amount,” the central bank told the Financial Times.  The requests waiting to be processed — amounting to a total of between $850 million and $870 million, according to an unnamed official cited by Reuters — were also halted. So if it weren’t for that typo, the attackers might have escaped with a bigger payday. Bangladesh’s finance minister has blamed the incident on the Federal Reserve and said his government will “file a case in the international court against” the financial institution, according to the Dhaka Tribune. A New York Fed spokesman denied the accusation, telling The Washington Post in a statement that “there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question” or that the institution’s systems were compromised. The spokesman said the payment instructions were “fully authenticated” using standard methods.

Excerpts from Andrea Peterson Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank, Washington Post, Mar. 11, 2016