Transfer techies at SWIFT tell Bangladesh Bank: Don't shift blame for $81m cyberheist

SWIFT has firmly rejected Bangladeshi claims that mistakes on its part are to blame after $81m was looted from Bangladesh’s central bank. Bangladeshi officials claimed earlier this week that technicians from SWIFT had introduced vulnerabilities into the bank's network when connecting a Real-Time Gross Settlement (RTGS) system …

  1. Alister

    As well as network infrastructure weaknesses, the hackers behind the heist used custom malware specifically created to target SWIFT. The code even adjusted the SWIFT system’s printed reports to hide fraudulent transfers from the Bangladesh central bank account at the New York Federal Reserve Bank.

    If the above is true then surely SWIFT can't possibly deny all responsibility for the losses incurred.

    1. Anonymous Coward

      Depends. More than likely it intercepted the report from swift and edited it. Or more likely still replaced it with a "business as usual" copy that looked superficially correct.

      Again then it would be on Bangladesh Bank's procedure to reconcile the report to what was expected.

      I suspect they just didn't bother, which isn't that usual.

      Seems like a pretty sophisticated hack with some insider knowledge of what Bangladesh Bank's processes were. Slightly dubious that "malware" managed all this on its own. I'd be looking for the inside man/woman.

    2. Martin Gregorie

      Depends how the printed reports were handled.

      If "SWIFT printed reports" are sent to the bank over the SWIFT network and then printed locally, it's quite possible that a piece of malware on the bank's computers intercepted and altered the report before it was printed. If that is what happened then the falsified report is nothing to do with SWIFT.

  2. BurnT'offering

    Sweet 2FA!

    Maybe they should consider stronger authentication

    1. Anonymous Coward

      Re: Sweet 2FA!

      As was suggested in the article

  3. Peter Simpson 1

    $10 second hand Router and no Firewall

    The bank's going to have a hard time demonstrating that their IT infrastructure was up to a generally accepted standard of security.

    http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO

    Bonus quote of the week:

    "There might have been a deficiency in the system in the SWIFT room," said the spokesman, Subhankar Saha, confirming that the switch was old and needed to be upgraded.

    1. Richard Jones 1

      Re: $10 second hand Router and no Firewall

      The link made interesting and depressing reading. It is almost a believe-it-or-not account.

      1. This post has been deleted by its author

      2. This post has been deleted by its author

    2. Anonymous Coward

      $10 switches are fine

      Without management features they can't be exploited remotely. The lack of firewall was the problem.

      1. theblackhand

        Re: $10 switches are fine

        And without management features, ports won't be shut down and 802.1x won't be used to authenticate connections and it will complicate finding a WLAN AP or remotely accessible computer planted somewhere out of the way...

        1. Peter Simpson 1

          Re: $10 switches are fine

          I dunno...there's something about a bank buying a used switch/router for $10 (out of some bloke's car boot in a carpark after work?) that just doesn't inspire any level of confidence at all in their IT infrastructure.

          Smoke, fire and all that...

    3. Anonymous Coward

      Re: $10 second hand Router and no Firewall

      But IT is just a commodity resource - just outsource it to the lowest bidder.

  4. Christoph

    "wider use of two factor-authentication, among other security controls, is needed."

    Naah - two factor authentication has been used for years for things like personal bank accounts and social media accounts - surely they don't need to do all that work for something as trivial as the central bank of an entire country.

    1. This post has been deleted by its author

    2. Anonymous Coward

      What is it the kids say these days? Bangladesh going to Bangladesh. At least an illegal garment sweatshop didn't collapse and kill 1000 people this time.

  5. Anonymous Coward

    Bangladesh competence

    Have they caught a single murderer who has been hacking up journalists/bloggers/activists in broad daylight? On the plus side I guess though they still lead the world in unsolved acid attacks the number has come down some. What an asspit.

  6. This post has been deleted by its author

  7. david 12 Silver badge

    2 factor authentication

    Swift is already 2 factor authentication: You need to know the password, and you need to have (access to) the Swift terminal. That's what 2FA is, and that's what Swift is, and that's why the Swift terminal is locked in the Swift terminal room.

    Not that 3FA is not a new idea, or a bad idea -- remember that nuclear launch requires 2 people, and 2 keys, and 2 codes -- but there are diminishing returns from more factors, and if the bank can't protect their passwords and systems and swift terminal, you have to wonder if adding a mobile phone or a key fob would have helped.

    1. phuzz Silver badge

      Re: 2 factor authentication

      But once you have physical access to the Swift terminal, isn't it then pretty trivial to get hold of the password (eg a keylogger, or just a camera)?

      Usually the physical part of the 2FA is some kind of security token which is kept apart from the computer until it's needed.

      That said, keeping the only access terminal in a secure room with proper physical security would have helped in this case if they'd not also connected it to the main network.
