One of the peculiar things about computer security is how much the topic is written about and discussed (a huge amount) compared to how much is actually done (always less than you think). But what’s really peculiar is that enterprises, which you’d think would have better security than organizations in, say, the SMB space, often have serious security deficiencies. Case in point: The Bangladesh Central Bank.
In February this year, hackers managed to get into the Bangladesh Central Bank’s network and acquired the bank’s SWIFT credentials, codes that authorize interbank transfers. The hackers then used the credentials four times to transfer some $81 million to various accounts in the Philippines and Sri Lanka via the New York Federal Reserve but on the fifth attempt, the hackers misspelled the receiving account’s name (they spelled “Shalika Foundation” as Shalika “Fandation”)(du’oh).
Deutsche Bank, which was somehow involved in routing funds, noticed the spelling error and referred it back the Bangladesh Central Bank which immediately cancelled that and all subsequent transfers. Here’s the big thing about this exploit: Had the typo not been made or not noticed, the transfers would have resulted in the theft of $1 billion!
How, you might be wondering, did the hackers gain entry to the Bangladesh Central Bank? Many news sources blamed malware but it turns out that the answer is far more prosaic and infinitely more stupid. According to a BBC article, Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, the Bangladesh Central Bank’s network didn’t have a firewall and used $10 second-hand dumb network switches to connect with the Swift network.
I probably don’t need to explain to you, dear reader, just how negligent and egregious the Bangladesh Central Bank network security failures were but what’s interesting (and disturbing) is that these kinds of deficiencies are thought to be common in financial institutions in emerging economies.
Not surprisingly, the Bangladesh Central Bank governor has resigned and the bank is now trying to sue the New York Federal Reserve and SWIFT for negligence. Good luck with that.
So, has your organization looked at its network architecture and defenses recently?