Friday, 11 March 2016

Insider Trading

Sometimes a story comes along which can easily be read the other way ..... this one is such a tale. Ostensibly the story is about a daring fraud and bank hack, 'foiled' in Bangladesh, but when examined more closely, there are a lot of tell-tale clues that suggest there is a lot more to this than meets the eye.

Cyber Crime - You Never Know Where It Will Happen Next ....
 
It was reported that last month some 'Cyberthieves' targeted Bangladesh's Central Bank, and tried to get away with $1bn (£700m) in money, via bank transfers. 

They apparently used 'stolen credentials' to make the requests to transfer cash look legitimate. They would apparently have succeeded, but for the fact that they were being greedy and making too many transfer requests in too short a period ... oh, and they couldn't spell correctly in English (BA Calcutta failed?). Not that the Bangladesh Central Bank spotted anything wrong; they were apparently totally unaware of the large volume of transfer requests being made against their plentiful funds.
 
No, it was the foreign reserve banks (in Germany and USA), who were being asked to facilitate the fund movements through their systems, who started flagging up the suspicious volumes, and the spelling mistake in one of the requests. Once the alerts reached a loud enough volume, the Bangladesh Central Bank finally stopped the transfers, but even so, the 'hackers' behind the breach are believed to have got away with about $80m.

However, it's the details contained inside the story that really should be raising alarm bells inside and outside of that country:

1) The Bangladesh Central Bank processes didn't flag any internal alert over the volume of transfers, nor the amounts being sucked out of their reserves.
2) It's reported that the gang must have 'spent time studying the internal processes of Bangladesh's Central Bank so they could convincingly pose as officials when requesting the transfers'.
3) The fund transfers were all being made into private accounts in Sri Lanka, and the Philippines, rather than other reserve banks (which I guess may not be too unusual in that part of the world, but would be anywhere else).
4) The Bangladesh government immediately rushed to publicly blame the New York Fed for not spotting the suspicious transactions earlier, with Finance Minister Abul Maal Abdul Muhith saying that "The Fed must take responsibility" .... and raising the prospect of legal action against the US body to help recover the money. This is presumably because a lot of their country's reserve is held in the US system (possibly because they can't trust themselves to keep it at home). However, the New York Federal Bank said its system had not been breached by the hackers, so it was not them who were responsible.

Efforts are now being made to freeze and return the $80m from those private accounts in Sri Lanka and the Philippines .... what's the betting that somehow it's all been lost?

So let's look at this again, but without the same spin as the original linked story.

(a) Some group with credentials from the Bangladesh Central Bank authorised a large number of fund transfers from the Bangladesh government reserves held in the USA, to private accounts in Sri Lanka and the Philippines
(b) In order to do this, the criminals also had to be fully conversant with the internal security processes of Bangladesh's Central Bank.
(c) They also had to have high enough authorisation, to be able to make the transfers without them being questioned inside Bangladesh's Central Bank.
(d) The Bangladeshis accepted no blame, and instead rushed to blame the US banking system for 'not spotting the suspicious transactions earlier' .... actually they did, but the Bangladesh Central Bank only reacted after a series of transactions had been flagged as suspicious.

No Shit Sherlock .... Inside Job?

Now if I was of the 'No Shit Sherlock' mind cast ..... I would say that it stinks to high heaven of an inside job.
  • 'Stolen' credentials.
  • Security protocols known.
  • Internal Banking processes spied on and known.
  • Private Accounts used.
  • Slow central bank response.
  • No internal activity flags raised.
  • Undetected hack into the central bank (long enough to study bank systems, processes, security, and alert protocols and then bypass or spoof them).

I guess you pays your money and makes your choice, but I know where I would be looking for the criminals .... and it would not be in Sri Lanka and the Philippines (unless any current or recently former, bank employees have spent time in either of those countries).

9 comments:

  1. According to the BBC the head of the Bangladeshi central bank has resigned. He is named as Atiur Rahman and the money lost is now said to be £100m.

    http://www.bbc.co.uk/news/business-35809798

    1. There will be more to this story when it all comes out. Thanks for the comment.

    2. It's being reported that another unnamed bank has had a similar attempt made on it. The attackers had a "deep and sophisticated knowledge of specific operational controls" at the targeted bank, and could have been aided in their theft by "malicious insiders". Sounds like the same gang had insiders elsewhere.

    3. Certainly does ... maybe more to come? Thanks for the comment.

  2. FYI the Bangladeshis are still blaming the US Fed

    http://www.bbc.co.uk/news/business-35874531

    1. Not surprised. Got to keep too many asking questions back home. Thanks for the update.

    2. Ah, now it turns out that the Bangladeshi National Bank skimped on network hardware and security software. The bank allegedly had no firewall, and used second-hand routers that cost just $10 to connect to the global financial networks.

      No doubt all their I.T. 'Experts' must be doing outsourced work for our banks and financial companies .... that's reassuring, isn't it?

  3. The attackers had a "deep and sophisticated knowledge of specific operational controls" at the targeted bank, and could have been aided in their theft by "malicious insiders"

