Instead of blaming the US Federal Reserve after $101 million went missing, Bangladesh should look in the mirror.
That’s the conclusion of cyber security experts after a breach that saw funds from Bangladesh's account at the New York Fed transferred to the Philippines and beyond. Attempts to withdraw another $850 million were foiled in part because the hackers misspelled the name of one of the recipients.
"Relying on poor spelling should not be a security policy," Andrey Dulkin, a senior director at CyberArk, a Jerusalem-based cyber security company, said in an e-mail. "If the Bangladesh Bank had been monitoring the activity of these accounts, it could've quickly identified the anomalous behaviour and not have been completely reliant" on third parties to flag suspicious activity, he said.
Bangladesh Finance Minister Abul Maal Abdul Muhith has lashed out at the Fed and his own central bank as the government leads a multi-country effort to retrieve the funds. Last week he accused the Fed of "irregularities" that led to the unauthorised money transfer and promised a legal battle. On Sunday, he called Bangladesh Bank's handling of the situation "very incompetent."
'Quite shocking'
There's little dispute that Bangladesh could've done more to prevent a bold heist that is turning into a cautionary tale for central banks around the globe. The issue is particularly urgent for developing countries like Bangladesh that have seen growth rates and foreign reserves jump in recent years.
"All central banks have since looked into their systems," Sri Lanka central bank Governor Arjuna Mahendran said in an interview with Bloomberg Television in Singapore on Tuesday. "The messaging system with the Fed is under scrutiny. The key is people. They get lazy, they develop bad habits."
Bangladesh should be "very concerned" about the risk of copy-cat attacks, said Victor Keong, a partner at consultant Deloitte Touche Tohmatsu Ltd. in Singapore.
"It is quite shocking," Keong said. "If a central bank can have such lapses – and it is the regulator – then those it regulates might not be so well protected."
While countries like Singapore, South Korea and Japan have introduced coherent cyber policies to protect their institutions, nations including Thailand and the Philippines needed to improve their defenses, according to 2015 rankings on "cyber maturity" published by the Canberra-based Australian Strategic Policy Institute, known as ASPI. Bangladesh, absent from the ranking in 2015, will be included this year.
Finger wagging
"It is interesting that the Bangladeshi government came and finger wagged at the Fed to deflect attention from their own bank," said Tobias Feakin, director of the national security program at ASPI.
The US, Canada, Norway, Brazil and Germany rank among the highest in a Global Cybersecurity Index published by ABI Research and the International Telecommunication Union. Toward the bottom are smaller, less developed economies, including Cambodia, Cuba and Honduras.
A Fed spokeswoman said last week that instructions to make payments from the Bangladesh central bank's account followed protocol and were authenticated by the SWIFT codes system commonly used for international transactions. There were no signs the Fed's systems were hacked, she said.
'Weakest link'
Malicious software code, known as malware, had been introduced into the bank's systems in January without the knowledge of the bank's information systems staff, according to an official familiar with the Bangladesh Bank investigation. The hackers struck the systems on Feb 4, said the official, who declined to be named because he's not authorised to speak about the probe.
"We don't know how the malware got into the system, but there seemed already to be high-level understanding of how this bank operated and information about the people going in and out," said Feakin from ASPI. "With cyber, it will always be the case of targeting the weakest link."
Bangladesh Bank is investigating eight officials who carry out foreign exchange transactions by rotation, according to a Finance Ministry official who asked not to be identified because he's not authorised to speak about the probe. Some of the officials found the central bank's computer systems inoperative a day after the theft, but didn't immediately inform their supervisors, the official said.
Forensic team
Bangladesh Bank said the integration of all modern protection systems on its information technology platform to prevent future cyber attacks "was progressing fast."
Subhankar Saha, a spokesman for Bangladesh Bank, said it had no comment on the Finance Minister's remarks accusing it of incompetence. The central bank has set up a forensic team led by Rakesh Asthana, chief executive officer of World Informatix, a Virginia-based cyber security company. The bank also hired Mandiant, a unit of US-based cyber security firm FireEye Inc.
"Asia’s financial institutions face increasingly sophisticated cyber threat actors, and most need to improve their capabilities in order to better protect their systems," said Bryce Boland, chief technology officer for Asia Pacific at FireEye.
'Bigger targets'
The Philippines is also helping out following reports that the money ended up in Manila. Authorities are preparing charges and hope to return some of the stolen cash, Teresita Herbosa, the chairman of the Securities and Exchange Commission, told reporters in Manila on Monday.
In order to carry out the attack on the central bank, hackers would've had to target Bangladesh Bank system administrators and application accounts that would enable an attacker to operate inside its network and execute high volume transfers, said Dulkin from CyberArk.
He said the attack on Bangladesh Bank was similar in nature to recent attacks carried out by the Carbanak gang, which stole as much as $1 billion from banks and other financial institutions and was described in a Feb 2015 report by Kaspersky Lab, Russia's biggest maker of antivirus software.
"Attackers look for the credentials that would enable them to reach their goals," Dulkin said. "We can expect attacks of this nature to become more aggressive and cyber attackers in general to become bolder and more audacious, going after bigger targets for greater sums."
Bloomberg
Tue Mar 15 2016
Bank robbers successfully made five transfers out of the Bangladesh bank's account at the New York Fed. Of the $101 million they stole, $80 million ended up in accounts located in the Philippines, and $21 million went to Sri Lankan accounts.