News broke in February that hackers were able to steal no less than $81 million from the Bank of Bangladesh in what MANY described as a perfect heist. Well, maybe it wasn’t perfect, as a silly spelling mistake prevented the culprits from walking away with nearly $1 billion. But the sophisticated attack worked almost flawlessly as the hackers were able to take advantage of the backbone of financial transactions, after infiltrating the bank’s systems.
It turns out that the Bangladesh attack wasn’t an isolated event. Hackers have attacked other banks as well in the past using the same methods. New reports show that some of these attacks could have been prevented, but only if only banks were willing to share more details about these attacks with the SWIFT organization. Apparently, the financial institutions aren’t just worried that they’re going to lose the trust of customers, but also that they might generate additional inquiries into their security systems from local regulators. And nobody wants that.
The Bangladesh heist wasn’t even the first one, and it likely won’t be the last. Two others have been discovered in recent months; an unsuccessful attack in Vietnam using the same technique was thwarted in December last year, months before the Bangladesh bank was hit. But in mid-January 2015, more than a year before hackers stole the $81 million from Bangladesh, the Banco del Austro (BDA) in Ecuador was the victim of a similar attack.
Over a period of 10 days, criminals used SWIFT credentials swiped from a bank employee to modify transaction details, including sums and recipients, for 12 transfers amounting to over $12 million. The security of SWIFT itself was not breached, but hackers used advanced malware to steal credentials and cover their tracks.
The crime remained a secret for a long time, Reuters and The Wall Street Journal report, but BDA decided to sue Wells Fargo, the bank that approved the transfers. It turns out that SWIFT had no idea about the security breach, as neither BDA nor Wells Fargo shared details about it with the Belgian body that oversees wire transfers.
SWIFT is urging partner banks to disclose similar attacks so that better defenses can be set up. But what’s clear so far is that hackers have found ways to take advantage of this secure money transfer system that banks take for granted. And financial institutions are helping them by not disclosing hacks to SWIFT or to other banks.
If a wire comes through via the SWIFT messaging system, banks act according to the information received and honor the transfer. That’s what Wells Fargo is arguing in its defense, which seeks to have the case dismissed. BDA, meanwhile, says that Wells Fargo should have seen the flags and stopped the transactions.