News of the cyber heist of some $81m from the account of Bangladesh’s central bank at the New York Fed broke during the first Certificate in Digital Money course. It attracted much attention among students and even more from cyber-crime and digital banking followers worldwide–as a very visible example of just how fast and easily large sums of digital money can move; and how important (and difficult) effective risk management is, especially for central banks. A slew of articles speculated on how the crime was perpetrated, tracing the transfers through to accounts in a Filipino bank, from which substantial amounts were reportedly cashed out via a casino. Investigations have been underway in both countries, and heads have rolled, including the Governor of Bangladesh Bank and most recently the head of the Filipino Bank RCBC on the receiving side. The full details of how the crime was perpetrated have not been confirmed publicly (that I have seen, anyway), and there has been much ongoing speculation about each leg of the process:
–first, how the funds came to be transferred using SWIFT instructions from a central bank’s account to individual accounts, whether by insiders with access or hackers who managed illicit entry to protected systems;
–then, how at least part of the funds was cashed out without trace via casinos, which, unlike banks, are not subject to money laundering laws in the Philippines.
The controversy on the first leg deepened recently when Bangladeshi investigators alleged that weaknesses in SWIFT’s systems enabled the breach. The reputational threat prompted SWIFT this week to issue a rare public statement–as a policy, SWIFT normally does not comment directly on the business of its members–in which it angrily denied that its systems were at fault in any way, as opposed to the control environment in which the Bangladesh Bank controlled access. Bangladeshi investigators have affirmed their claim. To be credible, especially in the face of a denial from SWIFT, a global infrastructure entity which specializes in message and network integrity for its members, the claim would have to be made fully public.
If nothing else, the revelation of all the sordid details should aid global learning about risk management in this area: bank heists remain as inevitable in the cyber era as they have been in the cash era, but at least greater awareness of the threat and knowledge of the countermeasures should reduce the chances that the same type of theft can be successfully perpetrated twice.
By David Porteous