Posted April 5, 2016
One of the biggest heists in Bangladesh’s history was announced last month. And according to several news reports, it was the poor spelling of the cyber criminals that first alerted the bank to the fraud! Not exactly the headlines a high-tech bank wants to be making right now, and definitely a wake-up call to financial institutions worldwide. No one is safe from cybercrime.
Bangladesh’s central bank saw millions wiped from its foreign currency reserves, which it kept in an account with the Federal Reserve Bank of New York. Speculation is rife across the security world over just how the group managed to pull this off. Had it not been for the inadvertent typo, the losses, estimated at around $100 million, could have been far larger had the full volume of requested transactions been processed. Potential losses were estimated at closer to $1 billion.
According to media reports, the gang planned to route the money to several private accounts in Sri Lanka and the Philippines. This was one of their mistakes. The large volume of transactions going to private accounts rather than to other banks was flagged by the Federal Reserve Bank of New York at around the same time that Deutsche Bank, which was helping to route some of the transfers, apparently spotted a spelling mistake in one of the payment instructions.
By this time much of the money had already been transferred, with some laundered through casinos in the Philippines. Various news reports speculate that the group installed malware on the Bangladeshi bank’s systems, perhaps a remote access Trojan (RAT), to spy on transactions or steal account credentials. The method is not totally clear. What we do know is that the Federal Reserve Bank of New York was sufficiently convinced to treat these transactions as legitimate until the sheer volume started raising suspicions, which points to the criminals having obtained and used the credentials of a legitimate account.
It’s a little crazy that it apparently took something as basic as volume control and accurate spelling to detect such monumental fraud, particularly when solutions are available to detect this type of fraud no matter how legitimate the transactions appear.
Let’s speculate that the cyber criminals had intimate knowledge of the Bangladesh central bank’s transaction processes and had stolen live identity credentials so that they could effectively pose as legitimate bank workers. What the bank needed to do was authenticate who the ‘bank workers’ really were: look at their digital identity, how they transacted, and from what device and location, and make sure it was consistent with how its bank workers had transacted in the past.
This would most likely have alerted the bank to some high-risk behavior. The fraudsters were probably transacting from unusual locations, perhaps using proxies or a VPN connection to cloak their presence, and were almost certainly using different devices, potentially infected with malware. They may even have been part of a previously known fraud ring.
Perhaps too the fraudsters were using a RAT to piggyback on legitimate banking sessions. But had the bank looked deeper behind the transaction data, it might have unraveled a string of unusual attributes regarding devices, locations and behavior that did not tally with what it knew to be the trusted behavior of its own employees.
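To make the idea concrete, here is an added example of the kind of check described above. It is not code from the original post and not ThreatMetrix’s product; it is a small Python risk scorer that builds a per-operator baseline of devices, countries and beneficiary types from trusted history, then flags new transfers that depart from that baseline, come from a known proxy/VPN address, or exceed a count or value threshold in a trailing window. The transfers, the operator name, the device identifiers, the IP addresses, the proxy list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    ts: datetime
    operator: str          # bank employee whose credentials authorised the payment
    device_id: str         # workstation fingerprint (hypothetical identifier)
    src_ip: str            # address the instruction was submitted from
    country: str           # geolocation of src_ip
    beneficiary: str
    beneficiary_type: str  # "bank" or "private"
    amount_usd: float


# Constructed stand-in for a threat feed of anonymising proxy / VPN exit addresses.
KNOWN_PROXY_IPS = {"198.51.100.7", "198.51.100.8"}


def build_profile(history):
    """Per-operator baseline: devices, countries and beneficiary types seen in trusted history."""
    profile = defaultdict(lambda: {"devices": set(), "countries": set(), "beneficiary_types": set()})
    for tx in history:
        p = profile[tx.operator]
        p["devices"].add(tx.device_id)
        p["countries"].add(tx.country)
        p["beneficiary_types"].add(tx.beneficiary_type)
    return profile


def score_transfer(tx, profile, recent, window=timedelta(hours=1), max_count=4, max_sum=50e6):
    """Return the risk indicators raised by one transfer; an empty list means it matches the baseline."""
    reasons = []
    p = profile.get(tx.operator)
    if p is None:
        reasons.append("unknown operator")
    else:
        if tx.device_id not in p["devices"]:
            reasons.append("new device")
        if tx.country not in p["countries"]:
            reasons.append("new country")
        if tx.beneficiary_type not in p["beneficiary_types"]:
            reasons.append("unusual beneficiary type")
    if tx.src_ip in KNOWN_PROXY_IPS:
        reasons.append("proxy/VPN source")
    # Velocity: count and total value of this operator's transfers inside the trailing window.
    in_window = [r for r in recent if r.operator == tx.operator and timedelta(0) <= tx.ts - r.ts <= window]
    if len(in_window) + 1 > max_count:
        reasons.append("velocity: count")
    if sum(r.amount_usd for r in in_window) + tx.amount_usd > max_sum:
        reasons.append("velocity: amount")
    return reasons


def verdict(reasons):
    return "allow" if not reasons else "hold for manual review"


def evaluate(history, incoming):
    """Score incoming transfers in time order; returns (beneficiary, reasons) per transfer."""
    profile = build_profile(history)
    recent, results = [], []
    for tx in sorted(incoming, key=lambda t: t.ts):
        reasons = score_transfer(tx, profile, recent)
        results.append((tx.beneficiary, reasons))
        recent.append(tx)
    return results


# Constructed trusted history: one operator, one workstation, in-country, paying other banks.
HISTORY = [
    Transfer(datetime(2016, 1, 4, 10, 0), "op1", "D-100", "203.0.113.10", "BD", "bank-X", "bank", 2e6),
    Transfer(datetime(2016, 1, 5, 11, 0), "op1", "D-100", "203.0.113.10", "BD", "bank-Y", "bank", 3e6),
]

# Constructed incoming batch: one normal payment, then five large payments to private accounts
# submitted with the same credentials from an unknown device, a proxy address and a new country.
INCOMING = [
    Transfer(datetime(2016, 2, 4, 9, 0), "op1", "D-100", "203.0.113.10", "BD", "bank-X", "bank", 1.5e6),
] + [
    Transfer(datetime(2016, 2, 4, 23, 10 * i), "op1", "D-777", "198.51.100.7", "ZZ", f"private-{i}", "private", 20e6)
    for i in range(1, 6)
]

if __name__ == "__main__":
    for beneficiary, reasons in evaluate(HISTORY, INCOMING):
        print(f"{beneficiary:10} {verdict(reasons):24} {reasons}")
```

In the constructed batch the velocity rules alone, the volume control the page says the Federal Reserve Bank of New York relied on, only fire on the third transfer (value) and the fifth (count); the device, location, proxy and beneficiary checks fire on the very first off-baseline payment, which is the point being made above. A real deployment would replace the hypothetical device identifier with a proper device fingerprint, the constructed proxy set with a live IP reputation feed, and would tune the window and thresholds to the institution’s normal payment volumes.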
ThreatMetrix is able to bring exactly this kind of intelligence to transactions, drawing on the largest repository of anonymized digital identities in the world. These are made up of identity information, device intelligence, behavior analytics and known global threat information, in order to give financial institutions worldwide a clearer view of who their users really are. Trusted users are verified in real time and therefore experience virtually no friction. Fraudsters, on the other hand, need to watch their backs. This type of fraud could potentially have been detected the moment the first cyber criminal attempted his transfer, and might have saved the Bangladesh central bank a lot of heartache. And money!