Cybercriminals recently attempted to make fraudulent transfers of money totaling nearly a billion dollars out of the Bangladesh Central Bank's account at the Federal Reserve Bank of New York. While most of the payments were detected as problematic and, therefore, blocked, approximately $81 million was successfully stolen – transferred to accounts in the Philippines from which it was funneled through local casinos.
A report from BAE Systems indicates that the crooks likely hacked not only into the bank but also into SWIFT, the international money transfer platform jointly owned by 3,000 financial institutions. SWIFT confirmed this week that it was aware of an ongoing malware attack targeting its infrastructure via its client software, and issued a special warning urging financial institutions to be especially vigilant.
What is fascinating, however, is not just how significant the Bangladesh theft is becoming on a global scale, but how poor the bank’s information security apparently was at the time of the breach. According to an investigator at the bank, the bank was especially vulnerable because it both lacked firewalls and used second-hand, inexpensive switches to connect computers to the SWIFT global payment network.
You read that correctly: No firewalls. $10 used switches. To protect systems connected to a global funds transfer network.
The aforementioned two security weaknesses obviously put the bank at risk by making it much easier for hackers to break into the bank and attempt to make fraudulent money transfers using the bank’s SWIFT credentials – something that may end up putting people all over the world at risk as well.
This episode raises an important question: Would you have thought that a bank handling billions of dollars could be operating without well-configured firewalls – never mind without necessary firewalls altogether?
There is a tremendous lesson to be learned: Don’t assume anything when it comes to information security.