A typo by hackers resulted in the theft of a mere $80 million instead of $1 billion from the Bangladesh central bank back in February. But what is more worrying is the way that the hackers gained access. Investigators have discovered that the bank had no firewall and were using cheap second-hand routers that cost $10 to connect to global financial networks. The head of the bank resigned and the Finance Minister has called the bank’s approach to cyber security “very incompetent”.
The lack of sophisticated equipment also will make it more difficult for investigators to figure out exactly what happened as there will be a lack of information logging on the devices. And it also means that there would not have been network segmentation, meaning once the hackers had access, they had access to everything instead of just one part of the network. Good network security involves segmenting the network into working areas (think POS, Administration/Management, Guest Network, etc). And of course, good network security also involves the use of a firewall.
FireEye, the security firm helping investigate the theft, believes that malware with keystroke capabilities was covertly installed and in the bank systems for several days before the theft occurred. The thieves were able to gather operational data and steal codes that allowed them to process transactions but a spelling error in one of the transactions lead the theft to be discovered and stopped additional millions from going out the door to the thieves.
It is baffling that a bank that has access to billions of dollars would not invest in the most basic cyber security protections. SWIFT, the secure financial messaging service, whose service was used to transfer the funds but not directly breached, said that in response to the hack that they would be checking with banks to ensure they are implementing recommended security strategies. While SWIFT is able to recommend security practices, there is no organization with regulatory oversight to ensure that financial institutions are securing their computer networks.
While it was reported in late March that the Bangladesh central bank was considering legal action against the Federal Reserve Bank of New York, the new information that has surfaced about the lack of cyber security investment is bound to make that case a lot harder.
Modern banks need to realize that they can’t just invest all their security budgets in physical security. In today’s digitized and connected world, everyone needs to consider network security as well as physical security. Not having a firewall on a network is the physical equivalent of leaving the front door of the business open when no one is around. For a financial institution not to have basic cyber security protection in place is not only dangerous but also egregious.
And I can’t help but close with a great quote from the Head of the Bangladesh Police Forensics Training Institute.
It could be difficult to hack if there was a firewall.
Mohammad Shah Alam