Hackers made off with $80 million from Bangladesh’s central bank last month and nearly swiped $20m more but the alarm was raised just in time, according to reports.
It’s still unclear exactly how cyber-criminals breached the Bangladesh Bank’s systems, but according to two senior officials there, once inside they stole credentials allowing them to make payment transfers.
With those in hand, they then submitted a series of transfer requests to the New York Federal Reserve Bank over the course of a weekend in early February.
The New York Fed processed four of the three dozen requests, transferring a whopping $81m into accounts in the Philippines, according to Reuters.
The heist would have hit $1bn but a spelling mistake in the routing instructions raised the alarm and a fifth transfer of $20m was apparently stopped.
The New York Fed claimed its systems were not breached. The US authorities are understood to have offered to help the Bangladesh Bank find out what went wrong and recover the stolen funds.
FireEye’s Mandiant division is said to have been recruited to help with computer forensics in the case.
The hackers should have been stopped much sooner than they were, according to James Romer, EMEA chief security architect at SecureAuth.
“Organizations should strengthen their capabilities against cyber adversaries by layering adaptive authentication methods such as device recognition or analysis of the physical location of the user, which continually verify the true identity of the end user,” he argued.
“Not only will it maintain a simple user experience but it also makes any credentials, which have been stolen through a vulnerability such as this, ineffective when sold on or when used to access other sites by anyone other than the individual customer.”
Fidelis Cybersecurity CSO, Justin Harvey, claimed the case shows how important it is to protect powerful access credentials like the ones stolen.
“The financial services industry is one of the most regulated in the world, but that doesn’t mean it can’t be attacked by cyber-criminals. This latest hack is a clear reminder that compliance and adhering to banking regulations isn’t enough,” he added.
“Multi-layered security needs to be implemented, regularly updated and sophisticated monitoring solutions need to be in place to flag and – if necessary – quarantine suspicious behavior. At least the Federal Reserve Bank of New York’s provisions seemed to have saved the full £1bn from being stolen.”