‘CEO fraud’ and Bangladesh Bank
IN a surreal digital theft that befits a high-octane movie thriller, we were recently informed of the daring heist at Bangladesh Bank in which nearly a billion dollars were siphoned off last month.
As if this were not enough, the theft took place over several days in early February through a series of about three dozen electronic fund transfers from the bank to the New York Federal Reserve, for a total amount somewhere between $850 million and $870 million.
The entire looted amount, moved through dozens of transfers, would have been cashed had it not been for a spelling error in a $20 million check made out to a Sri Lankan NGO. The error prompted the routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction. But the mystery hackers still managed to swipe $80 million, one of the largest recorded bank thefts in history.
The news made headlines in the foreign press, particularly in the UK and the US, but what seemed to puzzle everyone even more than the massive pilferage of funds from a central bank was how a spelling error had stopped a bank heist.
The news highlighted the ability of a spelling error to stop an attempted digital robbery. It was only through further investigation that news agencies learned of the successful transfer of at least $80 million to the Philippines. All major news agencies referred to this latest heist as another instance of CEO fraud, a growing threat to the world's financial institutions that has cost $2 billion globally in the last two years.
So what actually is CEO fraud, and how does the attack work? The scam is called CEO fraud because the perpetrator or perpetrators pose electronically as the chief executive or a senior financial official of the institution they are targeting.
To pull it off successfully, an attacker needs a great deal of information about the target company, much of it about the hierarchical structure of the company or institution. They need to know whom they will be impersonating.
Although this type of scam is known as “CEO fraud”, in reality it targets anyone with a senior role — anyone who would be able to initiate payments. The attackers need to know these people's names and email addresses. It also helps them to know their schedules, and when they will be travelling or on vacation.
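The impersonation described above leaves traces in an email's headers: a display name that matches a senior official but an address that does not, a Reply-To that diverts replies elsewhere, and payment or urgency language. The following screening function is an added illustration of such a defensive check, not code from the article or from Bangladesh Bank; the organisation domain, the directory of officials and the sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of senior officials for a hypothetical institution.
SENIOR_OFFICIALS = {
    "jane doe": "jane.doe@example-bank.test",      # chief executive
    "r. ahmed": "r.ahmed@example-bank.test",       # chief financial officer
}
# Words typical of CEO-fraud requests; used only to raise the severity.
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|urgent|confidential)\b", re.I)


def normalise(name):
    """Lower-case a display name and drop punctuation other than dots."""
    return re.sub(r"[^a-z. ]", "", name.lower()).strip()


def screen_message(raw):
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    key = normalise(name)
    # Display name belongs to a senior official but the address is not theirs.
    if key in SENIOR_OFFICIALS and addr.lower() != SENIOR_OFFICIALS[key]:
        reasons.append(f"display name '{name}' matches a senior official but address is {addr}")
    # Replies are silently redirected to a different domain.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append(f"Reply-To {reply_to} points outside the sender's domain")
    # Payment or urgency language only matters once impersonation is suspected.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if reasons and PAYMENT_WORDS.search(msg.get("Subject", "") + " " + body):
        reasons.append("payment or urgency language present")
    return reasons


# Constructed sample: spoofed display name, lookalike domain, external Reply-To.
IMPERSONATION = """From: Jane Doe <jane.doe@example-bank-secure.test>
Reply-To: jdoe.ceo@webmail.test
Subject: Urgent wire transfer
Content-Type: text/plain

Please process the payment today; I am travelling and cannot be reached.
"""
# Constructed sample: genuine internal message from the same official.
LEGITIMATE = """From: Jane Doe <jane.doe@example-bank.test>
Subject: Board minutes
Content-Type: text/plain

Attached are the minutes from Tuesday.
"""
```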
Experts say the criminals managed to breach Bangladesh Bank systems and stole the credentials of its senior officials for online payment transfers. (The Federal Reserve of New York stated that the transfers had valid digital credentials of Bangladesh Bank.)
Frauds and scams targeting corporations and financial institutions have happened before, but this is probably the first time a central bank has been successfully targeted.
The most sobering aspect of the heist is that what stopped the robbery from succeeding in its entirety was, in effect, divine intervention in the form of a spelling error. It saved the bank much of the heist amount, and the bank could possibly recover some of the eighty million dollars that got away. It is also possible that, with the help of the international cybersecurity experts the bank has engaged, the source of the breach can be identified and corrections made to the bank’s systems to prevent future breaches.
But the most unsettling part is that the bank apparently revealed the breach and heist to the government only a month after its occurrence. There may be a defence of some kind for this delay, but it would be ludicrous to assume that the bank authorities chose to go hush-hush lest the news adversely affect the financial market.
A serious crime of this magnitude is not a paltry burglary in a government office that may not warrant waking up the minister at night to report it to him. It is a major incident of financial loss, not just to the bank but to the country whose finances the bank guards. Keeping the news hidden from the government is like a house guard concealing a theft in the house from his master.
The original hacking of Bangladesh Bank happened between Feb 4 and 5 when the bank’s offices were shut. Security experts said the perpetrators had deep knowledge of the Bangladeshi institution’s internal workings, likely gained by spying on bank workers.
This is not to say that bank employees were complicit; CEO fraud, as noted earlier, does not necessarily require the direct assistance of the institution's employees. The perpetrators need only watch the workers closely.
Perhaps in time we will get to the bottom of this heist and find ways to prevent such occurrences in the future. But those measures will concern computer systems and digital security apparatus. What they will not do is change the human guards who watch over our institutions, their behaviour, and how they decide to react responsibly in a crisis and own up to mistakes. That requires training and a change of management of a different kind: one of accountability, leadership and the courage to take responsibility for mistakes.
The Daily Star / Bangladesh
Published in Dawn, March 16th, 2016