Cyber-attacks are common news in this era; you’re more likely to take a hit online than be mugged in the street. What makes this story interesting is the lengths and preparation that were put into this heist (like any good film) and how it uncovered a weakness in a payment system that moves millions of payments around every day.
James Richardson, head of market development for fraud and risk, dives into the details of this heist and answers the questions that are on everyone’s lips.
Rich Williams: Gone are the days where you need 11 people and a Las Vegas casino to pull off a large heist. Now everything you need to get cash from a bank into your hands can be done by sitting behind a computer. I’m Rich Williams, host of the Payments Podcast. In this episode we ask how in 2016 a mysterious fraud syndicate were able to steal $80m from Bangladesh Central Bank and uncovered a weakness in a payment system that moves millions in transactions every day. Not only that, but they managed to get away with it.
Today I have with me James Richardson, head of market development for fraud and risk at Bottomline Technologies. Hello James.
James Richardson: Hi Rich.
Rich Williams: James, it really was one of the biggest heists of its kind, sending the media into an absolute frenzy. So I think before we begin, it’s important for us to understand how the hackers managed to infiltrate the Bangladesh Bank, and not only managed to successfully move $80m but to not get caught in the process.
James Richardson: Absolutely. If you look at actually what’s happened, and we’ll go into how in a moment, this is a highly customised cyber fraud. There are no two ways about it. This isn’t something that an organisation would have considered for a month. This would have taken a significant amount of time to plan and then execute, and you have to, if I use these words, applaud the execution of the fraudsters as to how they went about this.
You’re not talking about an organisation that goes in guns blazing into a bank. Those guys are gone. This was looking at how you can exploit the weaknesses of a central bank, and in this case the Bangladeshi Central Bank.
So how they started off. Well, it’s believed that this was using malware that was most likely from an e-mail that went to an employee, and its purpose was very specific. I used the word ‘highly customised’ earlier and I would keep using that. It was customised to understand what printers the organisations were using. It was customised to understand what SWIFT connectivity and local infrastructure they are using, but it started with this malware. It started with an employee opening something that perhaps they shouldn’t have.
And then it was just a question of timing. It was waiting for the very specific moment that these fraudsters wanted to execute the frauds, and they waited for a very specific weekend around the 4th February 2016, deliberately because it was around a long weekend.
The frauds themselves would have involved sending requests to withdraw funds from New York and send them on to the Philippines and Sri Lanka. The malware itself, as I mentioned earlier, would have stopped the printer from working and it kept the fraudsters hidden, which is exactly what they’re interested in doing.
Rich Williams: The initial reports mentioned that the fraudsters tried to move more than $1bn. Is that correct?
James Richardson: Absolutely. $1bn fraud heist, so the fraudsters had a bad day. They went for $1bn and they only managed to get $80m. But when you look at that in the context of what they’ve done, that was largely successful, I would imagine, from their perspective. But it was the $1bn they were going after, you’re right, and it was caught thanks to a diligent Deutsche Bank clerk who picked up a spelling mistake on the account name on one of the transfers that were being pushed through.
So the queries that were sent to the bank weren’t picked up because of it being a weekend, and the malware that was deployed in the organisation deleted incoming SWIFT messages which then stopped confirmations that then went to the printer.
Rich Williams: So when did the bank actually realise what had happened?
James Richardson: So the Bangladeshi Central Bank realised this on the Saturday. They noticed SWIFT messages had stopped. They sent requests asking for payments to be stopped at that point. It’s a Saturday. That’s the weekend for the New York Fed, and the messages that they had sent were sent as normal rather than urgent, so it was just caught up in all the normal correspondence that goes through in the SWIFT messaging system.
Rich Williams: And was RCBC, the recipient bank in the Philippines, not suspicious that all the money was being sent to accounts that had been dormant for months?
James Richardson: Well, I think they claim for fair reasons that they had no reason to be suspicious. But let’s focus on the facts: they ignored the messages and continued to move the money around, and most of it went into Philippine casinos, which according to current laws that are out there are quite lax, and they just didn’t have to report large deposits like these.
Rich Williams: So the hackers compromised the SWIFT payment system. Is that correct?
James Richardson: Actually no, and it’s really important to explain the differentiation here. So what was compromised was the local environment belonging to the Bank of Bangladesh. What wasn’t compromised was the SWIFT network itself, so it was legitimate and also fraudulent messages that originated from the Central Bank that went through into the SWIFT network.
Rich Williams: James, this is quite a sensitive question, but do you feel that fault or blame lies in any one particular area or with any one particular organisation?
James Richardson: I think that is a tough question to answer. If you look at the facts, it was the Central Bank of Bangladesh that have lost cash, right? And clearly that’s going to be pain felt across the organisation, and as ever in a situation like this, all parties are going to be pointing towards each other saying, “What could you have done differently to avoid the issue happening in the first place?”
I think if you look at the Bangladesh Central Bank, we know that there were some security controls that could have perhaps been implemented that may have helped in this process. For sure that’s kind of widely discussed.
I think also if you look at, say, SWIFT off the back of this, this was largely perceived as the moment that helped launch the Customer Security Programme, and that we’re kind of nearly two years into this initiative now and as a result of this cyber fraud that we’ve been talking through today, the whole of the SWIFT community have to declare that they have improved their security controls across the organisation by December of this year.
So I think you look at different areas and you can see how the industry is moving on and has adapted, and I think the lesson really is this could have happened to any bank frankly. It was that this particular organisation may have been identified for certain weaker controls; however the fraudsters identified them. But I think what’s important is for all banks to learn the very harsh lesson, and we’ve seen more of this happen ever since.
Rich Williams: Did the Bangladeshi Central Bank manage to recoup any of the losses as a result of this sophisticated cyber-attack?
James Richardson: So no. I think they’ve currently been unable to get some of that money back from what we’re aware of. They are still trying to get around $15m which has been left in the casinos, but the rest has gone.
I think it just goes to show with any organisation, irrespective of whether you’re a corporate or whether you are a bank or whoever you are, if you’re able to lose such a large amount of money then what are the chances of recovery? You think about the payment landscape that we live in now. It’s about immediate payments. It’s faster payments in the UK. It’s instant payments elsewhere in the world, but once it’s gone it’s gone.
So what’s important, what’s critical from a lessons-learned perspective, is making sure that you have prevention upfront before the money goes out the door, before the money goes into payment networks.
Rich Williams: Do you think we’ll ever see anything similar or even on the same scale as this at some point in the future?
James Richardson: I think absolutely we will. Why do I say that? I think that we are seeing across the industry the action from banks and corporates actually in helping raise their defences when it comes to payment security, but not everywhere.
I think you've got to ask yourself, if you’re implementing security defences to help protect your money based on an event from two years ago, are you really staying ahead of the fraudsters? Are you really thinking about the frauds that are likely? Your weakest points as an organisation, are you really thinking about what those are now and implementing the right level of defences that match the frauds that are really emerging in today’s world?
So absolutely I think we’re going to see more, and we have seen more. We’ve seen more since this publicised story of the Bank of Bangladesh. We’ve seen at least a dozen stories this year alone, and all of them are above $10m.
I do wonder actually whether we’re just being desensitised to it. We’re seeing them so often, so frequently, the numbers are so big, the frequencies so much. Are organisations actually taking action?
Rich Williams: And are there any specific recent examples that you can give us James?
James Richardson: Yes, absolutely. If you take India’s Cosmos Bank, they lost just over $15m, a very similar cyber-attack, not to the same scale as the story that we’ve been talking through today and perhaps not through exactly the same ins into the organisation. But $15m is still a large amount of money, and remember of course that eight months before this reported incident, which is fairly recent, that Cosmos Bank were also hit with three fraudulent remittances that came up to nearly $2m, and that went through the SWIFT messaging network.
Rich Williams: Thanks James for your insight into those questions today. So I think all of this begs the question, why are banks and organisations not learning from this and still falling victim to such attacks?
James Richardson: It’s a good question. Again, I think the answer is they probably are, but very slowly. I think it’s everyone’s job across the industry, whether you’re a challenger bank, you’re a large tier one bank or not, you know, it doesn’t matter who you are, whether you’re a corporate, and I’ll throw that into the mix, you’ve got to learn from this. And whilst I think a lot of the frauds that we’ve seen, geographically they’ve been spread in similar areas, that’s just because it’s the weakest link of the chain today.
What I’m hoping to see is that organisations wake up, they implement the right levels of controls, they implement the right level of leading technology that’s going to defend themselves properly and they provide quality education for their staff to challenge payments that just don’t feel right. And frankly look at the fraudulent attempts that are taking place today, and that is your start point for looking at what your controls need to be. If you’re looking at things from a few years ago, you’re looking at the wrong start point.
Rich Williams: So I think this really goes to show that nobody can afford to just sit back and wait to become a victim of cyber fraud, and actually it’s very easy to not recognise those weaknesses and threats until you’ve actually been hit by something like this. James, thank you very much for your time today and thank you all for listening to the Payments Podcast. Please be sure to check out some of our other episodes, and we’ll be seeing you very soon.