Bank robbery used to be a very simple affair. All you needed were a few fast horses, a handful of men or women who were quick on the draw, and some black hats and bandanas to hide behind. Since these attacks were purely physical, banks had simple defenses. Strong vaults and locks kept the money relatively safe. In today’s world of digital wire transfers, real-time trading, global financial markets and online payment systems, the rules have changed significantly. Building physical or virtual walls around valuable assets no longer guarantees that criminals are kept out.
This is made clear by the recent hack of the central bank of Bangladesh, which nearly resulted in over $1 billion being siphoned out of the country’s accounts. This attack had likely been going on for several years and was only discovered when a spelling error by the cybercriminals in one of the transactions triggered suspicion. While the Federal Reserve Bank of New York, where Bangladesh Bank has a current account for international settlements, blocked most of the transfers, about $81 million ended up in the Philippines, where it will likely go unrecovered after transfers to casinos and offshore gambling sites around the world.1 It still remains unclear how the culprits got into the country’s central bank, or how they were able to manipulate wire transfers using the central bank’s Society for Worldwide Interbank Financial Telecommunication (SWIFT) accounts with banks in the U.S. What’s clear is that the attack was both highly sophisticated and complex. After all, the SWIFT system is considered to be one of the most secure systems in the world, with end-to-end encryption and dedicated communication channels.2 And instead at the end of that paragraph add: And it looks like this is likely not the end, as several similar hacks involving SWIFT are just now surfacing.
It’s not the first time this type of advanced persistent threat (APT) has hit the banking industry. In 2014, the Carbanak hack infiltrated upwards of 100 institutions across 30 countries and resulted in nearly $1 billion in losses. Like the Bangladeshi attack, the Carbanak attackers were slow, methodical, and patient. It’s estimated that they spent an average of six months inside each victimized bank. They used malware and email phishing attacks on targeted employees to gain access to their workstations. Once inside, they methodically escalated user credentials, infecting hundreds of machines, ultimately working their way to the payment administrators. They also exploited computer video cameras and microphones to watch clerks’ screens and work habits so they could be mimicked to reduce suspicion. Once in, they inflated account balances and siphoned off the surpluses, infiltrated ATM systems and forced them to dispense cash to mules, and leveraged online banking and e-payment systems to transfer funds.3 The Bangladeshi hackers seem to have used similar techniques, but they went even further and erased the transfers they initiated in order to hide their tracks.4
The level of sophistication of these hacks make it clear that fortifying banks and other critical infrastructures with hardened firewalls and malware scanners can no longer be the first and only line of defense. Financial institutions should take a more holistic view of data security requirements. Those can be managed by a comprehensive information lifecycle governance framework that includes clear roles and responsibilities, geographic compliance requirements, asset inventory and reporting, data classification and handling, and next-generation technical solutions, such as network analytics and risk fusion centers.
One key element of a solid information life-cycle governance framework is the identification of data flows inside and outside the organization, then mapping them to the organizational control environment. A risk assessment should then be conducted to identify control gaps, and an implementation road map should be developed to mitigate risks outside the organization’s risk appetite.
Cybersecurity is no longer an IT problem, solved with IT tools alone. It should be viewed and treated as a business problem addressed with business tools by the board, with a unified plan across the enterprise. Otherwise the bank robbers will continue riding off, uncaught, into the sunset with no trace left behind.
The opinions expressed are those of the author and do not necessarily reflect the views of AlixPartners, LLP, its affiliates, or any of its or their respective professionals or clients.
1 Bangladesh bank hackers fail in bid to net $1bn,” BBC.com, March 10, 2016, http://www.bbc.com/news/technology-35773061.
2 Michael Corkery, “Hackers’ $81 Million Sneak Attack on World Banking,” The New York Times, April 30, http://www.nytimes.com/2016/05/01/business/dealbook/hackers-81-million-s….
3 David E. Sanger and Nicole Perlroth, “Bank Hackers Steal Millions via Malware,” The New York Times, February 14, 2015, http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-….
4 Aaron Pressman, “Bangladesh Bank Hackers Infected Popular Messaging Program,” Fortune, April 26, 2016, http://fortune.com/2016/04/25/bangladesh-bank-hackers-messaging/.
David White is a director at AlixPartners LLP, where he advises clients on information governance, information security and privacy, and electronic discovery. He can be reached at firstname.lastname@example.org.