CLS Blue Sky Blog

PwC discusses Preventing the Next $100 Million Bank Robbery

Attackers last February reportedly stole $81 million from the Bangladesh Central Bank by obtaining and exploiting the bank’s credentials for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network.[1] The attack – one of the biggest bank robberies in history – exploited weaknesses in cyber, fraud, and possibly insider threat controls, illustrating the need for banks to combine financial crime risk areas that were previously either siloed, or at best tenuously connected.

Specifically, the attackers exploited cyber weaknesses by designing custom malware tailored to bypass controls and network logging systems used by the Bangladesh Central Bank. The attackers also bypassed fraud controls by using the Bangladesh Central Bank’s credentials to gain unauthorized access to the SWIFT network[2] and by setting up fraudulent bank accounts to receive and transfer the stolen funds. Finally, the attackers used detailed information about the Bangladesh Central Bank (including the brand of printer used by the bank) to commit the theft, suggesting that insiders may have cooperated with the attackers.

The attack is believed to be a part of a broader campaign targeting multiple banks, with banks in Vietnam and Ecuador experiencing similar incidents. Therefore, banks should be preparing for this type of attack and should become more vigilant for schemes targeting funds transfer systems. To do so, banks can focus on integrating (or better coordinating) their cybersecurity, anti-fraud, and insider threat management programs. This will provide a clearer view of the threat landscape, allow banks to better detect suspicious transactions, and help streamline investigations.

Additionally, banks should enhance their existing cyber, fraud, and insider threat controls to better detect and prevent similar attacks. First, banks should incorporate into their cyber controls a monitoring program for funds transfer systems, and review their cyber detection, prevention, and response practices to determine whether they are sufficient to counter similar attacks. Banks should also enhance their fraud programs by using behavioral analytics to detect suspicious activity and by more broadly applying customer due diligence policies. Finally, banks should mitigate insider threats by limiting the number of people with access to funds transfer systems to those who need to have such access.

This post analyzes the Bangladesh Central Bank attack and provides our advice on what banks should be doing now.

Background on the attack

On February 4th, attackers used stolen credentials to send a series of payment instructions over the SWIFT network. The attackers initially sent 35 payment instructions totaling $951 million, but the Federal Reserve Bank of New York (New York Fed) only processed five of the payments, totaling $101 million.[3] The New York Fed did not process the remaining payments because it was unable to reconfirm the instructions with the Bangladesh Central Bank.

Of the $101 million reported to have been transferred, the attackers were able to successfully launder $81 million through casinos in the Philippines. The attackers attempted to divert the other $20 million to Sri Lanka, but the funds were recovered after the Sri Lanka-based Pan Asia Bank flagged the funds transfer as suspicious.

Even though not all of the money made its way to the attackers’ hands, the attack is one of the most successful bank robberies of all time. The success of this scheme is due to a combination of factors: exploiting weaknesses in cyber, fraud, and possibly insider threat controls; detailed knowledge of how banks interact with funds transfer systems; malware tailored for the specific target (and therefore not likely to be detected by broad-release anti-malware programs); and access not just to the funds transfer systems themselves but also to detection and response mechanisms. These factors combine to create a formidable threat that seems to be gaining momentum – effectively targeting entire business processes instead of individual systems.
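As an added illustration of the monitoring and reconciliation the introduction recommends (this is not PwC's code, nor anything from a bank or from SWIFT), the gateway's own log of sent instructions is checked against a confirmation record the gateway host cannot alter, against the list of vetted beneficiaries, and against a velocity profile; the log entries, field names and thresholds are constructed for the example.

```python
"""Reconciling a funds-transfer gateway log against an independent record.
Added illustration with constructed data: not PwC's code nor any bank or
SWIFT software; field names and thresholds are assumptions for the example."""
from datetime import datetime

# Constructed: what the messaging gateway reports it sent on one evening.
GATEWAY_LOG = [
    {"ref": "TX001", "sent": "2016-02-04T20:05:00", "amount_usd": 5_000_000, "beneficiary": "ACCT-A"},
    {"ref": "TX002", "sent": "2016-02-04T20:10:00", "amount_usd": 20_000_000, "beneficiary": "ACCT-X"},
    {"ref": "TX003", "sent": "2016-02-04T20:12:00", "amount_usd": 25_000_000, "beneficiary": "ACCT-Y"},
    {"ref": "TX004", "sent": "2016-02-04T20:15:00", "amount_usd": 30_000_000, "beneficiary": "ACCT-X"},
    {"ref": "TX005", "sent": "2016-02-04T20:20:00", "amount_usd": 6_000_000, "beneficiary": "ACCT-B"},
    {"ref": "TX006", "sent": "2016-02-04T22:40:00", "amount_usd": 1_000_000, "beneficiary": "ACCT-A"},
]
# Constructed: references seen by a record the gateway host cannot alter
# (e.g. printed acknowledgements, or a log copy shipped off-host in real time).
CONFIRMATIONS = {"TX001", "TX005", "TX006"}
# Constructed: beneficiary accounts that have passed the bank's due diligence.
KNOWN_BENEFICIARIES = {"ACCT-A", "ACCT-B"}

def unconfirmed(gateway_log, confirmations):
    """Instructions the gateway sent but the independent record never saw.
    A non-empty result means the local confirmation path was suppressed."""
    return sorted(e["ref"] for e in gateway_log if e["ref"] not in confirmations)

def unknown_beneficiaries(gateway_log, known):
    """Instructions paying an account that has not been through due diligence."""
    return sorted(e["ref"] for e in gateway_log if e["beneficiary"] not in known)

def burst_alerts(gateway_log, window_minutes=60, max_count=5, max_total_usd=50_000_000):
    """Sliding-window velocity check: (ref, count, total) for each instruction
    whose trailing window exceeds the count or aggregate-value profile."""
    entries = sorted(gateway_log, key=lambda e: e["sent"])
    times = [datetime.fromisoformat(e["sent"]) for e in entries]
    alerts, start = [], 0
    for end, entry in enumerate(entries):
        while (times[end] - times[start]).total_seconds() > window_minutes * 60:
            start += 1  # drop entries that fell out of the trailing window
        window = entries[start:end + 1]
        total = sum(e["amount_usd"] for e in window)
        if len(window) > max_count or total > max_total_usd:
            alerts.append((entry["ref"], len(window), total))
    return alerts

if __name__ == "__main__":
    print("sent but unconfirmed:", unconfirmed(GATEWAY_LOG, CONFIRMATIONS))
    print("unvetted beneficiaries:", unknown_beneficiaries(GATEWAY_LOG, KNOWN_BENEFICIARIES))
    print("velocity alerts:", burst_alerts(GATEWAY_LOG))
```

The three checks overlap on the constructed data by design: an instruction that is both unconfirmed locally and paid to an unvetted account, inside a burst the profile does not allow, is the combined cyber, fraud and insider signal the integrated program is meant to surface.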

Further details of the attack include:

What banks should be doing

Banks should begin preparing for this threat, and not wait until they are attacked. As an initial step, we recommend that banks investigate their current environment – beyond just traditional security log analysis – to determine whether they have already been attacked, or even just targeted, by this scheme.

Banks should also prepare for additional attacks as this scheme adapts and as additional attackers attempt to replicate its success. To do so, banks cannot rely upon standardized, automated cybersecurity systems alone. Rather, banks should integrate cyber, fraud, and insider threat management into a centralized program. Additionally, banks can apply lessons learned from the attack to enhance their cyber, fraud, and insider threat programs.

We recommend banks take the following steps:

Integrating financial crime areas

Cyber risk measures

Anti-fraud measures

Insider threat measures

ENDNOTES

[1] SWIFT is a network used by the financial sector to transfer funds. Most international funds transfers are made through the SWIFT network.

[2] It is unclear how the attackers obtained Bangladesh Central Bank’s credentials. PwC’s Financial crimes observer, Fraud: Email compromise on the rise (February 2016) discusses various methods that attackers use to obtain credentials to access bank accounts and payment systems.

[3] The New York Fed maintains accounts for approximately 250 foreign central banks (including the Bangladesh Central Bank) and provides payment services for such banks.

[4] For additional information regarding data analytics, see PwC’s Financial crimes observer, Bank fraud: Old defenses won’t stop new threats (April 2016).

[5] For more advice on implementing a cohesive case management system, see the Financial crimes observer cited in note 4.

[6] For our recommendations on enhancing cybersecurity prevention, detection, and response practices, see PwC’s A closer look, Cyber: Think risk, not IT (April 2015).

[7] For additional information regarding behavioral analytics, see the Financial crimes observer cited in note 4.

[8] For our recommendations on enhancing KYC and customer due diligence programs, see PwC’s Financial crimes observer, AML: Who is your customer? FinCEN wants you to know (May 2016).

[9] For additional information regarding the use of social engineering to bypass authentication controls, see the Financial crimes observer cited in note 2.

[10] For additional information regarding fraud risk assessments, see the Financial crimes observer cited in note 4.

The preceding post comes to us from PwC. It is based on PwC’s Financial Crimes Observer that was published in June 2016 and is available here.
