Criminals in Bangladesh heist likely studied bank's inner workings
By Jim Finkle
BOSTON (Reuters) - The perpetrators of a $100 million digital heist at Bangladesh's central bank had deep knowledge of the institution's internal workings, likely gained by spying on bank workers, security experts said.
Unknown hackers breached Bangladesh Bank in early February, stole credentials for payment transfers and then ordered transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank, according to Bangladesh Bank officials.
Bangladesh government officials blamed the Fed for the attack when they disclosed the loss. The New York Fed responded on Tuesday saying there was no evidence its systems were compromised in the attack, one of the biggest bank thefts in history.
The Fed said it followed normal procedures when responding to requests that appeared to be from Bangladesh Bank, which were made and authenticated over SWIFT. Belgian-based SWIFT, a member-owned cooperative that banks use for account transfer requests and other secure messages, declined to comment on specifics of the case.
Security experts said that to pull off the attack, cyber criminals had to first gather information about Bangladesh Bank's procedures for ordering transfers, so that the fraudulent requests would not raise red flags.
In addition to stealing credentials for processing transfers, the hackers likely spied on Bangladesh Bank staff to get a deep understanding of the central bank's operations, according to experts in banking fraud.
Kayvan Alikhani, a senior director with security firm RSA, said that in addition to user names and passwords for accessing SWIFT, the hackers likely needed to obtain cryptographic keys that authenticated the senders.
Such certificates can be copied and used by impostors if they are not properly secured, he said.