“The trend is moving from opportunistic crime to Hollywood-scale attacks.” — Adrian Nish of the Cyberthreat Intelligence team at BAE Systems referring to recent attacks on bank computers

Three daring digital attacks on banks across the globe during the course of a little more than a year have woken up top officials from complacence and near slumber. The modus operandi seemed similar, borrowing from Ocean’s Eleven, the famous 2001 movie, in which a convict, immediately on release from prison, organises a gang to break into the systems of three casinos in Las Vegas.

Although the film — the first of an inimitable trilogy — was a comedy par excellence, we cannot be amused that the underworld could learn so effectively from it and execute plans, proving to be a nightmare to security experts, both in law enforcement and in financial institutions.

Well worked out

Of the three attacks now known widely across the banking sector, the one that has been most exhaustively reported by the international media took place in February this year in neighbouring Bangladesh.

The country’s central bank lost about $81 million due to the ingenuity and skill displayed by criminals (till now unidentified) who compromised the bank’s links to SWIFT (Society for Worldwide Interbank Financial Telecommunication) and issued 35 instructions transferring funds (amounting to $951 million) mainly to the Philippines and Sri Lanka. It is said that casinos in the former were the main beneficiaries.

The money involved was transferred from the Bangladesh bank’s account with the New York Federal Reserve Bank. When the latter got suspicious about the instruction seeking transfer of such a mind-boggling amount, it tried to contact officials in Dhaka, but with little success because it was a weekend there, and no one was available to clarify matters. As a result, the NY Federal Reserve Bank, after complying with five of the instructions, put the remaining 30 on hold. This prudence helped stave off a major disaster. It was obvious that the gang behind the fraud had done its homework and struck at the most opportune moment, when bank vigil was at its lowest.

Other victims

The Bangladesh episode was closely followed by a similar attack on a bank in Vietnam, the latest of the reported heists. It has now come to light that another victim under similar circumstances — it happened a year ago — was Banco del Austro of Ecuador, which lost $12 million through illegal transfers to banks in New York, Los Angeles, Dubai and Hong Kong.

According to an analysis, the gangs involved in all these attacks, possibly working separately, created malware to circumvent the local bank’s security system and thereafter gained access to the SWIFT messaging system, from where they had fraudulent cash transfer instructions sent to the large bank (NY Federal Reserve Bank) where the smaller local bank (Bangladesh Central Bank) had an account. Thus, total outsiders managed to gain illegal access to the SWIFT network, even though such access was restricted to banks and other financial institutions that had subscribed to SWIFT. (It is believed that SWIFT has a membership of about 10,000 spread across 200-odd countries.)

While SWIFT itself was not directly attacked, crooks were able to enter its messaging system because of the laxity of a few member institutions. As is commonly known, any organisation or system — digital or otherwise — can only be as strong as its weakest link. This is true with regard to SWIFT as well. Here, it has been established that some slack organisations such as the Bangladesh Central Bank, by being negligent in securing their online systems, unwittingly provided fodder to international gangs ever on the prowl to make a quick buck.

Cyber security experts must be intrigued as to how such digital attacks take place despite all the technological advances made by this discipline over the years. This is analogous to the continued worries of public officials over breaches reported now and then in the areas of dignitary protection and aviation security. Plane crashes and assassinations of VIPs continue to take place, despite several measures taken by experts and officials.

Creative solutions

We must remember that there is no way we can be totally rid of such incidents. But we can certainly reduce their frequency and intensity through imaginative planning and precautions.

One way is to study each failure in depth and learn from the mistakes made. While SWIFT itself has gone into the recent mishap with a great sense of responsibility, the Bangladesh Police and BAE Systems — Britain’s famous defence contractor — have also come out with their findings. The consensus is that the Bangladesh bank had provided poor firewall protection to its computers and employed a used switch worth just $10. The hackers gained access to the Alliance Access Server meant only for member banks to establish connection to SWIFT’s messaging platform. Also, they targeted the PDF reader used by the Bangladesh bank to confirm payments.

This indicated intimate knowledge of the bank’s internal practices, something which raises suspicion of collusion by bank insiders. The loyalty of some of the latter had obviously been subverted through monetary rewards. The hackers also manipulated the printer at the bank, as a result of which the irregular transfers from the NY Federal Reserve Bank account did not figure in the printouts scrutinised regularly by the bank to make sure its instructions to the New York bank had been complied with.

Although the malware used was custom-built to sustain the operation against the Bangladesh bank, experts fear the same could be used again, elsewhere in the world. This is why it is critical to take several protective measures. It is believed that deploying multiple firewalls and isolating the machines used to interface with SWIFT, by positioning them in cordoned-off sections of a bank, could greatly reduce unauthorised access and the opportunity to introduce malware.

Ultimately, there is no substitute for a constant lookout for disloyal elements within a bank. Attention to social engineering gaps should at the same time complement technology. There is now a very porous system that one can hardly rely on. This is why concerns over computer security and its loopholes will continue to haunt top bank managers.

The writer is a former CBI director who is currently Corporate Security Adviser with Tata Consultancy Services Ltd
