
The Billion-Dollar Bank Job - ohaikbai
https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html
======
rishabhd
I have investigated multiple cyber incidents pertaining to SWIFT transfers,
including malware and insider collaboration. The ground reality at most
institutions is that their infrastructure is poorly designed and insecure
by default. In one of the banks I visited, the SWIFT AGS was on the same VLAN
as the rest of the network, including the admin's and receptionist's PCs. No EDR,
basic AV, no application-aware firewalls, no network baselining, improperly
configured AD events, a 2-month log retention period, lack of standardized OS
golden images, and pirated operating systems cracked using executables
downloaded from the internet. Worse, the AGS was managed through a PC accessible via
TeamViewer protected by a weak password. You may consider this an
isolated case, but on the ground, most banks only focus on CBS and security
takes a backseat, until something happens.
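
The segregation failures listed above (the AGS on the office VLAN, a remote-control tool on the management PC, two months of logs) are the kind of thing a short inventory audit catches before an auditor or an attacker does. The following is an added example and not code from the thread or from SWIFT; the hostnames, addresses, VLAN numbers, role labels, the list of remote-access tools and the 180-day dwell time are all constructed assumptions.

```python
"""Added example (not from the thread): audit a constructed host inventory for
the SWIFT-zone segregation failures described in the post above.  Hostnames,
addresses, VLAN numbers, roles and thresholds are all constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: these role labels mark hosts that belong in the SWIFT secure zone.
SWIFT_ROLES = {"swift-ags", "swift-saa"}
# Assumption: interactive remote-control tools that have no place on a
# SWIFT-zone host (TeamViewer is from the thread; the others are added).
REMOTE_ACCESS_TOOLS = {"teamviewer", "anydesk", "vnc"}


@dataclass
class Host:
    name: str
    ip: str            # address with prefix length, e.g. "10.0.1.5/24"
    vlan: int
    role: str
    software: set = field(default_factory=set)


def swift_hosts(hosts):
    return [h for h in hosts if h.role in SWIFT_ROLES]


def shared_segment_findings(hosts):
    """Triples (swift_host, other_host, how) where a SWIFT-zone host shares a
    VLAN or an IP subnet with a host outside the zone."""
    findings = []
    for s in swift_hosts(hosts):
        s_net = ipaddress.ip_interface(s.ip).network
        for h in hosts:
            if h.role in SWIFT_ROLES:
                continue
            if h.vlan == s.vlan:
                findings.append((s.name, h.name, "vlan"))
            elif ipaddress.ip_interface(h.ip).network == s_net:
                findings.append((s.name, h.name, "subnet"))
    return findings


def remote_access_findings(hosts):
    """(host, tool) for every remote-control tool installed in the SWIFT zone."""
    return [(h.name, t) for h in swift_hosts(hosts)
            for t in sorted(h.software) if t.lower() in REMOTE_ACCESS_TOOLS]


def uncovered_dwell_days(retention_days, dwell_days):
    """Days of an intrusion that have already rolled out of the logs by the
    time the incident is noticed (zero when retention covers the dwell time)."""
    return max(0, dwell_days - retention_days)


def audit(hosts, retention_days, dwell_days):
    return {
        "shared_segment": shared_segment_findings(hosts),
        "remote_access": remote_access_findings(hosts),
        "uncovered_dwell_days": uncovered_dwell_days(retention_days, dwell_days),
    }


# Constructed inventory modelled on the post: the AGS sits on the office VLAN
# next to a domain controller and the receptionist's PC, with TeamViewer on it.
FLAT_NETWORK = [
    Host("swift-ags01", "10.0.1.5/24", 10, "swift-ags", {"TeamViewer"}),
    Host("ad-dc01", "10.0.1.10/24", 10, "domain-controller"),
    Host("reception-pc", "10.0.1.57/24", 10, "workstation"),
    Host("hr-pc", "10.0.2.33/24", 20, "workstation"),
    Host("swift-saa01", "10.0.9.5/24", 90, "swift-saa"),
]

# Same estate after remediation: AGS moved into the SWIFT VLAN, TeamViewer removed.
SEGREGATED = [Host("swift-ags01", "10.0.9.6/24", 90, "swift-ags")] + FLAT_NETWORK[1:]

if __name__ == "__main__":
    for label, hosts in (("flat", FLAT_NETWORK), ("segregated", SEGREGATED)):
        # 60 days is the "2 month" retention from the post; a 180-day dwell
        # time is an assumption for illustration only.
        print(label, audit(hosts, retention_days=60, dwell_days=180))
```

The subnet check matters as much as the VLAN check: a host that is on a different VLAN but still routed into the SWIFT subnet with no filtering in between is just as exposed, and an inventory-only audit cannot see firewall rules, so treat a clean result as a starting point rather than proof of isolation.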

~~~
arca_vorago
You don't know how right you are about infrastructure in businesses. I've seen
the inside of hundreds of companies over the years... everything from 5-man
law firms to Fortune 500, and it was a rarity to see good infrastructure.

It's a management problem, but it's also a problem because the people
responsible aren't doing a good job convincing management. Which is why I
think engineers/sysadmins/devs who have the ambition should start getting MBAs
and going for the CTO/CIO position... which is the main executive position (if
it even exists) that is failing.

It's also why I'm working on my data science degree now. Execs don't like you,
they don't trust you, and they generally don't listen well... but they love
numbers and pretty graphs!

~~~
lovich
I mean, can you actually convince execs it's a good idea, no matter how
charismatic you are? As a citizen, an engineer, and a consumer I think
software and infrastructure security needs to be taken much more seriously due
to how much breaches hurt people.

But if I was an executive or shareholder? Why would I care? We've seen time
and time again how data breaches are just a blip in the stock price, the
government doesn't punish anyone for negligence, and if someone manages to
take serious money from you the government will go after them on your behalf.
Security is expensive, and the odds of you having a breach that actually hurts
you for more than a short period seem astronomically low.

We have more businesses saying they are shutting down or leaving the EU market
over the fact that they can't take user data without permission than we have
shutting down because they leaked all their users' data or let hackers in
through complete negligence of any modern security practices.

~~~
gruturo
> I mean, can you actually convince execs it's a good idea, no matter how
> charismatic you are? As a citizen, an engineer, and a consumer I think
> software and infrastructure security needs to be taken much more seriously
> due to how much breaches hurt people.

On SWIFT, yes, you can, thanks to their own reply to the Bangladesh incident:
a reasonably thorough set of security guidelines called CSP/CSCF (Customer
Security Programme/Customer Security Controls Framework), compliance with which
is now mandatory. Network isolation, 2-factor authentication, secure VDI for
access, physical access controls, log retention, it's all in there. It's the
perfect chance to get money and people from management and sanitize the situation.

Actually, if in May 2018 you don't already have a running project and resources
for compliance, you should be quite worried.

~~~
lifeisstillgood
Interesting - I got as far as here before hitting a login prompt:

[https://www2.swift.com/uhbonline/books/a2z/customer_security...](https://www2.swift.com/uhbonline/books/a2z/customer_security_programme.htm)

Is there an openly published version of this? It would be interesting to see
what best practice looked like.

~~~
gruturo
I found an openly accessible link which gives you at least an overview of each
of the security controls. Everything else is behind a login prompt, sorry.

[https://www.swift.com/myswift/customer-security-programme-cs...](https://www.swift.com/myswift/customer-security-programme-csp/security-controls?tl=en#topic-tabs-menu)

------
thinkloop
- Hackers gain access to Bangladesh's central bank computer network.

- Over months they quietly observe user activity and credentials,
incrementally escalating their privileges until they gain access to a
connected SWIFT server.

- The attackers wait for the optimal weekend, which included a national
holiday, so that central bankers would be least available and able to
communicate.

- On that weekend the attackers send a series of wires from Bangladesh, to
NY, to the Philippines, totalling nearly $1b.

- The attackers cover their tracks by deleting digital records on the
Bangladeshi systems and interfering with their printers.

- When the money arrives in the Philippines it is laundered through a complex
system of casinos involving Macau and North Korea.

- In the end "only" $81m was stolen, rather than $1b, because one of the
wires referenced an organization with the word "Jupiter" in its name, which by
dumb luck happened to be a word on an international blacklist due to a
completely unrelated company with a similar name that broke Iran sanctions,
triggering an investigation.

The main weakness seems to be that the Philippines does not enforce proper
KYC/AML and is therefore a haven for laundering - otherwise it would be
difficult to get the money to an actual human, even if SWIFT was coerced into
sending invalid transactions.

~~~
chatmasta
> one of the wires referenced an organization with the word "Jupiter" in its
> name, which by dumb luck happened to be a word on an international blacklist

Really makes you think about what you should name your company! Imagine trying
to start a Venmo competitor called "Jupiter Pay" and discovering mid-launch
that all your payments are delayed due to an opaque process. Sounds a lot like
the problems people have when they share a name with some terrorist and try to
board a plane.

~~~
frockington
Or, for the reverse use case, you could start a company with a blacklisted
name and get it whitelisted for your use case. Use that company for money
laundering, and flags may be skipped over and attributed to the company name.

------
chatmasta
I've read a few articles on this story, and this one was pretty good, until it
got to the North Korea attribution. Funny how FireEye is always around getting
paid while pointing the finger at the same group of belligerents... but sorry
no specifics, NDA and all that. (But of course the NDA doesn’t prevent the NYT
from broadcasting FireEye’s conclusion.)

FireEye's incentive is to deliver attribution, a "bad guy" for the breached
victim to shift the blame to. That's why major companies and governments hire
them after a breach; because they want answers, not necessarily the truth. If
FireEye said "sorry, we're not sure who did this," business would not go so
well for them.

Trouble is, _attribution is hard,_ and must be qualified by a degree of
certainty. FireEye _should be_ willing to say "we don't know" sometimes,
because that is often the truth! But monetary incentives obstruct their
ability and/or willingness to do so.

It's easy to find evidence when you don't know exactly what you're looking
for, everything could mean anything, and you’ll get paid for finding
something.

~~~
vuln
We saw this exact thing not too long ago with CrowdStrike and the DNC. One
thing that still baffles me is why the DNC chose a for-profit consultant
over the United States Government. I guess when it's a private company that
you are paying, you can control the narrative.

When your job is to hammer nails everything starts looking like a nail.

~~~
heartbreak
The United States government came to the same conclusion that CrowdStrike did
[0]. And the USG presumably is able to get over the "attribution is hard"
problem with HUMINT and SIGINT sources that FireEye and CrowdStrike do not
have.

[0]
[https://www.dni.gov/files/documents/ICA_2017_01.pdf](https://www.dni.gov/files/documents/ICA_2017_01.pdf)

------
walrus01
Perspective: I have worked as a consultant for South Asian mobile phone
carriers, in backbone network engineering.

Network security and IT security is incredibly lax and weak in Pakistan, India
and Bangladesh. It's an afterthought at best.

The people who are best qualified to implement real network+endpoint security
are not working for $21,000/year salaries in Dhaka, but have emigrated to the
USA/Canada/UK.

~~~
rishabhd
It is _the_ sad truth, unfortunately.

------
rectang
This is nothing compared to what the white-collar criminals at the top
levels of Wells Fargo managed to expropriate from their customers.

------
omegagemo
Do any folks here know which companies actually have adequate security
measures in place as an example? I have heard of a couple that went all out on
security, but who has an amount you would consider reasonable for their size
and situation?

------
thankthunk
I thought the story would be about an actual billion dollar bank job, not a
potential billion dollar bank job.

[https://en.wikipedia.org/wiki/Moldovan_bank_fraud_scandal](https://en.wikipedia.org/wiki/Moldovan_bank_fraud_scandal)

