
How Hackers Stole $100M from the New York Fed - jayess
http://www.zerohedge.com/news/2016-03-10/incredible-story-how-hackers-stole-100-million-new-york-fed
======
conductr
First job out of college was at JP Morgan treasury division. Was surprised
when working on the SWIFT system I had read so much about that it was literally
just a fax-to-TIFF system. Basically just an image viewer.

At the time, 10 years ago, we didn't even have the ability to parse or OCR the
images. I was really disappointed in how low tech this was, and how easy it
would have been to make it better.

Perhaps I only saw a piece of it, and it did have more going on. But I always
thought "what's preventing someone from faxing in a false trade?" We would
execute any trade that got faxed in if the letter head and account numbers
looked normal.

------
zhte415
Worked at a bank. Usually stayed late/came early/irregular hours. Therefore
had access code to the key safe, for confirming everyone put their keys in the
key safe.

But this was for front office and back office. Access to all keys. Small team,
10 people.

That's important.

Knew how much we had in the petty cash bank account. Usually around USD 40MM.
Liquidity usage, etc. Also had access to the cheque book (via key locked
cabinet), where via sealed internal mail, cash payment requests (cheque) were
sent to the banking department.

Speaking to a friend in the banking department, he remarked that whitelists of
authorised payment receivers were being introduced. Being introduced? "Sure,
if a payment request comes in, and it is authorised correctly (signature, in
case of cheques), we send it ASAP." "Do you telephone the signer to verify?
No." "Any transaction limits?" "No." This was 2005.

Could have walked away with USD 40MM - then fled rapidly to another country.
But didn't. Well, did go to another country.

2 factor authentication is essential, and whitelists too - a central bank
doesn't change their account number. The FED seems to have had neither.

------
markbnine
I find ZH amusing.. In some ways I think it's the anti hackers news.. Hyper
negative about the future.. Constant hate for new tech.. (Fear of skynet)..
The system is always rigged and the little guy will never succeed... Posts by
Right coast angry ex-traders.. The comments are inane...the cherry picked
stories out of left field but plausible. Etc. The one place the two sites do
often intersect is the fear and loathing of government surveillance.. I vote
to give ZH stories a fair shake...

~~~
jahmed
I read it every day. If only to contextualize the other news sources I read.
FWIW I throw in some infowars when something big happens so I can see how
certain segments will try to spin something.

------
JumpCrisscross
I tried corroborating the claim that the hackers were Chinese. Couldn't find a
reliable source. Anyone have anything? For future reference, Zero Hedge is a
low-quality source.

~~~
dang
It's a penalized site on HN, but this article was vouched for by established
users. If there's a more substantive article for this particular story, we can
change the URL, but so far the only other one we saw was merely about a
spelling mistake. Occasionally the low-quality source has the higher-quality
article.

~~~
jackgavigan
Reuters: [http://www.reuters.com/article/us-usa-fed-bangladesh-typo-in...](http://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC)

Bloomberg: [http://www.bloomberg.com/news/articles/2016-03-09/the-1-bill...](http://www.bloomberg.com/news/articles/2016-03-09/the-1-billion-plot-to-rob-fed-accounts-leads-to-manila-casinos)

~~~
tristanj
The zerohedge article has more information than either of those articles. It
uses those two as sources, plus some Philippine newspapers. Right now it gives
a fairly effective summary of the situation. Switching to either of those
would be a downgrade, in my opinion.

~~~
jackgavigan
The zerohedge article is misleading (e.g. "And yes, it does appear that
hackers managed to bypass the Fed's firewall") and lacks any semblance of
objectivity.

------
downandout
So SWIFT, the backbone of international monetary transfers, doesn't have some
sort of automated way to verify that requests are legitimate? It would seem to
me that once a request is received, the only secure thing to do would be to
send a hash of the request back to a known system belonging to the originator
to verify that the request was authorized.

If SWIFT security is really as bad as this incident seems to suggest, I'm
shocked that more fraudulent transfers don't occur.

~~~
trumpd
At least in consumer usage, SWIFT transfers are "push", not pull as you may be
used to with American ACH. So the concept of verifying a request doesn't make
sense.

It sort of sounds (from the public information) like the Bangladeshi bank's
credentials were compromised and used to make fraudulent transfer requests to
the NY Fed.

That's not really a problem with SWIFT. Arguably the NY Fed should have
flagged the requests as suspicious, but that's probably a best-effort kinda
thing.

------
gotchange
From the Filipino source here:

[http://business.inquirer.net/207742/100-m-laundering-via-ph-...](http://business.inquirer.net/207742/100-m-laundering-via-ph-banks-casinos-probed)

> a total of $100 million that was brought into the country’s banking system,
> sold to a black market foreign exchange broker, transferred to at least
> three large local casinos, sold back to the money broker and moved out to
> overseas accounts.

Here's how I think that this heist went and I am just speculating here based
solely on the info in the report:

- They first wired the money to multiple accounts of a secondary financial
institution (Remittance or FX business) which is characterized by heavy and
frequent transactions so as not to raise suspicions.

- They collected the money with the help of the facilitator in that
organization.

- They exchanged the dollars into pesos and likely in counterfeit bills at
very lucrative rates just to account for the risks hoping for more rewards
from the operation.

- They took the money and deposited it in the casinos for chips, settling
debts and laundering the money in the process.

- They traded the chips for authentic cash from the casinos and then went
back to their FX broker to exchange it back into USD.

- Finally, they reached out to their man at the FX/remittance business to
have the funds wired overseas to the final recipients and probably masked with
other legitimate transactions for better security for them.

~~~
21
Why would you mix a money stealing operation with a money counterfeiting one?
It doesn't make sense. And we are talking huge sums here, the fake money would
quickly show up everywhere in that area.

~~~
Tloewald
[https://en.m.wikipedia.org/wiki/Money_laundering](https://en.m.wikipedia.org/wiki/Money_laundering)

Having money in an account is useless as long as it can be traced to the
fraudulent transfer. So you move the money through a casino or any other large
scale cash flow, such as counterfeiting (buy fake money for cents in the fake
dollar and then sell it at a loss somewhere else)

------
kchoudhu
Oh my.

Treasury ops at banks live in fear of clients getting ripped off like this.
The liability is probably not the Fed's, but the reputation hit from large
value transfer fraud is enough that loss of client business is a very real
possibility.

Consider also that the Fed is also facing competition in the intra-government
"hold my cash" business from the Chinese, and this could be the first
reputational domino in a real geopolitical shift in how funds are held and
managed internationally.

~~~
ilostmykeys
Could it be Chinese hackers then?

~~~
kchoudhu
Given that most of the funds ended up in Hong Kong...

There's more at play here than Bangladesh getting ripped off.

------
tromp
Choice quote:

"In other words, the Fed was funding gamblers, only these were located in
Philippine casinos, not in the financial district. Ironically, that's
precisely what the Fed does, only it normally operates with gamblers operating
out of Manhattan's financial district."

------
at-fates-hands
The page this article is on is an exhibit A of how broken the internet has
become.

~~~
runeb
This is pretty much the only reason I still use Safari. The Read mode gives me
a clean article. Sad that it's become necessary really.

~~~
fsiefken
Firefox has a read-mode as well: [https://support.mozilla.org/en-US/kb/firefox-reader-view-clu...](https://support.mozilla.org/en-US/kb/firefox-reader-view-clutter-free-web-pages)

------
patrickk
Reminds me somewhat of this story, where a German guy suspects the New York
Fed is missing some of Germany's gold and won't come clean:

[http://www.bloomberg.com/news/features/2015-02-05/germany-s-...](http://www.bloomberg.com/news/features/2015-02-05/germany-s-gold-repatriation-activist-peter-boehringer-gets-results)

------
an_account
If the funds were sent to casinos, shouldn't the casinos have logs of what the
money was used for?

~~~
chatmasta
Have you ever been to a casino? You buy chips with cash, then you play with
the chips, then you cash the (remaining) chips in for cash. There is no
tracking of where each chip came from.

EDIT: Although maybe you're right, if the "gamblers" deposited funds to the
casino via wire, direct from the fed, and then exchanged them for chips. So
the casinos should presumably have some record of who came to claim that wire
in chips.

~~~
wlesieutre
I'm surprised they haven't started putting RFID tags in every chip so they can
track exactly how much each player spends at each game. Combined with proper
record keeping, if chips were ever stolen, you could flag them and make sure
they can't be redeemed for cash. Maybe in Vegas?

~~~
drone
Play craps? You'll cycle pretty much all of your chips, and chips you
throw to one side get replaced with chips from another side when making field
bets -- for example.

Typical player tracking is done through comp cards, where they account for
your buy-ins at the table, and buy out at the cashier.

~~~
jgalt212
OK, now try doing that with $100MM of chips.

------
imaginenore
I don't get how any of this could have happened. So many WTFs. Fraudulent bank
wires are reversible, even months after. And how in the world do they not
check who they send the money to?

~~~
eli
How does that work if the money is no longer at the destination account?

~~~
imaginenore
That becomes the destination bank's problem.

------
JackFr
Does the Fed make good on the lost money? As they can create it ex nihilo, it
literally costs them nothing to make Bangladesh whole.

------
karmacondon
I would be all for banning submissions from zerohedge.com outright. It's just
noise that makes it harder for me to skim headlines for actual content.

~~~
laxatives
This is probably an unpopular opinion, but I feel the same way about Vice. It's
not news, it's entertainment. And when you can't disambiguate the two, it's
fucking dangerous.

~~~
fiatmoney
"The News" exists as a genre because it is entertaining, and this has been
true literally since the inception of mass media with the printing press.

------
gjem97
Misleading headline, given the first line of the piece is "The story of the
theft of $100 million from the Bangladesh central bank"

~~~
Someone1234
Yeah the article's title is true but misleading.

They hacked the Bangladesh Central Bank, but stole money from the New York
Fed. It is even debatable if the NY Fed is even at fault given that the
hackers had legitimate credentials to make the transfer (the Bangladeshis are
arguing that the NY Fed is still responsible because they should have flagged
the Casinos as unusual and stopped it).

You'd think that with accounts as large as these they would have a "whitelist"
of valid accounts to transfer funds to, and some long convoluted process to
add additional whitelist entries.
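As an added illustration of the controls zhte415 and Someone1234 describe (a beneficiary whitelist that needs a "convoluted" process to extend, plus transaction limits and an out-of-band check of the signer), here is a small payment-request screen. It is example code written for this thread, not anything from SWIFT, the Fed or the article; the account names, approver names and dollar thresholds are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class BeneficiaryWhitelist:
    """Approved beneficiary accounts; adding one needs two different approvers."""
    approved: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # account -> approvers so far
    def propose(self, account: str, approver: str) -> bool:
        # Record one approval; the account goes live only on a second, distinct approver.
        signers = self.pending.setdefault(account, set())
        signers.add(approver)
        if len(signers) < 2:
            return False
        self.approved.add(account)
        del self.pending[account]
        return True

# Hypothetical thresholds (USD); the article gives no real limits.
SINGLE_LIMIT = 20_000_000  # above this, an out-of-band callback to the signer is required
DAILY_LIMIT = 50_000_000   # cumulative released amount per day

def screen(requests, whitelist, single_limit=SINGLE_LIMIT, daily_limit=DAILY_LIMIT):
    # Split requests into released refs and (ref, reasons) held for manual review.
    released, held, running = [], [], 0
    for r in requests:
        reasons = []
        if r["beneficiary"] not in whitelist.approved:
            reasons.append("beneficiary not whitelisted")
        if r["amount"] > single_limit and not r.get("callback_confirmed"):
            reasons.append("over single-transfer limit without callback")
        if running + r["amount"] > daily_limit:
            reasons.append("daily limit exceeded")
        if reasons:
            held.append((r["ref"], reasons))
        else:
            running += r["amount"]
            released.append(r["ref"])
    return released, held

# Constructed sample requests, not real transaction data.
SAMPLE_REQUESTS = [
    {"ref": "REQ-1", "beneficiary": "ACCT-SETTLEMENT-1", "amount": 5_000_000},
    {"ref": "REQ-2", "beneficiary": "ACCT-UNKNOWN-9", "amount": 20_000_000},
    {"ref": "REQ-3", "beneficiary": "ACCT-SETTLEMENT-1", "amount": 30_000_000},
    {"ref": "REQ-4", "beneficiary": "ACCT-SETTLEMENT-1", "amount": 30_000_000, "callback_confirmed": True},
    {"ref": "REQ-5", "beneficiary": "ACCT-SETTLEMENT-1", "amount": 20_000_000},
]

def demo():
    wl = BeneficiaryWhitelist()
    wl.propose("ACCT-SETTLEMENT-1", "ops-maker")    # first approval: still pending
    wl.propose("ACCT-SETTLEMENT-1", "ops-checker")  # second, distinct approver: active
    return screen(SAMPLE_REQUESTS, wl)
```

Only REQ-1 and REQ-4 are released; the unknown beneficiary, the unconfirmed large transfer and the request that breaches the daily total are all held with the reason attached, which is the audit trail a reviewer would want.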

~~~
CPLX
In the context of the New York Fed, transactions of tens of millions of
dollars, as in this example, are essentially tiny.

