
How a hacker's typo helped stop a billion dollar bank heist - pavornyoh
http://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC
======
dang
[https://news.ycombinator.com/item?id=11262177](https://news.ycombinator.com/item?id=11262177)

------
r0m4n0
I worked at a very large company that had an email virus move quickly through
the ranks...

The subject of the email was "Please see attached documens" in which a PDF was
attached that upon opening would hijack your email account and send the same.
Over the first day, I had about 100 emails from coworkers in my inbox. After
our "IT Security" team sent out an email claiming they stopped the threat, the
following day more emails came from coworkers that were a slight variant but
had more typos.

I still wonder what sort of breach occurred and whether our internal teams
performed a true investigation... obviously a foreign intrusion and they
managed to at least gain control of quite a few internal machines.

I still get a laugh out of using the same subject in an occasional email to
coworkers...

~~~
FlyingLawnmower
As someone totally ignorant in this space, how does opening a .PDF document
allow for email hijacking (assuming it was actually a PDF)?

I think I'm stuck at how code is able to execute when opening a document
inside a PDF viewer or something of the sort. Thanks for sharing your story!

~~~
CiPHPerCoder
Usually some variant of: The PDF file contains binary data somewhere within it
that will cause a particular PDF reader to misallocate memory. Because data
and code are jammed next to each other when you run a program, a clever memory
misallocation can be used to rewrite the program (the PDF reader) as it
executes in order to execute whatever malicious commands the author of said
PDF file intends.

The typical defenses against these attacks include:

* Exploit mitigation tools, such as EMET

* Writing applications to be more memory-safe

* Various other tactics, many of them disingenuous.
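The mechanism CiPHPerCoder sketches, shown as an added example in C that is not from this thread and not from any real PDF reader. The object format is a constructed toy (a 4-byte little-endian declared length followed by the payload, plus a 32-bit entry count for an object table), an assumption made for illustration. The first pair of functions shows a parser that trusts the declared length beside the hardened form that checks it; the second pair shows the allocation-size wraparound ("misallocation") variant beside its overflow-checked form. The sample inputs are constructed, and the vulnerable parser is only ever run on the well-formed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy object format for illustration (assumption, not PDF
 * syntax): a 4-byte little-endian declared length followed by the payload. */
#define FRAME_MAX 64
#define ENTRY_SIZE 16u   /* bytes per entry in the toy object table */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: trusts the declared length. If len exceeds FRAME_MAX the
 * memcpy writes past 'frame' on the stack; if it exceeds the bytes actually
 * present it reads past 'data'. This is the bug class described above.
 * Only ever called on the well-formed sample in this file. */
int parse_object_unsafe(const uint8_t *data, size_t data_len, uint8_t *out)
{
    uint8_t frame[FRAME_MAX];
    if (data_len < 4)
        return -1;
    uint32_t len = read_le32(data);
    memcpy(frame, data + 4, len);          /* no check of len at all */
    memcpy(out, frame, len);
    return (int)len;
}

/* Hardened: every length taken from the file is checked against what is
 * really present and against the destination buffer before any copy. */
int parse_object_safe(const uint8_t *data, size_t data_len,
                      uint8_t *out, size_t out_cap)
{
    if (data_len < 4)
        return -1;                         /* truncated header */
    uint32_t len = read_le32(data);
    if (len > data_len - 4)
        return -2;                         /* declares more than the file holds */
    if (len > out_cap)
        return -3;                         /* would overrun the caller's buffer */
    memcpy(out, data + 4, len);
    return (int)len;
}

/* "Misallocation" variant: an entry count read from the file, multiplied by
 * the entry size in 32-bit arithmetic, wraps. The reader then allocates a
 * tiny buffer and copies 'count' entries into it. */
uint32_t table_alloc_size_unsafe(uint32_t count)
{
    return count * ENTRY_SIZE;             /* wraps for count >= 0x10000000 */
}

/* Overflow-checked version: refuse counts whose product would not fit. */
int table_alloc_size_safe(uint32_t count, uint32_t *size_out)
{
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;
    *size_out = count * ENTRY_SIZE;
    return 0;
}

/* Constructed samples (not taken from any real file). */
static const uint8_t SAMPLE_GOOD[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
/* Declares 0xFFFFFFFF payload bytes but carries two. */
static const uint8_t SAMPLE_LYING[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b' };

/* Returns the number of failed checks; 0 means every case behaved. */
int self_check(void)
{
    int failures = 0;
    uint8_t out[FRAME_MAX];
    uint8_t big[4 + 100];
    uint32_t sz = 0;

    if (parse_object_unsafe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out) != 5) failures++;
    if (parse_object_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out, sizeof out) != 5) failures++;
    if (memcmp(out, "hello", 5) != 0) failures++;
    if (parse_object_safe(SAMPLE_LYING, sizeof SAMPLE_LYING, out, sizeof out) != -2) failures++;

    /* 100 real payload bytes, honestly declared, but the caller offers only 64. */
    memset(big, 'A', sizeof big);
    big[0] = 100; big[1] = big[2] = big[3] = 0;
    if (parse_object_safe(big, sizeof big, out, sizeof out) != -3) failures++;

    if (table_alloc_size_unsafe(0x10000001u) != 16u) failures++;   /* wrapped to 16 */
    if (table_alloc_size_safe(0x10000001u, &sz) != -1) failures++;
    if (table_alloc_size_safe(1000u, &sz) != 0 || sz != 16000u) failures++;
    return failures;
}

int main(void)
{
    int f = self_check();
    printf("%s (%d failing checks)\n", f == 0 ? "OK" : "FAIL", f);
    return f != 0;
}
```

The unsafe parser is kept only to show where the missing check sits; feeding it SAMPLE_LYING would be undefined behaviour, which is exactly what an exploit author engineers into a controlled overwrite. The hardened parser's two rejections (length beyond the file, length beyond the destination) and the multiplication guard are the "write applications to be more memory-safe" item from the list in practice.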

------
cmdrfred
Why can't we escrow these, say, $10 million plus wire transfers for long enough
to seek some form of two-factor authentication? Fax a random code to the head
office or something? Seems like a pretty weak system.

~~~
unabridged
SWIFT and NY Fed are making many $10M+ transactions every hour, maybe every
minute.

I am sure that the Bangladesh Central Bank could have requested daily or
transaction limits for their accounts. But they most likely did not have that
in place. Being a government bank, they might make $20M transactions on a daily
basis. They probably also could have two-factor authentication, but that won't
help you if it's an inside job.

The most telling part of the story is that you can transfer $80M into Manila
casinos (a city I didn't even know had casinos before today) and get that in
chips without any trouble. I can't even imagine the volume of money flowing in
Vegas or Macau casinos.

~~~
ikeboy
Still, their margins on 20M should be high enough to pay someone to manually
check every transaction, within the amount of time it takes to become
irreversible.

Reminds me of [http://www.theguardian.com/business/2015/oct/20/deutsche-bank-accidentally-transfers-6bn-to-a-single-customer](http://www.theguardian.com/business/2015/oct/20/deutsche-bank-accidentally-transfers-6bn-to-a-single-customer)

------
rcaught
Does the misspelling of "foundation" as "fandation" suggest the first language
of an attacker(s)?

------
freddealmeida
I think the real moral of the story is why is the Fed even part of these
transactions without any actual security.

------
krisgenre
What's the point of transferring to a bank account? Wouldn't a bank account
have an address associated with it, and some kind of ID proof of the account
holder?

~~~
dublinben
The article mentions that the money was further laundered through casinos in
the Philippines. At that point, it's pretty much gone.

------
vjeux
"They then bombarded the Federal Reserve Bank of New York with nearly three
dozen requests to move money"

------
altitudinous
Crime pays. They still got away with $80m.

~~~
welder
They can't just anonymously withdraw $80m from an ATM...

------
DougN7
Moral of the story for techies: learn to spell! It could cost you dearly!
/smirk

~~~
raintrees
I was going to make a joke about @#$% autocorrect, but fandation?

