You get what you pay for. Buildings collapse, machines break down, dinosaurs roam parks and eat tourists and computers get hacked. That’s what happens when people scrimp too much on costs. If billionaire John Hammond paid Dennis Nedry well enough, Jurassic Park would never have broken down. He spared some expense there. But then, we wouldn’t have had a great movie and a ton of B movies with the requisite T-Rex that followed. If contractors didn’t scrooge on building materials, we wouldn’t have collapsible buildings after an intensity 5 earthquake. If the Bangladesh Central Bank didn’t scrimp on their budget, they probably wouldn’t have lost 81 million US dollars or more when hackers punched through their non-existent firewall and ten dollar routers. Their IT head’s career should be over by now.
Well, I know of a manager who quickly rose to the top when he cut the company some costs when he found this vendor and came up with a good in-house CRM. Cutting costs and managing to raise the company’s bottom line is great but not at the risk of security. No less than the central bank of Bangladesh suffered several attacks by hackers who stole up to 81 million US dollars. All because of one simple shortcoming. Someone cheaped out on their network infrastructure. Imagine a bank, the central bank no less with no hardware firewall, its computers connected to ten-dollar second-hand switches. It’s an all-you-can-eat financial buffet for black-hats. God knows how much malware must lurk in the 5000 computers of the banking staff.
“It could be difficult to hack if there was a firewall,”
— Mohammad Shah Alam, Bangladesh Criminal Investigations Department, Forensic Training Institute
It’s a miracle the Bangladesh Central Bank functioned for so long on such a level of security. It was only a matter of time before the inevitable happened. The 81 million heist was probably just one of many heists that occurred. Fortunately, they managed to fend off an attack that could have cost the bank 1 billion dollars according to Mr. Alam. The attack that happened earlier this year was done using the bank’s SWIFT global payment network credentials. It’s also appalling that SWIFT didn’t review the bank’s no-firewall cheap-switch infrastructure before allowing connections. Such a thing could make SWIFT equally liable for the incident.
“It was their responsibility to point out, but we haven’t found any evidence they advised before the heist.”
— Mohammad Shah Alam
It was only after the heist that the bank was advised by SWIFT representatives from Malaysia to upgrade the infrastructure.
“There might have been a deficiency in the system in the SWIFT room… Two SWIFT engineers came and visited the bank after the heist and suggested to upgrade the system,”
— Subhankar Saha, spokesman Bangladesh Central Bank
No kidding. Funny they didn’t advise it before. About 951 million dollars almost made it to the Federal Reserve Bank of New York, but 81 million made their way to the Philippines. The stolen funds were then tracked down to a major bank where a bank manager and several employees are being investigated for allowing the transfers of the stolen funds despite restrictions. Several businessmen and casinos are also implicated in an elaborate scheme to launder the stolen money. This reminds me of Rush Hour 2 where fake cash was being laundered through casinos. The heist is currently under investigation by the Philippine Senate and other law enforcement agencies. Final resolution for this case probably won’t happen until months after the elections.
Fortunately, the hackers weren’t smart enough to get through the Federal Reserve Bank in New York or it would have been a terrible disaster for Bangladesh. Another 20 million failed to be transferred to Sri Lanka due to a misspelling of the transferee. That’s millions of dollars lost which could have been prevented by coughing up a couple of million for Central Bank or enterprise-level IT security. The bank has over 5000 interconnected computers and according to Mr. Alam, the SWIFT room is within the same network and not separated by managed switches.
The bank’s IT staff is in for overdue security and infrastructure refresher courses if they haven’t been replaced yet. The bank is also in for some long overdue spending for new hardware. Other countries should take this incident as an object lesson on IT security. In a world where hacking is reported left and right, now isn’t the time to be cheap. If they really want to go cheap on servers, switches, backup and maintenance, there’s always IaaS. If they’re willing to entrust their money to the cloud.