SlideShare ist ein Scribd-Unternehmen logo

Deciphering the Bengladesh bank heist

Jérôme Kehrli
Jérôme Kehrli

A complete overview of the SWIFT attack by a group of hackers also known as the Bangladesh Bank heist

Technologie
1 von 74
1 © Jerome Kehrli @ niceideas.ch https://www.niceideas.ch/roller2/badtrash/entry/deciphering-the-bengladesh-bank-heist Bangladesh Bank Heist A complete overview of the SWIFT Attack
2 1. Introduction 2. The SWIFT network - Key Concepts 1. Correspondant Banking 2. Transfering Money 3. Application Architecture (Bengladesh case) 4. Introducing key SWIFT messages 3. The attack 1. Behaviour of the malware 2. Complete overview of the attack 3. Timeline of the attack 4. Laundering of the money 4. Aftermath 5. Conclusion Summary
3
4 In February 2016, a group of CyberThieves have stolen 81 Million USDs from the Bengladesh Central Bank One of the three biggest bank Heists in global Financial History Biggest Cyberheist ever The Hackers broke into the Information System of the Bangladesh Central Bank Attempted to transfer 951 Million USD from the Bank Successfully transferred 81 Million USD The money laundering scheme was brilliantly designed The thieves are unknown, untroubled and safe The successfully stole the money by hacking the SWIFT bridge within the bank SWIFT is the heart of the worldwide finance system, it connects the financial institutions worldwide The attackers forged fraudulent SWIFT funds transfer messages to the network They attempted to hide their traces by hiding confirmation to the fraudulent transfers coming from the network 1. Introduction - Bangladesh Bank Heist – What we know
5 The team of thieves Likely under 20 persons Composed by (at least): Hackers: social engineering and physical penetration in the bank to get administrator credentials Software Engineers: developed a custom version of the Dridex worm to perform the attack and gain control over the SWIFT bridge SWIFT experts: helped the team have an in depth understanding of the SWIFT messages formats and the SWIFT network behaviour This is the most puzzling aspects. SWIFT experts are not numerous worldwide Finance experts: helped the team shape the attach, find the right timeframe and build the money laundering scheme The project The team leader(s) had the idea likely a few years before He (they) assembled the team likely 2 years before the heist The team started working likely 18 months before the heist 1. Introduction - Bangladesh Bank Heist – What we believe
6 2. The SWIFT Network – key concepts
7 Presenting key concepts about correspondent banking and the SWIFT network SWIFT - Society for Worldwide Inter-bank Financial Telecommunication A belgian company, located in Belgium, a trusted and closed network used for communication between banks around the world. overseen by a committee composed of the US Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan and other major banks. SWIFT is used by around 11'000 institutions in more than 200 countries supports around 25 million communications a day, most of them being money transfer transactions, the rest are various other types of messages. The majority of international inter-bank messages use the SWIFT network. For two financial institutions to exchange banking transactions, they must have a banking relationship beforehand. A cool introduction to SWIFT is available on the Fin website : https://fin.plaid.com/articles/what-is-swift. 2. The SWIFT network – key concepts
8 2.1 Correspondent Banking (1/3) A correspondent bank is a financial institution that provides services on behalf of another financial institution. facilitate wire transfers, conduct business transactions, accept deposits and gather documents on behalf of another financial institution. Correspondent banks are most often to be used by domestic banks to service transactions in foreign countries, acting as a domestic bank's agent abroad. Reasons for this include: limited access to foreign financial markets and the inability to service client accounts without opening branches abroad, act as intermediaries between banks in different countries or as an agent to process local transactions for customers abroad, accept deposits, process documentation and serve as transfer agents for funds. The ability to execute these services relieves domestic banks of the need to establish a physical presence in foreign countries.
9 The accounts held between correspondent banks and the banks to which they are providing services are referred to as NOSTRO and VOSTRO accounts An account held by one bank for another is referred to by the holding bank as a VOSTRO account. The same account is referred as a NOSTRO account by the owning bank (the customer). Both banks in a correspondent relationship hold accounts for one another for the purpose of tracking debits and credits between the parties. 2.1 Correspondent Banking (2/3)
10 Transferring Money Using a Correspondent Bank International wire transfers often occur between banks that do not have an established financial relationship. When agreements are not in place between the bank sending a wire and the one receiving it, a correspondent bank must act as an intermediary. For example, a bank in Geneva that has received instructions to wire funds to a bank in Japan cannot wire funds directly without a working relationship with the receiving bank. Most if not all international wire transfers are executed through SWIFT. Knowing there is not a working relationship with the destination bank, the originating bank can search the SWIFT network for a correspondent bank that has arrangements with both banks. When the sending bank has no banking relationships with any bank having itself a relationship with the target bank, then the order needs to be transferred through several, sometimes many, distinct banks through the SWIFT network. These are called routing banks. 2.1 Correspondent Banking (3/3)
11 In the scope of funds transfers, correspondent banking relationships often happen between commercial banks and central banks. This is especially useful when a bank has to process massive funds transfers in different currencies. Imagine that a non-US commercial banking institution has to transfer a massive amount of US Dollars for one of its big customers to some other account in another financial institution abroad. It would be very inconvenient in this case to have to build up enough reserves of US dollars for this kind of transfers. Instead, big commercial banks worldwide open a correspondent banking relationships with the US federal Reserve in New York and use their VOSTRO accounts there to process such big transfers. Such VOSTRO accounts have typically no limits and do not necessarily need to be credited beforehand. The settlement can happen afterwards, on a regular basis. 2.2 Transferring Money (1/6)
12 2.2 Transferring Money (2/6)
13 2.2 Transferring Money (3/6)
14 2.2 Transferring Money (4/6)
15 2.2 Transferring Money (5/6)
16 2.2 Transferring Money (6/6)
17 SWIFT provides a centralized store-and-forward mechanism, with some transaction management. guarantees secure and reliable delivery of multiple targets and actions messages. SWIFT guarantees are based primarily on high redundancy of hardware, software, and people. Principles Today the SWIFT network can be seen as a highly secured private network over Internet. A financial institution needs to obtain a SWIFT gateway running the SWIFT NetLink software. proprietary hardware running with Linux and requiring a physical security dongle storing cryptographic keys to access the network. SWIFT also provides a whole lot of other software such as SWIFT Alliance Access that can be used by a financial institution to access the SWIFT network with higher level or simpler APIs. SWIFT Network Security it's a private network, and most banks set up their accounts such that only certain transactions between particular parties are permitted. The network privacy means that it should be hard for someone outside a bank to attack the network, but if a hacker breaks into a bank-as was the case here-then that protection evaporates. The Bangladesh central bank has all the necessary SWIFT software and authorized access to the SWIFT network. Any hacker running code within the Bangladesh bank also has access to the software and network. 2.3 Application Architecture - Bengladesh case – (1/x)
18 The Bangladesh central bank was handling SWIFT connectivity from the Banking Information System to the SWIFT network using the specific SWIFT Alliance Access software running on a bridge server. Alliance Access, integrated the way it was at the Bangladesh banks, was setup to read/write SWIFT messages from/to files on the filesystem (huge security concern !!!) and record transaction information in an Oracle database. In addition, confirmation and reconciliation messages were handled through a manual process after being sent to a printer. 2.3 Application Architecture - Bengladesh case – (2/x)
19 The hackers created a malware that generated and manipulated key SWIFT messages to withdraw the money from the Bangladesh Central Bank's VOSTRO account at the Fed. SWIFT messages consist of five blocks of the data including three headers, message content, and a trailer. Message types are crucial to identifying content. All SWIFT messages include the literal "MT" (Message Type). This is followed by a three-digit number that denotes the message category, group and type The key SWIFT messages in question here were of the following types: MT103 is used for cash transfer specifically for cross border/international wire transfer. MT202 is the general Financial Institution transfer order, used to order the movement of funds to the beneficiary institution. MT950 is the Final Statement report on all settlement operations with specified account within a current business day. Can be seen as the confirmation for an MT 202. 2.4 Introducing key SWIFT messages (1/x)
20
21
22
23
24
25
26
27
28
29
30
31 A lot of stuff goes through SWIFT, on the small message types subset related to transferring money are interesting. First the MT103 is an information message, basically announcing that a target counterparty account will receive money from an internal (or correspondent) account to be debited. Then the MT202 is the inter-bank transfer order, it applies globally to transfer money from a banking institution to another banking institution, covering all individual account level transfer announces relating to the same target institution. Finally the MT950 is the extract that confirms all executed order. It is the bible and references all positions confirmed and executed by the correspondent bank. It is often an end of day extract used by banking institutions for reconciliations. Again, when it comes to SWIFT messages processing from and to the Banking information System in the Bangladesh case, the important aspects here are: SWIFT messages originating from the Bank IS simply needed to be put on the filesystem somewhere to be "slurped" by the SWIFT Alliance Access software integrated the way is was integrated at Bangladesh Central Bank. Confirmation messages back from the SWIFT network were stored and printed. Reconciliation is a manual process from these printed messages.
32 3. The Attack
33 Capitalizing on weaknesses in the security of the Bangladesh Central Bank, hackers attempted to steal around a billion US dollars from the Bangladesh central bank's VOSTRO account with the US Federal Reserve Bank between February 4 and 5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observed how transfers were done, and gained access to the bank's credentials for payment transfers. They used these credentials to authorize about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the Bangladesh Bank VOSTRO to accounts in Sri Lanka and the Philippines. Thirty transactions worth 851 million USD were flagged by the banking system for staff review, but five requests were granted; 20 million USD to Sri Lanka (later recovered), and 81 million USD lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos and a little later transferred to Hong Kong. Summary of the attack (1/2)
34 The attack is impressive and stands out on various levels, in terms of technical means, maturity and complexity for several reasons: Technical Mastery: the usage of a custom Dridex worm to hack the SWIFT Bridge by the bank and likely other malwares to capture the administration credentials In-depth understanding of the worldwide financial market: both the attack shape and the money laundering scheme prove in-depth understanding of financial markets SWIFT knowledge: in-depth Knowledge of the SWIFT messaging details is not that much spread among software engineers Attacking the VOSTRO account of the Bengladesh Central Bank managed at the Fed was brilliant! Such VOSTRO account usually have no limits whatsoever They do not even need to be credited beforehand In addition, since a correspondent bank knows nothing of the customer on behalf the sending bank is acting, its fairly easy to make it believe the transaction is genuine Summary of the attack (2/2)
35 The hackers used a custom version of the Dridex malware to hack software called SWIFT Alliance Access to both make the transactions and hide the evidence. When a message with one of the search terms was found, the malware would do different things depending on the kind of message. Payment orders were modified to increase the amounts being moved, updating the Alliance database with new values. Confirmation messages from the SWIFT network were also modified. Confirmations are printed and stored in the database. Before being printed, the malware would alter the confirmations to show the original, correct transaction value; it also deleted confirmations from the Alliance database entirely. It's still not clear how the initial transactions were entered into the system to trigger the malware in the first place. 3.1 Behaviour of the malware (1/3)
36 The SWIFT network key components haven't been compromised, the malware was targeting the Bangladesh Central Bank's own bride to the SWIFT infrastructure running the SWIFT Alliance Access Software: 3.1 Behaviour of the malware (2/3)
37 If an organization can't keep its endpoint secure, it leaves itself very vulnerable to being electronically robbed. The bank lacked any firewalls and was using second-hand $10 switches on its network. These switches did not allow for the regular LAN to be segmented or otherwise isolated from the SWIFT systems. The lack of network security infrastructure has also hindered the investigation. It's still not known how the hackers penetrated the network, but it looks like the bank didn't make it difficult for them to do so. How the attackers obtained administration credentials is also still unclear. They might have obtained these credentials by using another malware or by exploiting a remotely available vulnerability (not impossible considering the weak security practices in place in the Bangladesh Central Bank) or it might also have been an insider job. So far there are only speculations in this regards. 3.1 Behaviour of the malware (3/3)
38 3.1.1 Forging fraudulent SWIFT messages (1/3) Simplifying a bit the reality, we can picture the malware as forging fraudulent SWIFT messages as follows:
39 3.1.1 Forging fraudulent SWIFT messages (2/3)
40 3.1.1 Forging fraudulent SWIFT messages (3/3)
41 3.1.2 Forging fraudulent SWIFT messages (1/3) Here as well, by simplifying a little the reality, we can picture the malware as intercepting SWIFT confirmations as follows:
42 3.1.2 Forging fraudulent SWIFT messages (2/3)
43 3.1.2 Forging fraudulent SWIFT messages (3/3)
44 What we know of the malware: codenamed Dridex filenamed evtdiag.exe, designed to hide the hacker's tracks by changing information on a SWIFT database within Alliance Access contained the IP address of a server in Egypt the attackers used to monitor the use of the SWIFT system by Bangladesh Bank staff. was compiled close to the date of the heist, contained detailed information about the bank's operations was uploaded from Bangladesh. While that malware was specifically written to attack the Bangladesh Bank, the general tools, techniques and procedures used in the attack may allow the gang to strike again and as a matter of fact there have been attempts discussed by Reuters. It was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials. 3.1.3 The Malware (1/2)
45 The malware was designed to make a slight change to the code of the Access Alliance software installed at the Bangladesh Central Bank, giving attackers the ability to modify a database that logged the bank's activity over the SWIFT network. It could delete records of outgoing transfer requests from the database and also intercept incoming messages confirming transfers ordered by the hackers. It also able to manipulate account balances on logs to prevent the heist from being discovered until after the funds had been laundered. The malware also manipulated the stream of confirmations sent to a printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts. This part went wrong and led the printer to crash. 3.1.3 The Malware (2/2)
46 3.2 Complete overview of the attack (1/8) On February 4, likely after months of preparation, organizationally and technically, gaining access to the systems, developing the custom Dridex worm, obtaining credentials, infecting the systems, etc. The hackers launched the attack.
47 3.2 Complete overview of the attack (2/8) On February 4, unknown hackers sent more than three dozens of fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's VOSTRO account to bank accounts in the Philippines, Sri-Lanka and other parts of Asia.
48 3.2 Complete overview of the attack (3/8) The hackers managed to get 81 million USD sent to Rizal Commercial Banking Corporation (RCBC) in the Philippines via four different transfer requests and an additional 20 million USD sent to Pan Asia Banking in a single request.
49 3.2 Complete overview of the attack (4/8) Fortunately 850 million USD in other transactions managed to be saved initially (thx to the Fed). the losses could have been much higher had the name ”Jupiter” not formed part of the address of a Philippines bank account where the hackers sought to send hundreds of millions of dollars more. “Jupiter” was the name of an oil tanker and a shipping company under United States' sanctions against Iran. That sanctions listing triggered concerns at the Fed.
50 3.2 Complete overview of the attack (5/8) The 81 million USD was deposited into three accounts at a Rizal branch in Manila on Feb. 4. These accounts had all been opened a year earlier in May 2015, but had been inactive with just 500 USD sitting in them until the stolen funds arrived in February this year.
51 3.2 Complete overview of the attack (6/8) Another 20 million USD intended to be sent to Pan Asia Banking have been blocked later in the correspondent bank funds transfer routing process (Deutsche Bank). the hackers misspelled the name of a non-existent NGO, Shalika Foundation, by writing "fandation" instead of "foundation". This prompted the Deutsche Bank, a routing bank, to seek clarification from the Bangladesh central bank, thereby stopping the transaction.
52 3.2 Complete overview of the attack (7/8) But the 81 million USD that went to Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts, reportedly belonging to casinos in the Philippines They were transferred by a money transfer (remittance) company Philrem Services Corporation.
53 The printer error A printer "error" helped Bangladesh Bank discover the heist. The bank's SWIFT bridge (running Alliance Access) was configured to automatically print out confirmations back from correspondent banks. The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty. When bank workers tried to print the reports manually, they couldn't. The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered. The problem is deemed to be an unwanted bug with the worm, a failure in the attack if one likes, since the worm was programmed to remove confirmation of fraudulent payments from the confirmation stream being sent to the printer. When they finally got the software working the next day and were able to restart the printer, dozens of suspicious transactions spit out. The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded. Fortunately, in this case, the Fed clarification requests and the Deutsche Bank request would have anyway alerted the bank, so even if the worm had functioned correctly, the bank would have been made aware of the attack. 3.2 Complete overview of the attack (8/8)
54 3.3 Timeline of the attack (1/9) In every movie about bank robberies, timing is presented as critical. Here as well timing has been an essential concern and brilliantly mastered by the attackers.
55 3.3 Timeline of the attack (2/9)
56 3.3 Timeline of the attack (3/9)
57 3.3 Timeline of the attack (4/9)
58 3.3 Timeline of the attack (5/9)
59 3.3 Timeline of the attack (6/9)
60 3.3 Timeline of the attack (7/9)
61 3.3 Timeline of the attack (8/9)
62 The timing was perfect ! A unique Week-End preceded by a business holiday in Bengladesh and followed by a the Chinese New Year holiday in the Philippines. An ideal situation ! The Fed couldn't get the required clarification from Bangladesh Bank on the next day, because of banking holidays in Bengladesh, and as such didn't attempt to recover the 5 orders that passed immediately. On Monday, the stop orders sent by the Bangladesh bank couldn't be processed by the RCBC to freeze the funds since it was a banking holiday in Philippines. In addition, the chinese new-year and the volume of exchanges in casinos at such occasion made the laundering of the money straightforward, not to mention the Philippines weak AML laws and practices. 3.3 Timeline of the attack (9/9)
63 Getting the money out is also difficult ! Here the laundering scheme was both easy and magnificent. money has been laundered through the Philippines. The 81 million USD was sent to the Philippines to accounts at the Rizal Commercial Banking Corp (RCBC) held by two Chinese nationals (false identities). The money was moved to several Philippine casinos and then subsequently to international bank accounts. Laundering money in a Casino is fairly straightforward... Philippine casinos are exempted of anti-money laundering law that requires them to report suspicious transactions, making them an attractive target for this kind of crime. The volumes and the kind of operations during Chinese New-Year makes everything absolutely untraceable. Bamm ! Done. Money Laundered. 3.4 Laundering of the money
64 4. Aftermath
65 What Does the Heist Mean? Even if the hackers didn't compromise the SWIFT network itself, such that all of SWIFT banks were vulnerable, it's still bad news for the global banking system. By targeting the methods that financial institutions use to conduct transactions over the SWIFT network, the hackers undermine a system that until now had been viewed as stalwart. 4. Aftermath (1/6)
66 Who's to Blame? Only the attackers of course ! But still, without such amazing security weaknesses in the Bengladesh Central Bank and with better control and stricter procedures in place at the Fed, the attack would not have been possible. Of course, the Bangladesh Bank blames the Fed for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response. Authorities at the Fed said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others. Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the ones it deemed suspicious. And so on ... 4. Aftermath (2/6)
67 The Bengladesh Bank Aside from the loss of money, the Central Bank's governor, Atiur Rahman has resigned due to the incident. The bank promised to improve their cyber-security and ensure this kind of bank heist is prevented in the future. 4. Aftermath (3/6)
68 The Fed The immediate result of the breach for the New York Fed is a claim from the Bangladesh Bank for payment of lost funds and a potential lawsuit. The Fed focused security resources on other priorities, such as preventing money-laundering and enforcing U.S. economic sanctions, officials with knowledge of the bank's security operations told Reuters. Fed officials took some comfort in the fact that SWIFT's security software had never been cracked. The Bengladesh heist forced the Fed to invest massively in Fraud prevention solutions and better transaction monitoring systems. 4. Aftermath (4/6)
69 Philrem services The Philippine central bank has revoked the license of a remittance company that anti-money laundering investigators said was used to transfer some of the 81 million USD hackers looted from the Bangladesh central bank. The Anti-Money Laundering Council (AMLC) issued a complaint against Philrem Service Corporation on April 28, accusing it of creating a fog around transactions and washing the stolen funds via a web of transfers and currency conversions through Philippine bank accounts, before moving the cash through casinos in Manila and junket operators. 4. Aftermath (5/6)
70 The Philippines The Philippines' involvement in the 100 million USD Bangladesh Bank heist, which has risked its return to the FATF gray list, showed the urgency of putting more teeth into the Anti-Money Laundering Act (AMLA). The law, which was first introduced in 2001, left casinos out of the list of entities required to report suspicious transactions to the AMLC. There were efforts in the Senate to include this provision in the amended AMLA in 2013, but this was blocked by some lawmakers and casinos lobbies. 4. Aftermath (6/6)
71 5. Conclusion
72 The heist scares the whole financial system worldwide If the hackers had indeed managed to get away with the terrifyingly large amount of 1 billion USD, this would have easily been the biggest bank heist in history, not to mention cyber heist. Interestingly, these kinds of attacks will be increasingly common and if banks aren't updating their security processes and maintaining their network infrastructures, and the success rates of these attacks will only go up. Imagine the following if the worm had functioned correctly and not blocked the printer, if the Deutsche bank didn't find the typo, if the Fed didn't become suspicious because of the Jupiter keyword, Then the attack might have been a complete success. Not only the attackers would have successfully withdrawn almost one billion US dollars from the Bangladesh bank VOSTRO account at the Fed, but the attack might have been noted only weeks after the facts. 5. Conclusions (1/2)
73 Imagine that the same attack succeeds against european bank for instance In the US and in Europe, the SWIFT interfaces are integrated in an STP (Straight Through Processing) way. There is no such thing as manual reconciliation from some papers printed on a printer. The handling of confirmations and position reconciliation is mostly completely automated. As such, the same attack succeeding in Europe for instance might take months to be discovered and uncovered, only a the moment the big position reconciliations between NOSTRO and VOSTRO accounts in correspondent banks are triggered. Even further, imagine that one of these banks at stakes suspects something They would use SWIFT again to reconcile their views of the truth (MT109 and MT999). These messages can be hacked just as well, in which case the theft may remain uncovered for months. 5. Conclusions (2/2)
74 Thanks for listening

Empfohlen

Bnagldesh bank heist
Bnagldesh bank heistBnagldesh bank heist
Bnagldesh bank heist
Sumon Chowdhury
 
Bangladesh bank heist case study!
Bangladesh bank heist case study!Bangladesh bank heist case study!
Bangladesh bank heist case study!
Mohammed Jaseem Tp
 
Bangladesh Bank Foreign Exchange Heist
Bangladesh Bank Foreign Exchange HeistBangladesh Bank Foreign Exchange Heist
Bangladesh Bank Foreign Exchange Heist
AinulHasan4
 
Presentation AML
Presentation AMLPresentation AML
Presentation AML
Mirsazzad
 
The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK
The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK
The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK
Melissa Cammarata
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Dinidu Weeraratne
 
Basics of Anti-Money Laundering : A Really Quick Primer
Basics of Anti-Money Laundering : A Really Quick PrimerBasics of Anti-Money Laundering : A Really Quick Primer
Basics of Anti-Money Laundering : A Really Quick Primer
complianceonline123
 
Security system in banks
Security system in banksSecurity system in banks
Security system in banks
university of education,Lahore
 

Empfohlen

Bnagldesh bank heist
Bnagldesh bank heistBnagldesh bank heist
Bnagldesh bank heist
Sumon Chowdhury
 
Bangladesh bank heist case study!
Bangladesh bank heist case study!Bangladesh bank heist case study!
Bangladesh bank heist case study!
Mohammed Jaseem Tp
 
Bangladesh Bank Foreign Exchange Heist
Bangladesh Bank Foreign Exchange HeistBangladesh Bank Foreign Exchange Heist
Bangladesh Bank Foreign Exchange Heist
AinulHasan4
 
Presentation AML
Presentation AMLPresentation AML
Presentation AML
Mirsazzad
 
The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK
The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK
The ANTI-MONEYLAUNDERING LEGAL FRAMEWORK
Melissa Cammarata
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Dinidu Weeraratne
 
Basics of Anti-Money Laundering : A Really Quick Primer
Basics of Anti-Money Laundering : A Really Quick PrimerBasics of Anti-Money Laundering : A Really Quick Primer
Basics of Anti-Money Laundering : A Really Quick Primer
complianceonline123
 
Security system in banks
Security system in banksSecurity system in banks
Security system in banks
university of education,Lahore
 
Preventing Bank's Fraud and Forgery
Preventing Bank's Fraud and ForgeryPreventing Bank's Fraud and Forgery
Preventing Bank's Fraud and Forgery
Asad Hameed
 
Investigating Trade-Based Money Laundering
Investigating Trade-Based Money LaunderingInvestigating Trade-Based Money Laundering
Investigating Trade-Based Money Laundering
Case IQ
 
Anti Money Laundering Presentation
Anti Money Laundering PresentationAnti Money Laundering Presentation
Anti Money Laundering Presentation
Audrius Sapola
 
Cybersecurity in Banking Sector
Cybersecurity in Banking SectorCybersecurity in Banking Sector
Cybersecurity in Banking Sector
Quick Heal Technologies Ltd.
 
Aml / anti money laundering
Aml / anti money launderingAml / anti money laundering
Aml / anti money laundering
SAMBIT SWAIN
 
SWIFT - Clearing and Settlement
SWIFT - Clearing and Settlement SWIFT - Clearing and Settlement
SWIFT - Clearing and Settlement
Aman Lalpuria
 
Aml training
Aml trainingAml training
Aml training
Rahul Bhan (CA, CIA, MBA)
 
5. Core Banking System
5. Core Banking System5. Core Banking System
5. Core Banking System
Ashish Desai
 
Red Flags of Money Laundering
Red Flags of Money LaunderingRed Flags of Money Laundering
Red Flags of Money Laundering
complianceonline123
 
Aml basics
Aml basicsAml basics
Aml basics
David F Amakobe
 
Bank frauds
Bank fraudsBank frauds
Bank frauds
jagannath ojha
 
Bank frauds
Bank fraudsBank frauds
Bank frauds
Pooja Rani
 
AML Training uba capital
AML Training uba capitalAML Training uba capital
AML Training uba capital
SEGUN AREMU B.sc Banking and Finance (ACIB)
 
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Savita Marwal
 
E banking security
E banking securityE banking security
E banking security
Iman Rahmanian
 
Money Laundering and Terrorist Financing in a Nutshell: Chapter One
Money Laundering and Terrorist Financing in a Nutshell: Chapter OneMoney Laundering and Terrorist Financing in a Nutshell: Chapter One
Money Laundering and Terrorist Financing in a Nutshell: Chapter One
Md. Moulude Hossain
 
Money Laundering and Corruption
Money Laundering and CorruptionMoney Laundering and Corruption
Money Laundering and Corruption
Jubayer Alam Shoikat
 
Aml cft training programme
Aml cft training programmeAml cft training programme
Aml cft training programme
Subhalakshmi Girish
 
Anti-Money Laundering and Counter Financing of Terrorism
Anti-Money Laundering and Counter Financing of TerrorismAnti-Money Laundering and Counter Financing of Terrorism
Anti-Money Laundering and Counter Financing of Terrorism
Puni Hariaratnam
 
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
central university of rajasthan
 
How does works trace swift messaging services
How does works trace swift messaging servicesHow does works trace swift messaging services
How does works trace swift messaging services
Trace Software
 
Key terms done
Key terms doneKey terms done
Key terms done
nileshsen
 

Weitere ähnliche Inhalte

Was ist angesagt?

Aml training
Aml trainingAml training
Aml training
Rahul Bhan (CA, CIA, MBA)
 
Red Flags of Money Laundering
Red Flags of Money LaunderingRed Flags of Money Laundering
Red Flags of Money Laundering
complianceonline123
 
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Savita Marwal
 
Anti-Money Laundering and Counter Financing of Terrorism
Anti-Money Laundering and Counter Financing of TerrorismAnti-Money Laundering and Counter Financing of Terrorism
Anti-Money Laundering and Counter Financing of Terrorism
Puni Hariaratnam
 

Was ist angesagt? (20)

Preventing Bank's Fraud and Forgery
Preventing Bank's Fraud and ForgeryPreventing Bank's Fraud and Forgery
Preventing Bank's Fraud and Forgery
 
Investigating Trade-Based Money Laundering
Investigating Trade-Based Money LaunderingInvestigating Trade-Based Money Laundering
Investigating Trade-Based Money Laundering
 
Anti Money Laundering Presentation
Anti Money Laundering PresentationAnti Money Laundering Presentation
Anti Money Laundering Presentation
 
Cybersecurity in Banking Sector
Cybersecurity in Banking SectorCybersecurity in Banking Sector
Cybersecurity in Banking Sector
 
Aml / anti money laundering
Aml / anti money launderingAml / anti money laundering
Aml / anti money laundering
 
SWIFT - Clearing and Settlement
SWIFT - Clearing and Settlement SWIFT - Clearing and Settlement
SWIFT - Clearing and Settlement
 
Aml training
Aml trainingAml training
Aml training
 
5. Core Banking System
5. Core Banking System5. Core Banking System
5. Core Banking System
 
Red Flags of Money Laundering
Red Flags of Money LaunderingRed Flags of Money Laundering
Red Flags of Money Laundering
 
Aml basics
Aml basicsAml basics
Aml basics
 
Bank frauds
Bank fraudsBank frauds
Bank frauds
 
Bank frauds
Bank fraudsBank frauds
Bank frauds
 
AML Training uba capital
AML Training uba capitalAML Training uba capital
AML Training uba capital
 
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
Payment and Settlement Systems(SWIFT,NEFT and Securities Cycle)
 
E banking security
E banking securityE banking security
E banking security
 
Money Laundering and Terrorist Financing in a Nutshell: Chapter One
Money Laundering and Terrorist Financing in a Nutshell: Chapter OneMoney Laundering and Terrorist Financing in a Nutshell: Chapter One
Money Laundering and Terrorist Financing in a Nutshell: Chapter One
 
Money Laundering and Corruption
Money Laundering and CorruptionMoney Laundering and Corruption
Money Laundering and Corruption
 
Aml cft training programme
Aml cft training programmeAml cft training programme
Aml cft training programme
 
Anti-Money Laundering and Counter Financing of Terrorism
Anti-Money Laundering and Counter Financing of TerrorismAnti-Money Laundering and Counter Financing of Terrorism
Anti-Money Laundering and Counter Financing of Terrorism
 
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
 

Ähnlich wie Deciphering the Bengladesh bank heist

Key terms done
Key terms doneKey terms done
Key terms done
nileshsen
 
Swift society worldwideinterbankfinancialtelecommunication
Swift society worldwideinterbankfinancialtelecommunicationSwift society worldwideinterbankfinancialtelecommunication
Swift society worldwideinterbankfinancialtelecommunication
VogelDenise
 
difference-between-swift-and-local-transfer (1).pdf
difference-between-swift-and-local-transfer (1).pdfdifference-between-swift-and-local-transfer (1).pdf
difference-between-swift-and-local-transfer (1).pdf
Salt Poziom INC
 
SWIFT for Corporates Brochure
SWIFT for Corporates BrochureSWIFT for Corporates Brochure
SWIFT for Corporates Brochure
David Unsdorfer
 
Reference Architecture for Cryptocurrency in Banking
Reference Architecture for Cryptocurrency in BankingReference Architecture for Cryptocurrency in Banking
Reference Architecture for Cryptocurrency in Banking
ITIIIndustries
 

Ähnlich wie Deciphering the Bengladesh bank heist (20)

How does works trace swift messaging services
How does works trace swift messaging servicesHow does works trace swift messaging services
How does works trace swift messaging services
 
Key terms done
Key terms doneKey terms done
Key terms done
 
SWIFT secure financial messaging services key facts and information
SWIFT secure financial messaging services key facts and informationSWIFT secure financial messaging services key facts and information
SWIFT secure financial messaging services key facts and information
 
Correspondent banking
Correspondent bankingCorrespondent banking
Correspondent banking
 
Swift society worldwideinterbankfinancialtelecommunication
Swift society worldwideinterbankfinancialtelecommunicationSwift society worldwideinterbankfinancialtelecommunication
Swift society worldwideinterbankfinancialtelecommunication
 
Swift.pptx
Swift.pptxSwift.pptx
Swift.pptx
 
difference-between-swift-and-local-transfer (1).pdf
difference-between-swift-and-local-transfer (1).pdfdifference-between-swift-and-local-transfer (1).pdf
difference-between-swift-and-local-transfer (1).pdf
 
Bancassurance 121118023946-phpapp01
Bancassurance 121118023946-phpapp01Bancassurance 121118023946-phpapp01
Bancassurance 121118023946-phpapp01
 
SWIFT for Corporates Brochure
SWIFT for Corporates BrochureSWIFT for Corporates Brochure
SWIFT for Corporates Brochure
 
International banking MFI
International banking MFIInternational banking MFI
International banking MFI
 
White Paper Libra Facebook April 2020
White Paper Libra Facebook April 2020White Paper Libra Facebook April 2020
White Paper Libra Facebook April 2020
 
The Libra Blockchain Whitepaper | v 2.0
The Libra Blockchain Whitepaper | v 2.0The Libra Blockchain Whitepaper | v 2.0
The Libra Blockchain Whitepaper | v 2.0
 
Ripple for Financial Institutions
Ripple for Financial InstitutionsRipple for Financial Institutions
Ripple for Financial Institutions
 
Fund transfer process
Fund transfer processFund transfer process
Fund transfer process
 
Swift-cyber-attacks.pptx
Swift-cyber-attacks.pptxSwift-cyber-attacks.pptx
Swift-cyber-attacks.pptx
 
Reference Architecture for Cryptocurrency in Banking
Reference Architecture for Cryptocurrency in BankingReference Architecture for Cryptocurrency in Banking
Reference Architecture for Cryptocurrency in Banking
 
S&P on DeFi
S&P on DeFiS&P on DeFi
S&P on DeFi
 
Virtual taka in bangladesh context
Virtual taka in bangladesh contextVirtual taka in bangladesh context
Virtual taka in bangladesh context
 
An introduction to SwiftNET
An introduction to SwiftNETAn introduction to SwiftNET
An introduction to SwiftNET
 
Eft,rtgs,international banking,exchange rate
Eft,rtgs,international banking,exchange rateEft,rtgs,international banking,exchange rate
Eft,rtgs,international banking,exchange rate
 

Mehr von Jérôme Kehrli

From Product Vision to Story Map - Lean / Agile Product shaping
From Product Vision to Story Map - Lean / Agile Product shapingFrom Product Vision to Story Map - Lean / Agile Product shaping
From Product Vision to Story Map - Lean / Agile Product shaping
Jérôme Kehrli
 
Bytecode manipulation with Javassist for fun and profit
Bytecode manipulation with Javassist for fun and profitBytecode manipulation with Javassist for fun and profit
Bytecode manipulation with Javassist for fun and profit
Jérôme Kehrli
 
Blockchain 2.0
Blockchain 2.0Blockchain 2.0
Blockchain 2.0
Jérôme Kehrli
 
The Blockchain - The Technology behind Bitcoin
The Blockchain - The Technology behind Bitcoin The Blockchain - The Technology behind Bitcoin
The Blockchain - The Technology behind Bitcoin
Jérôme Kehrli
 

Mehr von Jérôme Kehrli (18)

Introduction to Operating Systems
Introduction to Operating Systems Introduction to Operating Systems
Introduction to Operating Systems
 
Introduction to Modern Software Architecture
Introduction to Modern Software ArchitectureIntroduction to Modern Software Architecture
Introduction to Modern Software Architecture
 
A proposed framework for Agile Roadmap Design and Maintenance
A proposed framework for Agile Roadmap Design and MaintenanceA proposed framework for Agile Roadmap Design and Maintenance
A proposed framework for Agile Roadmap Design and Maintenance
 
The search for Product-Market Fit
The search for Product-Market FitThe search for Product-Market Fit
The search for Product-Market Fit
 
Big data in Private Banking
Big data in Private BankingBig data in Private Banking
Big data in Private Banking
 
From Product Vision to Story Map - Lean / Agile Product shaping
From Product Vision to Story Map - Lean / Agile Product shapingFrom Product Vision to Story Map - Lean / Agile Product shaping
From Product Vision to Story Map - Lean / Agile Product shaping
 
Artificial Intelligence and Digital Banking - What about fraud prevention ?
Artificial Intelligence and Digital Banking - What about fraud prevention ?Artificial Intelligence and Digital Banking - What about fraud prevention ?
Artificial Intelligence and Digital Banking - What about fraud prevention ?
 
Artificial Intelligence for Banking Fraud Prevention
Artificial Intelligence for Banking Fraud PreventionArtificial Intelligence for Banking Fraud Prevention
Artificial Intelligence for Banking Fraud Prevention
 
Linux and Java - Understanding and Troubleshooting
Linux and Java - Understanding and TroubleshootingLinux and Java - Understanding and Troubleshooting
Linux and Java - Understanding and Troubleshooting
 
Introduction to NetGuardians' Big Data Software Stack
Introduction to NetGuardians' Big Data Software StackIntroduction to NetGuardians' Big Data Software Stack
Introduction to NetGuardians' Big Data Software Stack
 
Periodic Table of Agile Principles and Practices
Periodic Table of Agile Principles and PracticesPeriodic Table of Agile Principles and Practices
Periodic Table of Agile Principles and Practices
 
Agility and planning : tools and processes
Agility and planning : tools and processesAgility and planning : tools and processes
Agility and planning : tools and processes
 
Bytecode manipulation with Javassist for fun and profit
Bytecode manipulation with Javassist for fun and profitBytecode manipulation with Javassist for fun and profit
Bytecode manipulation with Javassist for fun and profit
 
DevOps explained
DevOps explainedDevOps explained
DevOps explained
 
Digitalization: A Challenge and An Opportunity for Banks
Digitalization: A Challenge and An Opportunity for BanksDigitalization: A Challenge and An Opportunity for Banks
Digitalization: A Challenge and An Opportunity for Banks
 
Lean startup
Lean startupLean startup
Lean startup
 
Blockchain 2.0
Blockchain 2.0Blockchain 2.0
Blockchain 2.0
 
The Blockchain - The Technology behind Bitcoin
The Blockchain - The Technology behind Bitcoin The Blockchain - The Technology behind Bitcoin
The Blockchain - The Technology behind Bitcoin
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Deciphering the Bengladesh bank heist

  • 1. 1 © Jerome Kehrli @ niceideas.ch https://www.niceideas.ch/roller2/badtrash/entry/deciphering-the-bengladesh-bank-heist Bangladesh Bank Heist A complete overview of the SWIFT Attack
  • 2. 2 1. Introduction 2. The SWIFT network - Key Concepts 1. Correspondant Banking 2. Transfering Money 3. Application Architecture (Bengladesh case) 4. Introducing key SWIFT messages 3. The attack 1. Behaviour of the malware 2. Complete overview of the attack 3. Timeline of the attack 4. Laundering of the money 4. Aftermath 5. Conclusion Summary
  • 3. 3
  • 4. 4 In February 2016, a group of CyberThieves have stolen 81 Million USDs from the Bengladesh Central Bank One of the three biggest bank Heists in global Financial History Biggest Cyberheist ever The Hackers broke into the Information System of the Bangladesh Central Bank Attempted to transfer 951 Million USD from the Bank Successfully transferred 81 Million USD The money laundering scheme was brilliantly designed The thieves are unknown, untroubled and safe The successfully stole the money by hacking the SWIFT bridge within the bank SWIFT is the heart of the worldwide finance system, it connects the financial institutions worldwide The attackers forged fraudulent SWIFT funds transfer messages to the network They attempted to hide their traces by hiding confirmation to the fraudulent transfers coming from the network 1. Introduction - Bangladesh Bank Heist – What we know
  • 5. 5 The team of thieves Likely under 20 persons Composed by (at least): Hackers: social engineering and physical penetration in the bank to get administrator credentials Software Engineers: developed a custom version of the Dridex worm to perform the attack and gain control over the SWIFT bridge SWIFT experts: helped the team have an in depth understanding of the SWIFT messages formats and the SWIFT network behaviour This is the most puzzling aspects. SWIFT experts are not numerous worldwide Finance experts: helped the team shape the attach, find the right timeframe and build the money laundering scheme The project The team leader(s) had the idea likely a few years before He (they) assembled the team likely 2 years before the heist The team started working likely 18 months before the heist 1. Introduction - Bangladesh Bank Heist – What we believe
  • 6. 6 2. The SWIFT Network – key concepts
  • 7. 7 Presenting key concepts about correspondent banking and the SWIFT network SWIFT - Society for Worldwide Inter-bank Financial Telecommunication A belgian company, located in Belgium, a trusted and closed network used for communication between banks around the world. overseen by a committee composed of the US Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan and other major banks. SWIFT is used by around 11'000 institutions in more than 200 countries supports around 25 million communications a day, most of them being money transfer transactions, the rest are various other types of messages. The majority of international inter-bank messages use the SWIFT network. For two financial institutions to exchange banking transactions, they must have a banking relationship beforehand. A cool introduction to SWIFT is available on the Fin website : https://fin.plaid.com/articles/what-is-swift. 2. The SWIFT network – key concepts
  • 8. 8 2.1 Correspondent Banking (1/3) A correspondent bank is a financial institution that provides services on behalf of another financial institution. facilitate wire transfers, conduct business transactions, accept deposits and gather documents on behalf of another financial institution. Correspondent banks are most often to be used by domestic banks to service transactions in foreign countries, acting as a domestic bank's agent abroad. Reasons for this include: limited access to foreign financial markets and the inability to service client accounts without opening branches abroad, act as intermediaries between banks in different countries or as an agent to process local transactions for customers abroad, accept deposits, process documentation and serve as transfer agents for funds. The ability to execute these services relieves domestic banks of the need to establish a physical presence in foreign countries.
  • 9. 9 The accounts held between correspondent banks and the banks to which they are providing services are referred to as NOSTRO and VOSTRO accounts An account held by one bank for another is referred to by the holding bank as a VOSTRO account. The same account is referred as a NOSTRO account by the owning bank (the customer). Both banks in a correspondent relationship hold accounts for one another for the purpose of tracking debits and credits between the parties. 2.1 Correspondent Banking (2/3)
  • 10. 10 Transferring Money Using a Correspondent Bank International wire transfers often occur between banks that do not have an established financial relationship. When agreements are not in place between the bank sending a wire and the one receiving it, a correspondent bank must act as an intermediary. For example, a bank in Geneva that has received instructions to wire funds to a bank in Japan cannot wire funds directly without a working relationship with the receiving bank. Most if not all international wire transfers are executed through SWIFT. Knowing there is not a working relationship with the destination bank, the originating bank can search the SWIFT network for a correspondent bank that has arrangements with both banks. When the sending bank has no banking relationships with any bank having itself a relationship with the target bank, then the order needs to be transferred through several, sometimes many, distinct banks through the SWIFT network. These are called routing banks. 2.1 Correspondent Banking (3/3)
  • 11. 11 In the scope of funds transfers, correspondent banking relationships often happen between commercial banks and central banks. This is especially useful when a bank has to process massive funds transfers in different currencies. Imagine that a non-US commercial banking institution has to transfer a massive amount of US Dollars for one of its big customers to some other account in another financial institution abroad. It would be very inconvenient in this case to have to build up enough reserves of US dollars for this kind of transfers. Instead, big commercial banks worldwide open a correspondent banking relationships with the US federal Reserve in New York and use their VOSTRO accounts there to process such big transfers. Such VOSTRO accounts have typically no limits and do not necessarily need to be credited beforehand. The settlement can happen afterwards, on a regular basis. 2.2 Transferring Money (1/6)
  • 17. 17 SWIFT provides a centralized store-and-forward mechanism, with some transaction management. guarantees secure and reliable delivery of multiple targets and actions messages. SWIFT guarantees are based primarily on high redundancy of hardware, software, and people. Principles Today the SWIFT network can be seen as a highly secured private network over Internet. A financial institution needs to obtain a SWIFT gateway running the SWIFT NetLink software. proprietary hardware running with Linux and requiring a physical security dongle storing cryptographic keys to access the network. SWIFT also provides a whole lot of other software such as SWIFT Alliance Access that can be used by a financial institution to access the SWIFT network with higher level or simpler APIs. SWIFT Network Security it's a private network, and most banks set up their accounts such that only certain transactions between particular parties are permitted. The network privacy means that it should be hard for someone outside a bank to attack the network, but if a hacker breaks into a bank-as was the case here-then that protection evaporates. The Bangladesh central bank has all the necessary SWIFT software and authorized access to the SWIFT network. Any hacker running code within the Bangladesh bank also has access to the software and network. 2.3 Application Architecture - Bengladesh case – (1/x)
  • 18. 18 The Bangladesh central bank was handling SWIFT connectivity from the Banking Information System to the SWIFT network using the specific SWIFT Alliance Access software running on a bridge server. Alliance Access, integrated the way it was at the Bangladesh banks, was setup to read/write SWIFT messages from/to files on the filesystem (huge security concern !!!) and record transaction information in an Oracle database. In addition, confirmation and reconciliation messages were handled through a manual process after being sent to a printer. 2.3 Application Architecture - Bengladesh case – (2/x)
  • 19. 19 The hackers created a malware that generated and manipulated key SWIFT messages to withdraw the money from the Bangladesh Central Bank's VOSTRO account at the Fed. SWIFT messages consist of five blocks of the data including three headers, message content, and a trailer. Message types are crucial to identifying content. All SWIFT messages include the literal "MT" (Message Type). This is followed by a three-digit number that denotes the message category, group and type The key SWIFT messages in question here were of the following types: MT103 is used for cash transfer specifically for cross border/international wire transfer. MT202 is the general Financial Institution transfer order, used to order the movement of funds to the beneficiary institution. MT950 is the Final Statement report on all settlement operations with specified account within a current business day. Can be seen as the confirmation for an MT 202. 2.4 Introducing key SWIFT messages (1/x)
  • 20. 20
  • 21. 21
  • 22. 22
  • 23. 23
  • 24. 24
  • 25. 25
  • 26. 26
  • 27. 27
  • 28. 28
  • 29. 29
  • 30. 30
  • 31. 31 A lot of stuff goes through SWIFT, on the small message types subset related to transferring money are interesting. First the MT103 is an information message, basically announcing that a target counterparty account will receive money from an internal (or correspondent) account to be debited. Then the MT202 is the inter-bank transfer order, it applies globally to transfer money from a banking institution to another banking institution, covering all individual account level transfer announces relating to the same target institution. Finally the MT950 is the extract that confirms all executed order. It is the bible and references all positions confirmed and executed by the correspondent bank. It is often an end of day extract used by banking institutions for reconciliations. Again, when it comes to SWIFT messages processing from and to the Banking information System in the Bangladesh case, the important aspects here are: SWIFT messages originating from the Bank IS simply needed to be put on the filesystem somewhere to be "slurped" by the SWIFT Alliance Access software integrated the way is was integrated at Bangladesh Central Bank. Confirmation messages back from the SWIFT network were stored and printed. Reconciliation is a manual process from these printed messages.
  • 33. 33 Capitalizing on weaknesses in the security of the Bangladesh Central Bank, hackers attempted to steal around a billion US dollars from the Bangladesh central bank's VOSTRO account with the US Federal Reserve Bank between February 4 and 5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observed how transfers were done, and gained access to the bank's credentials for payment transfers. They used these credentials to authorize about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the Bangladesh Bank VOSTRO to accounts in Sri Lanka and the Philippines. Thirty transactions worth 851 million USD were flagged by the banking system for staff review, but five requests were granted; 20 million USD to Sri Lanka (later recovered), and 81 million USD lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos and a little later transferred to Hong Kong. Summary of the attack (1/2)
  • 34. 34 The attack is impressive and stands out on various levels, in terms of technical means, maturity and complexity for several reasons: Technical Mastery: the usage of a custom Dridex worm to hack the SWIFT Bridge by the bank and likely other malwares to capture the administration credentials In-depth understanding of the worldwide financial market: both the attack shape and the money laundering scheme prove in-depth understanding of financial markets SWIFT knowledge: in-depth Knowledge of the SWIFT messaging details is not that much spread among software engineers Attacking the VOSTRO account of the Bengladesh Central Bank managed at the Fed was brilliant! Such VOSTRO account usually have no limits whatsoever They do not even need to be credited beforehand In addition, since a correspondent bank knows nothing of the customer on behalf the sending bank is acting, its fairly easy to make it believe the transaction is genuine Summary of the attack (2/2)
  • 35. 35 The hackers used a custom version of the Dridex malware to hack software called SWIFT Alliance Access to both make the transactions and hide the evidence. When a message with one of the search terms was found, the malware would do different things depending on the kind of message. Payment orders were modified to increase the amounts being moved, updating the Alliance database with new values. Confirmation messages from the SWIFT network were also modified. Confirmations are printed and stored in the database. Before being printed, the malware would alter the confirmations to show the original, correct transaction value; it also deleted confirmations from the Alliance database entirely. It's still not clear how the initial transactions were entered into the system to trigger the malware in the first place. 3.1 Behaviour of the malware (1/3)
  • 36. 36 The SWIFT network key components haven't been compromised, the malware was targeting the Bangladesh Central Bank's own bride to the SWIFT infrastructure running the SWIFT Alliance Access Software: 3.1 Behaviour of the malware (2/3)
  • 37. 37 If an organization can't keep its endpoint secure, it leaves itself very vulnerable to being electronically robbed. The bank lacked any firewalls and was using second-hand $10 switches on its network. These switches did not allow for the regular LAN to be segmented or otherwise isolated from the SWIFT systems. The lack of network security infrastructure has also hindered the investigation. It's still not known how the hackers penetrated the network, but it looks like the bank didn't make it difficult for them to do so. How the attackers obtained administration credentials is also still unclear. They might have obtained these credentials by using another malware or by exploiting a remotely available vulnerability (not impossible considering the weak security practices in place in the Bangladesh Central Bank) or it might also have been an insider job. So far there are only speculations in this regards. 3.1 Behaviour of the malware (3/3)
  • 38. 38 3.1.1 Forging fraudulent SWIFT messages (1/3) Simplifying a bit the reality, we can picture the malware as forging fraudulent SWIFT messages as follows:
  • 39. 39 3.1.1 Forging fraudulent SWIFT messages (2/3)
  • 40. 40 3.1.1 Forging fraudulent SWIFT messages (3/3)
  • 41. 41 3.1.2 Forging fraudulent SWIFT messages (1/3) Here as well, by simplifying a little the reality, we can picture the malware as intercepting SWIFT confirmations as follows:
  • 42. 42 3.1.2 Forging fraudulent SWIFT messages (2/3)
  • 43. 43 3.1.2 Forging fraudulent SWIFT messages (3/3)
  • 44. 44 What we know of the malware: codenamed Dridex filenamed evtdiag.exe, designed to hide the hacker's tracks by changing information on a SWIFT database within Alliance Access contained the IP address of a server in Egypt the attackers used to monitor the use of the SWIFT system by Bangladesh Bank staff. was compiled close to the date of the heist, contained detailed information about the bank's operations was uploaded from Bangladesh. While that malware was specifically written to attack the Bangladesh Bank, the general tools, techniques and procedures used in the attack may allow the gang to strike again and as a matter of fact there have been attempts discussed by Reuters. It was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials. 3.1.3 The Malware (1/2)
  • 45. 45 The malware was designed to make a slight change to the code of the Access Alliance software installed at the Bangladesh Central Bank, giving attackers the ability to modify a database that logged the bank's activity over the SWIFT network. It could delete records of outgoing transfer requests from the database and also intercept incoming messages confirming transfers ordered by the hackers. It also able to manipulate account balances on logs to prevent the heist from being discovered until after the funds had been laundered. The malware also manipulated the stream of confirmations sent to a printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts. This part went wrong and led the printer to crash. 3.1.3 The Malware (2/2)
  • 46. 46 3.2 Complete overview of the attack (1/8) On February 4, likely after months of preparation, organizationally and technically, gaining access to the systems, developing the custom Dridex worm, obtaining credentials, infecting the systems, etc. The hackers launched the attack.
  • 47. 47 3.2 Complete overview of the attack (2/8) On February 4, unknown hackers sent more than three dozens of fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's VOSTRO account to bank accounts in the Philippines, Sri-Lanka and other parts of Asia.
  • 48. 48 3.2 Complete overview of the attack (3/8) The hackers managed to get 81 million USD sent to Rizal Commercial Banking Corporation (RCBC) in the Philippines via four different transfer requests and an additional 20 million USD sent to Pan Asia Banking in a single request.
  • 49. 49 3.2 Complete overview of the attack (4/8) Fortunately 850 million USD in other transactions managed to be saved initially (thx to the Fed). the losses could have been much higher had the name ”Jupiter” not formed part of the address of a Philippines bank account where the hackers sought to send hundreds of millions of dollars more. “Jupiter” was the name of an oil tanker and a shipping company under United States' sanctions against Iran. That sanctions listing triggered concerns at the Fed.
  • 50. 50 3.2 Complete overview of the attack (5/8) The 81 million USD was deposited into three accounts at a Rizal branch in Manila on Feb. 4. These accounts had all been opened a year earlier in May 2015, but had been inactive with just 500 USD sitting in them until the stolen funds arrived in February this year.
  • 51. 51 3.2 Complete overview of the attack (6/8) Another 20 million USD intended to be sent to Pan Asia Banking have been blocked later in the correspondent bank funds transfer routing process (Deutsche Bank). the hackers misspelled the name of a non-existent NGO, Shalika Foundation, by writing "fandation" instead of "foundation". This prompted the Deutsche Bank, a routing bank, to seek clarification from the Bangladesh central bank, thereby stopping the transaction.
  • 52. 52 3.2 Complete overview of the attack (7/8) But the 81 million USD that went to Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts, reportedly belonging to casinos in the Philippines They were transferred by a money transfer (remittance) company Philrem Services Corporation.
  • 53. 53 The printer error A printer "error" helped Bangladesh Bank discover the heist. The bank's SWIFT bridge (running Alliance Access) was configured to automatically print out confirmations back from correspondent banks. The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty. When bank workers tried to print the reports manually, they couldn't. The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered. The problem is deemed to be an unwanted bug with the worm, a failure in the attack if one likes, since the worm was programmed to remove confirmation of fraudulent payments from the confirmation stream being sent to the printer. When they finally got the software working the next day and were able to restart the printer, dozens of suspicious transactions spit out. The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded. Fortunately, in this case, the Fed clarification requests and the Deutsche Bank request would have anyway alerted the bank, so even if the worm had functioned correctly, the bank would have been made aware of the attack. 3.2 Complete overview of the attack (8/8)
  • 54. 54 3.3 Timeline of the attack (1/9) In every movie about bank robberies, timing is presented as critical. Here as well timing has been an essential concern and brilliantly mastered by the attackers.
  • 55. 55 3.3 Timeline of the attack (2/9)
  • 56. 56 3.3 Timeline of the attack (3/9)
  • 57. 57 3.3 Timeline of the attack (4/9)
  • 58. 58 3.3 Timeline of the attack (5/9)
  • 59. 59 3.3 Timeline of the attack (6/9)
  • 60. 60 3.3 Timeline of the attack (7/9)
  • 61. 61 3.3 Timeline of the attack (8/9)
  • 62. 62 The timing was perfect ! A unique Week-End preceded by a business holiday in Bengladesh and followed by a the Chinese New Year holiday in the Philippines. An ideal situation ! The Fed couldn't get the required clarification from Bangladesh Bank on the next day, because of banking holidays in Bengladesh, and as such didn't attempt to recover the 5 orders that passed immediately. On Monday, the stop orders sent by the Bangladesh bank couldn't be processed by the RCBC to freeze the funds since it was a banking holiday in Philippines. In addition, the chinese new-year and the volume of exchanges in casinos at such occasion made the laundering of the money straightforward, not to mention the Philippines weak AML laws and practices. 3.3 Timeline of the attack (9/9)
  • 63. 63 Getting the money out is also difficult ! Here the laundering scheme was both easy and magnificent. money has been laundered through the Philippines. The 81 million USD was sent to the Philippines to accounts at the Rizal Commercial Banking Corp (RCBC) held by two Chinese nationals (false identities). The money was moved to several Philippine casinos and then subsequently to international bank accounts. Laundering money in a Casino is fairly straightforward... Philippine casinos are exempted of anti-money laundering law that requires them to report suspicious transactions, making them an attractive target for this kind of crime. The volumes and the kind of operations during Chinese New-Year makes everything absolutely untraceable. Bamm ! Done. Money Laundered. 3.4 Laundering of the money
  • 65. 65 What Does the Heist Mean? Even if the hackers didn't compromise the SWIFT network itself, such that all of SWIFT banks were vulnerable, it's still bad news for the global banking system. By targeting the methods that financial institutions use to conduct transactions over the SWIFT network, the hackers undermine a system that until now had been viewed as stalwart. 4. Aftermath (1/6)
  • 66. 66 Who's to Blame? Only the attackers of course ! But still, without such amazing security weaknesses in the Bengladesh Central Bank and with better control and stricter procedures in place at the Fed, the attack would not have been possible. Of course, the Bangladesh Bank blames the Fed for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response. Authorities at the Fed said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others. Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the ones it deemed suspicious. And so on ... 4. Aftermath (2/6)
  • 67. 67 The Bengladesh Bank Aside from the loss of money, the Central Bank's governor, Atiur Rahman has resigned due to the incident. The bank promised to improve their cyber-security and ensure this kind of bank heist is prevented in the future. 4. Aftermath (3/6)
  • 68. 68 The Fed The immediate result of the breach for the New York Fed is a claim from the Bangladesh Bank for payment of lost funds and a potential lawsuit. The Fed focused security resources on other priorities, such as preventing money-laundering and enforcing U.S. economic sanctions, officials with knowledge of the bank's security operations told Reuters. Fed officials took some comfort in the fact that SWIFT's security software had never been cracked. The Bengladesh heist forced the Fed to invest massively in Fraud prevention solutions and better transaction monitoring systems. 4. Aftermath (4/6)
  • 69. 69 Philrem services The Philippine central bank has revoked the license of a remittance company that anti-money laundering investigators said was used to transfer some of the 81 million USD hackers looted from the Bangladesh central bank. The Anti-Money Laundering Council (AMLC) issued a complaint against Philrem Service Corporation on April 28, accusing it of creating a fog around transactions and washing the stolen funds via a web of transfers and currency conversions through Philippine bank accounts, before moving the cash through casinos in Manila and junket operators. 4. Aftermath (5/6)
  • 70. 70 The Philippines The Philippines' involvement in the 100 million USD Bangladesh Bank heist, which has risked its return to the FATF gray list, showed the urgency of putting more teeth into the Anti-Money Laundering Act (AMLA). The law, which was first introduced in 2001, left casinos out of the list of entities required to report suspicious transactions to the AMLC. There were efforts in the Senate to include this provision in the amended AMLA in 2013, but this was blocked by some lawmakers and casinos lobbies. 4. Aftermath (6/6)
  • 72. 72 The heist scares the whole financial system worldwide If the hackers had indeed managed to get away with the terrifyingly large amount of 1 billion USD, this would have easily been the biggest bank heist in history, not to mention cyber heist. Interestingly, these kinds of attacks will be increasingly common and if banks aren't updating their security processes and maintaining their network infrastructures, and the success rates of these attacks will only go up. Imagine the following if the worm had functioned correctly and not blocked the printer, if the Deutsche bank didn't find the typo, if the Fed didn't become suspicious because of the Jupiter keyword, Then the attack might have been a complete success. Not only the attackers would have successfully withdrawn almost one billion US dollars from the Bangladesh bank VOSTRO account at the Fed, but the attack might have been noted only weeks after the facts. 5. Conclusions (1/2)
  • 73. 73 Imagine that the same attack succeeds against european bank for instance In the US and in Europe, the SWIFT interfaces are integrated in an STP (Straight Through Processing) way. There is no such thing as manual reconciliation from some papers printed on a printer. The handling of confirmations and position reconciliation is mostly completely automated. As such, the same attack succeeding in Europe for instance might take months to be discovered and uncovered, only a the moment the big position reconciliations between NOSTRO and VOSTRO accounts in correspondent banks are triggered. Even further, imagine that one of these banks at stakes suspects something They would use SWIFT again to reconcile their views of the truth (MT109 and MT999). These messages can be hacked just as well, in which case the theft may remain uncovered for months. 5. Conclusions (2/2)

Hinweis der Redaktion

  1. Early February 2016 : authorities of Bangladesh Bank were informed that 81 mUSD was illegally taken out of its account with the Federal Reserve Bank of New York using an inter-bank messaging system known as SWIFT The money was moved via SWIFT transfer requests, ending up in bank accounts in the Philippines and laundered in the Philippines' casinos during the chinese New-Year holidays. This is the story of a group of less than 20 cyber-criminals, composed by high profile hackers, engineers, financial experts and banking experts who gathered together to hack the worldwide financial system, by attacking an account of the central bank of Bangladesh, a lower middle income nation and one of the world's most densely populated countries The thieves have stolen this money without any gun, without breaking physically in the bank, without any form of physical violence. (There are victims though, there are always victims in such case, but they haven't suffered any form of physical violence)  These 81 million US dollars disappeared and haven't been recovered yet. The thieves are unknown, untroubled and safe. They actually attempted to steal almost a billion USD!!! In terms of technological and technical mastery, business understanding, financial systems knowledge and timing, this heist was a perfect crime. The execution was brilliant, way beyond any Hollywood scenario. And the bank was actually pretty lucky that that the hackers didn't successfully loot the billion US dollars as they planned, but instead only 81 million. 
  2. (latin words for ours and yours).
  3. In case the money transfer requested by a customer in a foreign currency (here USD for the Bangladesh bank) exceeds some limits or even the reserves of the Bangladesh bank in USDs, the bank decides to go through the VOSTRO account by the correspondent central bank related to the foreign currency (Here the US Fed for USD) and instruct it to proceed with the transfer.  Again, that VOSTRO account doesn't even necessarily need to be credited beforehand, the settlement can happen way later or even never.
  4. There is a relationship between MT103 and MT202, they cross-reference each others (field 21 in MT103 reference MT202 and field 20 in MT202 references all related MT103) filesystem somewhere to be "slurped" by the SWIFT Alliance Access software integrated the way is was integrated at Bangladesh Central Bank. In terms of security of the process, this is more that questionable.
  5. The view above is a simplification of the reality. Actually, the worm was brilliantly implemented since forging from scratch consistent SWIFT announces (MT103) and Money Transfer Orders (MT202) messages would have been more difficult.  Instead, the worm was tampering with genuine messages issued by the Banking Information System and changing the amounts and recipient. This is a lot easier than blank forging.  It is still unclear for now if the initial untampered messages were simply authentic and relevant messages, perhaps duplicated by the worm, or forged through other malwares on different systems. I couldn't find clear information in this regards in all that has been published (if a reader has additional information in this regards, I would be happy to learn about it). Just as a sidenote, whenever an institution such as the Bengladesh central bank sends a SWIFT funds transfer order, it's always in behalf of one of its customer. The SWIFT message(s) indicates the customer for which the bank requests a funds transfer.  Now of course the target correspondent bank cannot know if such customer exist, it doesn't have access to the list of customers of the sending bank. The SWIFT messages tampered by the worm could have been related to any random customer of the Bengladesh bank, this doesn't matter.  The only important aspect was that the beneficiary account and banking institution were the ones intended by the attackers.
  6. The malware was also developed in such a way that it was intercepting confirmation messages (MT950) back from the Fed (from the SWIFT network in fact). Confirmation of genuine orders were supposed to be allowed to pass through untampered while confirmation of fraudulent messages were supposed to be intercepted and hidden.  But the worm was buggy and while tampering with confirmations sent to the printer, it corrupted them somehow which caused the printer to crash. We'll get back to that later. Interestingly, going as far as trying to tamper with confirmations was pure genius (even though it didn't work as expected). Had it worked, the bank might well have noticed the attack weeks after the facts since on both sides of the world (the Fed view and the Bengladesh Central bank view), positions would have been very different but yet consistent, the Fed knowing about the orders, taking them as genuine and the Bangladesh bank would have known nothing about them.  Also, one should note that transfer orders (MT202) are executed immediately. So trying to tamper with confirmations was not intended to give more chance to the transfer to succeed, it was really intended as a way to hide the theft until hopefully after the money is laundered.