We had been basking in our success in the use of cyberspace. We did not realize, however, that there were gaps within our security systems and that the human mind which had created digitalization was also capable of discovering ways and using them to profit from the nuances of cybercrime.
The first rude awakening came after the discovery of, and complaints filed about, misuse of ATM machines belonging to some banks and withdrawal of large amounts of money from different private accounts without the authorization of the account holders. This led to the arrest by the authorities of 14 persons on 4 March. They included 12 foreign nationals who were members of an international cybercrime fraud gang. They had fraudulently used social media platforms and also hacked the identities of individual customers to carry out their nefarious act.
This persuaded the Bangladesh Bank to recommend that all banks and financial institutions ensure cyber-security governance. They were also urged to assess existing technical gaps and vulnerabilities through a comprehensive cyber-security risk study. In this context the Bangladesh Bank also reiterated that cyber security should be treated by all financial institutions as a collective responsibility. It was also acknowledged by the Central Bank that “Bangladesh remains vulnerable to cyber-attacks because traditional cyber defenses such as anti-virus software and firewalls are proving ineffective against new threat vectors such as zero-day-malware and Advanced Persistent Threats (APT)”. Such measures were recommended by the Bangladesh Bank because such cyber attacks were seen as being capable of causing financial loss and creating a reputational risk. This was an indirect acknowledgement of actors in the cyber scene who might be independent individual hackers or part of a sophisticated, well-resourced crime syndicate.
However, the disappointing aspect of this sermon from the Bangladesh Bank was that, while giving necessary advice to all concerned, they had forgotten to heed their own suggestions and failed to take adequate precautions for their own institution and its relationship with other associated financial partners abroad. This failure on their part had been kept confidential and away from the Bangladesh media.
The first hint of trouble came through media reports originating from the Philippine Daily Inquirer which reported on 29 February that Philippine financial regulators were investigating an estimated US$ 100 million bank heist. The newspaper also mentioned that Bangladeshi authorities had obtained requisite information that the stolen funds were wired through the Fed to the Rizal Commercial Banking Corporation (RCBC) in the Philippines. From there, the cash was transferred to at least three Filipino casinos: Solaire Resort and Casino, City of Dreams, and Midas. At the casinos, someone converted the cash into chips for betting and then reconverted the chips into cash. This money was then sent to bank accounts in Hong Kong. An additional fund of about US$ 21 million was also transferred illegally to a third party in Sri Lanka.
After that the story gradually surfaced. Subsequently, the Bangladeshi media revealed that the false transfer orders to the Philippines included fraudulent payment orders of US$ 25 million for the Kanchpur, Meghna and Gumti 2nd Bridge Construction Project, US$ 30 million for the Dhaka Mass Rapid Transport Development Project, US$ 6 million for the IPFF project cell and US$ 19 million for the Bheramara Combined Cycle Power Plant Development Project. A ranking official of Pagcor, which is in charge of regulating gaming activities in the Philippines, has said that the funds were split into a $26-million tranche that was channeled into the account of Solaire Resort and Casino and a $20-million tranche that was directed to the accounts of Eastern Hawaii Casino and Resort at the Cagayan Economic Zone Authority in Santa Ana, Cagayan province. The two tranches, totaling $46 million, represented 56 percent of the stolen money that entered the Philippine financial system between Feb. 5 and Feb. 9, 2016.
Jim Finkle, an analyst on cybercrime, noted that the perpetrators of the approximate US$100 million digital heist from the reserves of Bangladesh's central bank had deep knowledge of the institution's internal workings, likely gained by spying on bank workers. Unknown hackers, it turned out, had breached the Bangladesh Bank account on 4 February, stolen credentials for payment transfers and then ordered transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank.
As expected, the Bangladesh government officials blamed the Fed for the attack when they disclosed the loss. The New York Fed responded by saying there was no evidence that its systems were compromised in the attack, one of the biggest bank thefts in history. The Fed also pointed out that it had followed normal procedures when responding to requests that appeared to be from Bangladesh Bank. This was done because the requests were made and authenticated over SWIFT. Belgian-based SWIFT, it may be noted, is a member-owned cooperative that banks use for account transfer requests and other secure messages. Security experts of the Fed also commented that to pull off the attack, cyber criminals had to first gather information about Bangladesh Bank's procedures for ordering transfers, so that the fraudulent requests would not raise red flags. In addition, experts in banking fraud also mentioned that, in addition to stealing credentials for processing transfers, the hackers in all likelihood also spied on Bangladesh Bank staff to get a deeper understanding of the central bank's operations. There was also the possibility that some of them might have discreetly assisted in the hacking process. Kayvan Alikhani, a senior Director with security firm RSA, also indicated that in addition to user names and passwords for accessing SWIFT, the hackers likely needed to obtain cryptographic keys that authenticated the senders. Such certificates might have been copied and used by impostors if they were not properly secured.
The Bangladesh Finance Minister has gone on record that he as well as the Bank and Financial Institutions Division Secretary had been kept in the dark by the Bangladesh Bank about the crisis. One has to agree with him that this was totally unacceptable.
In this context, Dr. Atiur Rahman, the Governor of Bangladesh Bank at the time of the occurrence of the cyber-heist, has on 15 March, on his return from an official meeting in New Delhi, voluntarily submitted his resignation from his post. By doing so he has acknowledged his moral responsibility and set an example for others to follow. Former Secretary Fazle Kabir has been appointed in his place. Two Deputy Governors of the Bangladesh Bank, M. A. Quasem and Nazneen Sultana, have also faced the axe. It has also been reported that a high-powered Committee headed by former Bangladesh Bank Governor Dr. M. Farashuddin has been constituted to investigate all aspects related to this criminal transaction. Those found guilty must also face the music.
We must not have a repeat of the mal-governance that we have witnessed in the case of recovery of lost funds through scams carried out in the Sonali Bank, the BASIC Bank, the Hall Mark Group, the Bismillah Group and some other institutions. Lack of dispensation of justice with regard to the criminal activities carried out by these Groups in collaboration with corrupt bank officials still continues to irritate public opinion.
The government is also taking necessary legal steps to try and recover the missing funds. Bangladeshi, American, and Filipino officials are now working closely to get to the bottom of the mystery. Bangladesh has reportedly already retrieved around $20 million that was laundered and forwarded to Sri Lanka. The Sri Lankan and Filipino authorities need to be thanked for their close cooperation.
Interestingly, it was also revealed in the second week of March that, most fortunately, though the hackers had tried to transfer illegally another $870 million from the Bangladesh Bank's account at the Fed, they had been unable to carry out their operations through the international banking system because regulators detected that something was fishy and blocked the transfer. A spelling mistake prevented the illegal shifting of money. Apparently the hackers misspelled the name of the NGO to whom the money was going to be transferred. Instead of “foundation” the hackers had spelt it as “fandation”. This prompted a routing bank, Deutsche Bank, to seek clarification from the Bangladesh Bank, which stopped the transaction.
The seriousness of the situation is indicated by the fact that last year, Russia’s computer security company, Kaspersky Lab, reported that a gang of cyber criminals had stolen as much as US$ 1 billion from nearly 100 financial institutions around the world over the previous two years. The hard-working people of Bangladesh have now been victims of such a carefully pre-planned scam that saw five Philippine nationals open five US Dollar accounts in a Philippines bank for the purpose of defrauding Bangladesh Bank on 15 May, 2015. It has also been learnt that hackers installed malicious software into the Bangladesh Bank system in January, 2016. This helped them to gain knowledge of the Bangladesh Bank’s working methods before initiating the process of the heist.
It is understood that the Bangladesh Bank has sought cooperation from the Federal Bureau of Investigation to recover the stolen funds. US Embassy Officials in Dhaka have apparently responded positively. In addition, experienced information technology consultants from the World Bank and Bangladesh have also been appointed to help investigate and collect information on the existing cyber security system (that assists in the functioning of the back office) related to the Accounts and Budgeting Department of the Bangladesh Bank. FireEye Inc’s Mandiant Forensics Division is also helping in the investigation. Experts believe that on conclusion of the current inquiry, steps will be taken by the Bank to install new software to make the Bangladesh Bank activities safer.
Unfortunately, while the Bangladesh Bank was so pro-active in advising how to stop ATM fraud in other financial institutions, it forgot that the adage “Prevention is better than cure” also applies to it. Cybercrimes, we need to remember, cover a range of offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks.
Due to easily exploitable laws, cybercriminals use developing countries in order to evade detection and prosecution from law enforcement. Laws against cybercrime in these countries are weak or sometimes nonexistent. Such crimes may threaten a nation’s security and financial health. It is also clear that both governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Unfortunately, it appears that the regulatory regime regarding control of cybercrime or server management (in the case of e-commerce) is weak in Bangladesh. It might be useful to seriously study the European Union Directive 2013/40/EU, the offences enumerated within the Directive and other definitions and procedural institutions as enumerated in the Council of Europe’s Convention on Cybercrime.
We need to remove our deficiencies, the sooner the better. This is vital to restore faith in our financial system among foreign investors, lenders and buyers (of our products).
Muhammad Zamir, a former ambassador, is an analyst specialised in foreign affairs, right to information and good governance. He can be reached at [email protected]
Editor : M. Shamsur Rahman
Published by the Editor on behalf of Independent Publications Limited at Media Printers, 446/H, Tejgaon I/A, Dhaka-1215.
Editorial, News & Commercial Offices : Beximco Media Complex, 149-150 Tejgaon I/A, Dhaka-1208, Bangladesh. GPO Box No. 934, Dhaka-1000.