As the Central Bank of Bangladesh threatens to sue the Federal Reserve Bank of New York over at least $80 million stolen from its account there, the Fed says its systems were not compromised.
On Feb. 4 and 5, hackers broke into the Central Bank of Bangladesh's servers and stole its credentials for Swift payment transfers, two Bangladesh bank officials told the New York Post.
On Feb. 5, the hackers used those credentials to wire money from the bank's account at the New York Fed to accounts in the Philippines and Sri Lanka, Agence France-Press reported.
-
A cybercrime ring that reportedly stole $1 billion from banks around the world last year is back, using different tactics. For one thing, it's more often going after banks' corporate customers, making its activities harder for banks to detect.
February 11 -
Some say the U.S. payments infrastructure is a prime target for government-sponsored cybercriminals. But the aged and fragmented nature of our infrastructure could, for once, work in its favor.
February 9 -
WASHINGTON The financial services sector has been sharing information on cyber threats despite potential legal ramifications, but passage of a cybersecurity bill still winding its way through Congress may put those handshake deals into writing and bolster cyber-defenses.
November 4
The New York Fed did not deny that the theft happened, but said its systems weren't breached.
"To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised," a spokesperson said. "The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate."
Swift and the Central Bank of Bangladesh did not respond to requests for an interview. (It was midnight in Bangladesh at deadline.)
"Swift does not comment on individual users or messages, but can confirm it is in contact with the parties concerned," the organization said in a statement cited by Reuters and Fortune.
"Messages sent over Swift are authenticated between sending and receiving institutions. There is no indication that our network has been compromised," it said.
Access to the Swift messaging system requires credentials stored on dedicated
The New York Fed did see signs of unusual activity after the fact — Bangladeshi officials told Reuters that the unusually high number of payment instructions and the transfer requests to private entities, rather than other banks, made the Fed suspicious and that it alerted the Bangladesh bank. But its fraud detection systems did not catch the transactions before they went through.
In an interesting wrinkle in this case, Reuters reported that one of the hackers' attempts to steal from the Bangladesh Bank was foiled due to a misspelling.
While four requests to transfer a total of $81 million to the Philippines went through, a fifth, for $20 million, to a Sri Lankan nonprofit organization, got held up because the hackers misspelled the name of the organization, Reuters reported. Instead of "foundation," the hackers typed "fandation." This prompted a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction.