Management
07/05/2016

New York Fed Feared Similar Cyber Heists Even Before Massive Bangladesh Bank Heist




Senior Fed security officials examined the risk of a large cyber attack but judged the prospect unlikely in the years before hackers stole $81 million from a Bangladesh central bank account at the Federal Reserve Bank of New York, reports Reuters.
 
According to interviews with seven current and former New York Fed officials and a former U.S. government official familiar with the discussions, the Fed managers worried that lax security procedures and outdated technology at some foreign central banks could allow cyber-criminals to commandeer local computers and breach foreign accounts at the U.S. central bank.
 
According to Fed and government officials, the risk of an attack made using the banking system’s communications network, known as SWIFT, has been discussed over several years by the New York Fed and Federal Bureau of Investigation officials.
 
 “The New York Fed was concerned with lots of vulnerabilities. SWIFT was one of them,” said the former government official to Reuters.
 
Officials with knowledge of the bank’s security operations told Reuters that the Fed instead focused security resources on other priorities, such as preventing money-laundering and enforcing U.S. economic sanctions. Sources said that the fact that SWIFT’s security software had never been cracked provided some sort of comfort for the Fed officials.
 
A claim from the Bangladesh Bank for payment of lost funds and a potential lawsuit is the immediate result of the breach for the New York Fed. The U.S. central bank well understood a potentially systemic risk to a vital global finance network but was unable or unwilling to address it. There was no comment from the New York Fed on its past security priorities or on whether it had made changes since the heist. SWIFT declined to comment.
 
One well-placed official with knowledge of the discussions told Reuters that the threat of fraudulent transfers ordered through SWIFT, a “fat tail risk” (a statistical term for events with low probability but dire consequences), was considered by some New York Fed officials before the heist. February’s theft from the Bangladesh Bank fit that definition: a bold cyber heist in which thieves attempted to withdraw nearly $1 billion in dozens of requests. Because the conduit for the theft was the SWIFT network, short for the Society for Worldwide Interbank Financial Telecommunication, it left the banking industry rattled. SWIFT connects about 11,000 financial institutions globally that use it to order money transfers.
 
“What everyone is realizing right now is that no one has ever really appreciated the risk,” said the person with direct knowledge of the New York Fed’s deliberations.
 
The scheme involved altering SWIFT software on Bangladesh Bank computers to hide evidence of fraudulent transfers, SWIFT said. SWIFT acknowledged last week that the Bangladesh Bank attack was not an isolated incident but one of a number of recent criminal schemes aimed at its messaging platform.
 
(Source: www.reuters.com)

Christopher J. Mitchell