NY Fed rejected, then later approved $81 million bank heist

The Fed branch had denied 35 fraudulent requests to transfer money from the Bangladesh Bank to accounts in the Philippines and Sri Lanka because they weren’t formatted properly for SWIFT messages, kind of like not clicking on spam email after noticing typos. The hackers resubmitted them in proper SWIFT format and they were authenticated by the messaging system, but the Fed blocked 30 of them anyway for later review. It scrubbed one last $20 million request thanks to an actual typo noticed by a German routing bank, but the four that weren’t flagged netted the hackers $81 million.

A source told Reuters that anomalies in those last four requests should have alerted the New York Fed: the money was to be paid to individuals, which was rare for the Bangladesh Bank, and the fake names on the requests appeared on some of the other 30 that the Fed had blocked. Yet an investigation after the heist revealed that cheap second-hand switches used to network the Bangladesh Bank’s computers and the lack of a proper firewall enabled the hackers to break in and steal bank credentials to make the requests.

In response to this and other similar fraudulent money transfers, the cooperative behind the SWIFT financial messaging system has announced a plan to help banks improve their overall security. But since banks apply SWIFT policies at their discretion, the cooperative’s plan hinges mostly on educating banks to avoid compromising their operations.