What Secures the Central Bank of Bangladesh

security finance April 23, 2016 at 10:58 AM Emin Gün Sirer

Precious little, it turns out.

I often give a hard time to Bitcoin exchanges, for they seem to have a half-life of 1 year, and there is a new and colorful story emerging from some exchange in the ecosystem almost every two weeks or so.

But it turns out that the state of security for regular, accredited financial institutions is no better. To wit, we're getting more details about the successful hack of the Central Bank of Bangladesh, from which hackers managed to extract $80M USD, and would have stolen another $850M were it not for a typo that brought in manual scrutiny. The new details are not at all flattering:

the investigators would not say how the hackers managed to bypass the security solutions on its network.

But in reality, there was no security solution installed to help protect against increasingly sophisticated attacks.

The network computers that were linked through the second-hand routers were connected to the SWIFT global payment network, allowing hackers to gain access to the credentials required to make high-value transfers straight into their own accounts.

"It could be difficult to hack if there was a firewall," forensic investigator Mohammad Shah Alam told Reuters.

I don't think we should place too much faith in initial press reports, but I can see how a contractor could have placed wireless nodes in the trusted zone, behind a firewall -- a common configuration for many enterprises, something many of us employ at our homes, and obviously not suitable for a bank. Frankly, it's not clear at all that a firewall would have prevented an attack where user credentials are stolen. But, at the end of the day, this is a central bank that holds the keys to foreign lines of credit for an entire government, and a country deserves much better.

The bottom line is that the state of computer security is nowhere near where it needs to be to keep high value credentials online.

Breaking into computer systems, once the domain of hobbyists out to have some harmless fun, has now become a big business. Online credentials provide an immediate bounty for hackers who can convert their newfound access into untraceable cash, and get rich from the comfort of their dens by simply probing for vulnerabilities. And given the scale of computer networks, a successful attack that works against the Central Bank of Bangladesh will probably work against at least a few of the other 193 central banks worldwide, not to mention regular banks.

And insider attacks compound the problem. Network engineers who make as little as $100K play a critical role in securing credentials worth billions of dollars. A genuine mistake is indistinguishable from an error inserted on purpose for a conspirator to take advantage of later. If it were not for banks actively suppressing the disclosure of all breaches that don't involve the loss of customer information, we'd hear much more about insider attacks against financial institutions.

There are a few ways out of this mess: (1) figure out how to build systems that can resist such attacks, (2) build layers of safeguards and detection mechanisms that can catch such attacks without manual intervention, and (3) bolster the traceability of money such that attacks, detected post facto, can be undone. We seem to be pursuing all three, but at a glacial pace and without coordination. Let's see which central bank gets hit next.