Bangladesh Bank Hack and US Regulations

Eighty-one million dollars remain unrecovered after hackers targeted the central bank in Bangladesh with the initial intent to steal closer to one billion dollars. That the central bank of a country could be attacked and compromised raises uncomfortable questions about the security of banks in the United States.

The attackers exploited multiple vulnerabilities to gain access to the money and subsequently transfer it. BAE Systems has released a detailed technical write-up on the likely approach taken by the hackers.

In simple terms, the Bangladesh central bank had no firewall in place to protect its network from intrusion. Additionally, the bank's decision to employ inexpensive routers made network access easier. The combination of compromised routers and the lack of a firewall then led to the compromise of the SWIFT network, as it was not segmented from the rest of the network. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) network normally provides a secure, standardized and reliable environment in which financial organizations may transfer information regarding financial transactions. By compromising the SWIFT network, the Bangladeshi bank attackers were able to hide their illegal activity until they were discovered due to a typo.

What about the security of U.S.-based banks?

Financial institutions here in the United States face a multitude of regulations:

  • The Federal Deposit Insurance Corporation (FDIC), which provides deposit insurance to depositors, says that FDIC insurance protection “does not apply in the case of theft or fraud.” The onus is on individual banks to carry protection against physical and cyber theft.
  • The Federal Information Security Management Act (FISMA) requires government institutions to have security measures in place, but many critics argue FISMA is nothing more than a mandated checklist. U.S. governmental organizations typically score at or near the bottom on security in independent research reports.
  • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to notify customers of their privacy practices through an annual notice. Per GLBA, financial institutions must also establish comprehensive security programs in order to protect consumers’ data.
  • The Payment Card Industry Data Security Standard (PCI DSS) mandates the highest security requirements in order to protect cardholder data and the institutions that process it. Unlike in the case of the Bangladeshi bank, here in the U.S., organizations must install and maintain a firewall for the protection of cardholder data per the PCI DSS.

Is our money more secure?

There are certainly many regulations in place. However, it is important to remember a simple mantra any information security professional will agree with: nothing is ever truly secure. Even if you lock your car, there is still a chance that it may be broken into.

The fight against cyber-attacks may seem daunting, especially when we hear about the success of an attack on a central bank. With so much hinging on the vigilance of security staff and company employees, many organizations feel that they have limited understanding of how to handle this risk. 

There are numerous tools available which can help any organization improve its security posture. DarkOwl Vision provides access to Dark Net big data, which gives organizations the potential to find and monitor chatter on the dark net and to detect stolen or hacked data. DarkOwl’s customers have found leaked and compromised data; recently, one of our clients found chatter related to planning an attack and was able to thwart it based on the information learned.