Bangladesh Bank Heist – An Ethical Overlook

9.      INTRODUCTION

The Bangladesh bank heist is one of the example for hackers exploiting the poor security measures of the system and also carelessness by the bank authorities. On 4th February, 2016 a hacker group called Lazarus successfully made 35 malicious payments transaction worth 951 million USD from the Bangladesh Central bank via the New York federal bank. Though the heist took place on 2016, the planning for the heist started way back in may 2015. The hackers created four accounts in the RCBC bank in Philippines and left the account dormant without any transactions. On January 2016, a Bangladesh bank employee while checking the mail inadvertently opened an infected email and led to installation of malicious programs that provided the backdoor for the hackers to gain access and initiate the transactions within the network. Hiding in plain sight the intruders started to spy on the bankers and studied the bank’s operational procedures.

On February fourth, the hackers using the legitimate SWIFT credentials they possessed from the malicious program took control of the SWIFT terminals. The hackers then processed 35 phony transfer request amounting to 951 million USD was sent to the federal reserve bank of New York.

The Bangladesh bank employees back from their weekend were trying to fix the broken printer which was connect to the SWIFT network. The printer hadn’t been working for the past few days hence the real time transfer confirmations were backlogged. The hackers were responsible for stalling the printer and the irresponsibility of the employee to resolve the printer led to successful accomplishment of the heist, meanwhile 20 million USD arrived from New York to a Pan Asia bank account in Sri Lanka, similarly all the remaining transactions from the New York Federal reserve bank started to rollout. Meanwhile the printer started to work and the Bangladesh bank employees started to see the transfer confirmation copies from the federal bank and panicked. The Bangladesh bank tried to send a stop payment order but since it was a Sunday there was no one there to respond in New York. The automated transaction system in New York had flagged thirty of the transactions for manual review since one of the word on the SWIFT order matched the name of a shipping company that was blacklisted by U.S, 870 million USD worth of transactions were blocked. The remaining transactions were successfully carried out however the first transfer worth 20 million USD reached an account in Sri Lanka via a routing bank and was deposited to a company called Shalika Foundation. An employee at the Pan Asia bank, Sri Lanka noticed that there was something odd with the transaction and reverted the transactions. The remaining four transactions were routed to the four bank accounts created by the hackers at the RCBC bank in Philippines.

II. Literature Review

The Bangladesh Bank Heist is one of the major cyber attack in the recent times and various articles were published by various sources in the internet. The Dhaka tribune, the national news paper media in Bangladesh reported the attack exclusively and reported that the bank attack was state sponsored attack as the government didn’t publish the report of the probe committee.[1] Meanwhile, according to a Reuters report an FBI officer in the Philippines who has been involved in the investigations said the heist of $81 million from the Bangladesh central bank’s was state.[1]

The al jazeera, a doha based media company reported that The crime transfixed the then-governor of Bangladesh Bank, Atiur Rahman he said that it was similar to a terrorist planned attack.[2] It revealed weaknesses in the supposedly secure global money transfer system known as SWIFT, which banks use to move billions of dollars daily between themselves. [2] The 81 million USD were deposited into the account in RCBC and due to poor monitoring and lax procedures. The money from these accounts were quickly withdrawn and laundered through casinos with the electronic money transfers the money was converted into hard untraceable cash.

III. Liffick Analysis

A.  List participants and their action

Primary Participant

Bangladesh Bank Employee:

• Accessing a malicious e-mail inadvertently without adhering to the cooperate ethics and security measures.
• Not reporting the malicious e-mail immediately to the IT team for further assistance.
• Lack of professional knowledge
• Lethargy in resolving the printer issue which otherwise would have helped in stopping the heist.

Bangladesh Bank:

• The Governor of the Central Bank was responsible managing his employees and due to his poor management the heist took place.
• The Security Systems in the bank were not strong enough to detect the malware installed in their network.
•  The bank failed to improve the security standards as there was early such breaches in 2013.
• The bank was reckless to the malfunction of the firewall which costed them 81 million USD

Philippines Bank:

• The bank could have got suspicious upon receiving such a huge transaction in the four accounts, which were lying dormant for almost a year.
• The bank was responsible for transferring the whole fund to a casino which was unprofessional since it was a common practise to laundry the black money to white money through casinos
• The mode of payment was in cash which was abnormal for such a huge sum. [3]
• The mechanism of transfer of money to the casino was also not transparent. [3]

New York Federal Bank:

  Though the Federal Bank stopped the 31 transactions but still the system couldn’t detect the 4 fraudulent transactions hence there needed to be some improvement in the real time automated fraudulent detection system.

SWIFT:

Though SWIFT was not responsible for the heist to take place, the weakness in the system gave access to the hackers to make the fraudulent money transfers.

B. Reduced List

 Since the Bangladesh Bank Employee and the Bangladesh Bank itself come under the same organization so it’s reasonable to consider them as one participant and as a whole the Bangladesh Bank lacked both professionalism and Security measures to safeguard the money of the taxpayers. 

 Since SWIFT really didn’t have any fault in their system and wasn’t the reason for the heist and the individuals at the Bangladesh bank were at fault for letting the SWIFT network get exploited by the malware, so we can eliminate SWIFT from the list.

 The Federal Bank of New York were actually responsible for alarming the 31 phony transaction request and hence they actually helped in stopping the heist

C. Legal Considerations

 One of the major Legal Considerations in the Bangladesh Bank Heist is the money laundering done by the Philippines bank through the local casinos.               This was due to the lack of robust money laundering laws in Philippines. Hence the hackers used this loophole as the destination to perform their illicit operation. According to the FATF, Philippines was blacklisted for uncooperative in the fight against money laundering [4]. The report states that the Philippines lacks a basic set of anti-money laundering regulations. Bank records have been under excessive secrecy provisions. Philippines didn’t have any specific legislation to criminalize money laundering. Furthermore, an automated suspicious transaction reporting system does not exist in the banks [4]. The Anti Money Laundering Act (AMLA) was passed by the Philippines government in the early 2001 but casinos were not included in the covered institutions. Despite having such acts, Philippines had past records of many money laundering activities. The unyielding secrecy laws in the RCBC bank made it hard for the bank to disclose any details to the FBI while investigating

 In Bangladesh after the outbreak, the Heist exposed the deficient legal framework in the nation. Copious vulnerability was exposed by the Bangladesh bank heist. This resulted in the resigning of the Bangladesh Central Bank governor and firing of four other associates.

D. Possible Options for Participants:

 The bank employee had the option to resolve the printer issue immediately without delaying it and hence could have averted the issue but they failed to do so which costed in hindering the stopping of payment. The bank failed to improve the security measures of their network which resulted in the breaching of their database. The Governor of the bangladesh central bank could have taken precautions to avert such cyber attack earlier by insisting on high standard of security protocols but he failed to do so.

 unlike the Sri lanka bank, the philippines bank failed to detect or get suspicious about the fraudulent money trasanctions, this is due to poor executive adiminstation by the employee of the philippines bank. The employee could have alarmed the bank over sudden deposition of 80 million dollars in the four accounts of the hackers. The Philippines bank also had their hand in laundering the cash immediately through the casinos. The employee in the bank could have refused to laundry the money.

E. Possible Justification for the participant’s Action:

 In the Case Study of Bangladesh Bank Heist, the actions of the SWIFT could be justified since their system really didn’t have any flaw as the hackers were able to access the secure SWIFT creditenials from the Bangladesh Bank. Hence their action to pass the transaction request can’t be wronged. Similiar the Federal Bank in New York did it’s job to approve the transaction since the request came from the trusted SWIFT. However the federal bank was able to detect the phony transactions based on previous blacklisted hits. Hence we can justify the actions of the SWIFT and Federal Bank of New York as they weren’t involved in the heist.

 However no solid justification can be given for the actions of the RCBC bank and the Bangladesh Bank since both had flaws within their organisation. The Bangladesh bank can justify their action by saying being an banking sector the emploee didn’t have much knowledge over the security protocols and malware attacks. Printer issues were quite common and hence was neglected to be repaired later. RCBC being a humongous bank would have neglected the deposition of 81 million USD into the hackers account since there would be millions of transactions happening. Also the RCBC can defend by saying due to poor Anti Money Laundering Acts, the bank had took advantage over it and sent the money to casions.

F. Key Statements:

“..Though the heist took place on 2016, the planning for the heist started way back in may 2015..”

“…SWIFT uses military graded security for money transaction across the globe. SWIFT doesn’t facilitate the transfer of the actual funds but provides trusted payment orders between accounts which then the bank acts on…”

“…Why New York? because the Bangladesh bank owns an account with billions of dollars in it meant for international settlements…”

“..The printer hadn’t been working for the past few days and the employee were lethargic over resolving it immediately. Hence the real time transfer confirmations were backlogged…”

“…The Bangladesh bank tried to send a stop payment order but since it was a Sunday there was no one there to respond in New York…”

“…The automated transaction system in New York had flagged thirty of the transactions for manual review since one of the word on the SWIFT order matched the name of a shipping company that was blacklisted by U.S, 870 million USD worth of transactions were blocked….”

G. Questions Raised:

How secure were the security firewall of the bank in order to prevent the intrusion attack? Being an online banking provider they are ought to be secured with a high standard firewall system to avoid malware attacks but in the case of Bangladesh bank heist, the bank failed to install such highly secured security systems.

How safe is the taxpayers money post such cyber attack? The answer to this question still is ambiguous since Bangladesh being in the progressive country is still trying hard to improve it standards but due to various factors like corruption, it’s not able to achieve it.

How ethical was the RCBC bank? By directly involving in transferring the money to casinos the morality of the bank was impaired and hence leaving the question to the readers how virtuous is the RCBC bank

How the secrecy laws in Philippines helped in covering the unfair activities? The secrecy laws in Philippines were poorly drafted which helped the authorities to undergo various unethical activities using the loopholes.

H. Analogies Employed 

The Bangladesh bank heist incident is similar to the activities of the Carbanak hacking group that stole more than 1 billion USD from financial institutions in 2015.  In both cases, attackers infiltrated the network and employed the highest level of insider access possible. Once inside the bank’s networks, attackers hide in plain sight and watched internal processes and procedures in order to carry out the next stage of their plan with minimal risk of detection.  In the case of Carbanak, it was ATM fraud, cash transactions and money transfers. But with Bangladesh bank heist, it was in the form of a series of transfer requests across the SWIFT[5]

Meanwhile, SWIFT – the global financial messaging network – has subsequently warned of another second malware attack targeting a commercial bank, believed to be Vietnam’s Tien Phong Bank.  In a statement, Swift noted that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.[5]

I. Code Of Ethics Utilized:

We can infer that the Bangladesh bank as well as the Philippines bank failed to follow many codes of ethics they failed to know and respect the existing rules pertaining to professional work. The bank failed to design and implement systems that are robustly. They failed to honor confidentiality and failed to take fare action The Employee of the Bangladesh bank were irresponsible in discharging their duty and failed to adhere to the ethics of work.

J. Alternative Proposals:

•    Pessimistic: The Philippines bank had done the right decision by sending the money to the casinos since it was the customer’s request and being a customer oriented bank the RCBC cleared the request and the loss of money was fault of the Bangladesh bank since it failed to have the necessary security systems.
•    Optimistic: The Bangladesh bank heist disclosed the weak security systems in the Bangladesh central bank and also the governor of the central bank along with four other employees were fired due to this issue. Hence this will lead to developing better security systems in banks not just in Bangladesh but in other nations as well and also brought out the unethical actions taken by the employees of the Philippines bank in order to launder the money and thus exposed the secrecy laws in Philippines. Thus encouraging the nation to change the acts and eradicate loopholes in the system
•    Compromise: Thought Bangladesh failed to safeguard the taxpayer money, the Philippines bank could have acted ethical and helped the Bangladesh bank to recover the money instead of letting the money to transfer to the casinos

IV. Conclusion:

 The Bangladesh Bank Heist is a classic example of unethical practices both intentionally and unintentionally in a system. It also showcased how the pan asia bank in Sri Lanka acted ethical in alarming the phony transaction while some unprofessional banks like the RCBC bank were involved in the action. The Bangladesh bank learnt their lessons at the expense of 81 million USD. If they were professional and skilled such incident would have never occurred.

V. References:

[1] Shariful Islam, “What type of attack was the central bank reserve heist?”, Available: dhakatribune, https://www.dhakatribune.com/business/banks/2018/02/04/type-attack-central-bank-reserve-heist [Accessed: Nov10, 2018]

[2] Al Jazeera, “Hacked: The Bangladesh Bank Heist”, Available: al jazeera, https://www.aljazeera.com/programmes/101east/2018/05/hacked-bangladesh-bank-heist-180523070038069.html [Accessed: Nov. 10, 2018]

[3] Karen Lema, “Philippine bank and Bangladesh play blame game over missing millions”, Available: reuters, https://www.reuters.com/article/us-cyber-heist-bangladesh-philippines-idUSKBN13O0ZP [Accessed: Nov 13, 2018]

[4] FATF, “Fatf blacklist”, Available: ipfs, https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/FATF_blacklist.html [Accessed: Nov 13, 2018]

[5] Matt Middleton-Leal, “BANKINGLEARNING THE LESSONS OF THE BANGLADESH BANK HEIST”, Available: financedigest, https://www.financedigest.com/learning-the-lessons-of-the-bangladesh-bank-heist.html [Accessed: Nov 13, 2018]