On February 4th, a series of events began that would sap $81 million from Bangladeshi banks and eventually cause us to question the security behind the SWIFT protocol, the global standard for banking security.
Let’s take a few steps back and explain what happened in case you didn’t catch the news at the time.
Bangladeshi bankers arrived at work on Monday, February 8th with the intention of doing what they normally do: reconcile a box of printed transaction records from the weekend before. But there was a problem. The box was empty. Upon review, it turned out that an essential file used to connect their printer to the SWIFT network was either missing or corrupted. When the issue was resolved a day later, what showed up on the transaction records must have made someone in that office lose their sh*t. They would have seen over 35 pending requests to move $951 million out of Bangladeshi accounts via the New York Federal Reserve, and into unknown private accounts in the Philippines and Sri Lanka.
A confluence of amazing luck and skill culminated in one of the biggest bank heists in history. In fact, the damage could have been a lot worse if it hadn’t been for a spelling error on a transfer form going through the Deutsche Bank. A transfer of $20 million to a Sri Lankan ‘NGO’, the Shalika Foundation, was suspended by the German bank because ‘foundation’ was misspelled ‘fandation’. That error started a chain of events that turned a would-be billion-dollar heist into one that would just cost the bank $81 million.
Nevertheless, $81 million is a lot of money, and authorities still aren’t completely sure how this happened, but one thing is clear: SWIFT played a big role in enabling the theft. According to FireEye Inc., a security firm hired to look into the event, a network of groups likely hacked into the SWIFT platform software installed on banking servers through an internal messaging app. The malware was built with full knowledge that Bangladeshi server security practices were poor at best — no firewalls plus decrepit server switches — and took full advantage of good timing and terrible infrastructure.
Behind the scenes, the event has helped galvanise an idea in the financial community, one that’s been nagging at banking security experts for some time. Even though SWIFT is an encompassing system of standard protocols for fund transfers, it is finally failing the test of time as advanced groups of hackers expose new vulnerabilities in the system. If standardized banking is going to continue, it’s going to have to be on the back of different tech than the type currently utilized via SWIFT.
The scary part is that we don’t even know how frequently groups manage to maliciously compromise banking systems. Many overseas banks are under no obligation to make breaches public, and it’s unknown how many were silently dealt with before this massive attack. The fact that a spelling error was all that stood in the way of $81 million turning into $945 million should prove to be a major wake-up call for global banks.
Of course, blockchain continues to stand at the back of the room waving its hands impatiently and yelling, “What about me?!”
If the efficiency argument for blockchain can’t bring bankers to the table, then perhaps this recent security breach can. By implementing a trustless distributed ledger, banks would not only cut transfer confirmation times dramatically, but could create a network that would make SWIFT’s security look rookie in comparison.
It’s going to take a while for the dust to settle on this latest fiasco, but the folks building out blockchain prototypes are sure to be using this to build their case for why blockchain tech should be an integral part of the financial world in the years ahead.