How to steal a cyber billion swiftly
At the heart of the attack was a “sophisticated knowledge of specific operational controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”
But also… a bit of malware which targeted the bank’s PDF reader.
As we’ve had it explained by Swift on Friday, the malware essentially created a decoy interface which obfuscated the true state of underlying accounts, ensuring the spent transactions went unnoticed by the impacted institution for longer than would otherwise be normal.
In physical real-world robbery terms that would be the equivalent of stealing a rare piece of artwork and replacing it with a fake, just to avoid detection.
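The decoy-interface technique described above is countered by never trusting the rendered statement alone. As an added defensive example (not code from the original post or from Swift), this Python reconciliation rebuilds the expected position from an independent log of transfers actually sent and flags lines the rendered view hides or alters; the gateway log, statement lines and balances are constructed sample values.

```python
"""Out-of-band reconciliation of a rendered statement against an independent log.

Constructed example: a locally rendered statement can be falsified by malware, so
the check rebuilds the expected position from a record the viewer cannot touch
(here, the messaging gateway's own log of what was sent) and compares line by line.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    ref: str          # message reference (constructed values below)
    beneficiary: str
    amount: Decimal   # outgoing amount


def reconcile(opening: Decimal, sent: list[Transfer], displayed: list[Transfer],
              displayed_closing: Decimal) -> dict:
    """Compare the independent log of sent transfers with the rendered statement."""
    shown = {t.ref: t for t in displayed}
    # Transfers that left the bank but never appear on the displayed statement.
    hidden = [t for t in sent if t.ref not in shown]
    # Transfers shown with a different amount or beneficiary than what was sent.
    altered = [(t, shown[t.ref]) for t in sent
               if t.ref in shown and (shown[t.ref].amount != t.amount
                                      or shown[t.ref].beneficiary != t.beneficiary)]
    expected_closing = opening - sum((t.amount for t in sent), Decimal(0))
    return {
        "hidden": hidden,
        "altered": altered,
        "expected_closing": expected_closing,
        "balance_gap": expected_closing - displayed_closing,  # non-zero: tampering or error
        "clean": not hidden and not altered and expected_closing == displayed_closing,
    }


# Constructed sample: the gateway log holds three outgoing transfers; the rendered
# statement omits one, understates another, and its closing balance is padded to
# agree with the doctored lines rather than with reality.
GATEWAY_LOG = [
    Transfer("REF001", "ACME Supplies", Decimal("120000.00")),
    Transfer("REF002", "Casino Holdings", Decimal("20000000.00")),
    Transfer("REF003", "FX Broker", Decimal("5000000.00")),
]
RENDERED_STATEMENT = [
    Transfer("REF001", "ACME Supplies", Decimal("120000.00")),
    Transfer("REF003", "FX Broker", Decimal("50000.00")),
]
OPENING = Decimal("100000000.00")
DISPLAYED_CLOSING = OPENING - Decimal("120000.00") - Decimal("50000.00")

if __name__ == "__main__":
    print(reconcile(OPENING, GATEWAY_LOG, RENDERED_STATEMENT, DISPLAYED_CLOSING))
```

The same function run with the gateway log on both sides and the true closing balance reports `clean: True`, which is the baseline a daily reconciliation job should require before the statement is accepted.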
There are two important consequences to all this.
The first pertains to what some speculate could become a systemic issue for the banking industry, with dire liquidity effects to boot.
The underlying factors are viciously circular. Banks impacted by cyber fraud have little to no incentive to report vulnerabilities because doing so potentially exposes the exploits and creates a hacker “run” on the mechanism by which value can be extracted from the system. That, after all, would only make things worse. Inadvertently, this encourages banks to be as secretive about value lost to hacking attacks as they would ordinarily be about deposit runs.
It also downplays the seriousness of the issue in the popular media. How much value is being routinely lost to hackers? We just don’t know.
The central banks on their part would be wise to keep abreast of hacking attacks to take mitigating action on the liquidity front. Yet, from the point of view of the banks, reporting information to central banks or authorities potentially only worsens the problem. The more institutions you share the knowledge of the vulnerability with, the more vulnerable you are because the greater the opportunity for leaks.
The issue thus becomes both institutional and socio-economic. You can report the crime to the police but — as we all know from the movies — since you can’t be sure corrupt cops are not present in their system, you can’t be sure that’s a good idea.
Efforts such as those initiated by the European Central Bank for a cyber attack real-time alert system — see the FT’s Martin Arnold’s story here — thus aren’t all that reassuring, from the perspective of the banks. To the contrary, payments professionals tell us they would rather central banks operated in a more clandestine and haphazard manner when it comes to keeping tabs on hacking abuse. (Even so, there comes a point where we return to the security/prosperity paradox — if we’re spending more resources on sneakily supervising, inspecting and defending the system than the system is creating in wealth, the game’s lost.)
Which brings us to point two.
Upon the news of the secondary hack becoming known — an attack we now know occurred before the Bangladesh central bank hack in February — it took no time at all for blockchain enthusiasts to propose this would not have been possible within a blockchain system.
Swift, however, disagrees.
Harry Newman, head of market initiatives EMEA at Swift, told us on Friday: “This was an input fraud, and you can’t fix that with a blockchain,” adding that “blockchain is an interesting technology and we might use it ourselves but it would not have changed this.”
FT Alphaville’s long-standing critique about a permissioned private blockchain system is precisely this. Distributed ledgers do not at any point control for fraud at the origination or input point, which remains vulnerable to human fallibility, social engineering, extortion and duress.
Indeed, blockchain’s potential, if any, relates to synchronising and standardising transaction instructions in such a way that non-conforming transactions are delayed, ignored or blacklisted by the system’s protocols. But if the instructions emanate from a hack within the trusted network, the lack of segregated or siloed systems (or even human interfaces) ensures they’re liable to spread like a cancer within the network. Blockchain remains a one-size-fits-all measure.
And whilst the synchronisation approach might seem appealing to those keen on improving efficiency, the consequence is a militaristically rigid and inflexible machine of a system, which can’t easily process unexpected externalities. The more predictable the financial machine becomes, the easier it also becomes to game by the increasingly unpredictable outcast human and creative layer.
Last, there is also the issue of speed.
“If you speed things up you have to be sure you can secure it because if you move everything in real-time, money can disappear in real-time too,” says Swift’s Newman, alluding to the point that bad guys benefit from technology breakthroughs as well as good guys.
Hence, perhaps, the focus in modern day cyber attacks on obfuscation. The longer it takes for the victim to notice he’s been defrauded, the greater the chance the value stolen has already been spent in the real economy. The quicker it’s been spent, the longer and more costly the process of reclaiming the lost economic value — to the eventual point where the costs exceed the benefits of having the value returned, encouraging a write down, which someone in the real world has to bear.
We can see this play out in the attempts to reclaim the Bangladesh loot. It is now believed the hack was staged by Chinese hackers, who transferred a portion of the windfall to the accounts of casinos in the Philippines as well as to a regional foreign exchange broker. A portion of the $81m pilfered in the raid was transferred to a junket operator called Kim Wong, president and general manager of Eastern Hawaii Leisure Company Ltd, which operates in the Cagayan economic processing zone. At the heart of the story are also a number of local high-rollers.
Local reports state that Kim Wong has returned $9.7m of the loot to the anti-money laundering council, although he is believed to have received at least $35m in total. Wong has denied any wrongdoing on the basis that junket operators are not bound by the same know-your-customer regulations as casinos.
With respect to the speed vulnerability in the system, here’s a nice closing snippet from local news site The Manila Times about the nature of the return:
Wong’s lawyer said it took two hours to count the money, which were in P1000 and P500 denominations loaded in a trolley bag. Fernandez admitted, though, that two counterfeit P500 bills were found among the peso-denominated notes and Ferrer had to shell out P1,000 to replace the fake bills.
Abad also confirmed there were two counterfeit P500 bills found in the bag of money turned over on Monday, but declined to comment further. Without elaborating, Fernandez said Wong “will attend Tuesday’s hearing because he wants to finish this thing as soon as possible.”
Cyber crime doesn’t necessarily pay, but it certainly does take up economic resources and time.