How cheap $10 switches cost a bank $80m

Banks should be leading lights of security, not blundering failures

Poor security including cheap network switches and the lack of a firewall was partly to blame for the daring hack and theft of just over $81 million (around £55 million, or AU$105 million) from the central bank of Bangladesh pulled off back in February.

The bank used second-hand $10 switches to hook computers up with the SWIFT global payment system, as opposed to more sophisticated switches which cost hundreds of dollars. The ropey switches have also made it difficult for those investigating the attack to pinpoint where the hackers might have been based.

Thus far, the thieves – who actually attempted to whisk away almost a billion bucks, but were only successful in bagging $81 million (around £55 million, or AU$105 million) which was transferred to the Philippines – have remained unidentified, although the authorities have now pinpointed some of the people who received the money, if not those who actually masterminded the attack and stole it.

As Reuters reports, the SWIFT room at the bank, which contains four servers, should have been walled off from the rest of the system, and that could have been achieved with more expensive and sophisticated switches.

Alarmingly, the central bank had also failed to put in place a firewall, an obvious security measure.
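What "walled off" means in practice is a default-deny policy between the SWIFT segment and everything else, with a short explicit allow list. The following script is an added illustration, not code from the article or from Bangladesh Bank: it models that policy as zones and checks constructed flow records against it, so an office PC reaching a SWIFT server shows up as a violation. The zone addresses, allowed flows and flow records are all assumptions made for the example.

```python
"""Zone-based segmentation check (added example, not from the article).

Models the split the article says was missing: a SWIFT zone walled off
from the rest of the bank, with a default-deny policy between zones and
a short explicit allow list. All addresses and flow records below are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones and address ranges (assumptions, not from the article).
ZONES = {
    "swift": ip_network("10.50.0.0/24"),     # the SWIFT servers
    "office": ip_network("10.10.0.0/16"),    # general staff LAN
    "jumphost": ip_network("10.60.0.0/28"),  # hardened admin hosts
}
INTERNET = "internet"  # anything outside the known zones

# Allowed cross-zone flows as (src_zone, dst_zone, dst_port).
# Anything not listed here is denied: that is the "wall".
ALLOW = {
    ("jumphost", "swift", 22),   # admin SSH from jump hosts only
    ("swift", INTERNET, 443),    # SWIFT servers to the outside gateway over TLS
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses count as the internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def is_allowed(flow: Flow) -> bool:
    """Default deny between zones; only listed flows pass."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True  # traffic within a zone is not the segmentation policy's concern
    return (src_zone, dst_zone, flow.dport) in ALLOW


def parse_flow(line: str) -> Flow:
    """Parse a constructed '<src> <dst> <dport>' record."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def violations(lines):
    """Return the flows that the segmentation policy would deny."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


SAMPLE_FLOWS = [  # constructed records, not real traffic
    "10.60.0.5 10.50.0.10 22",     # admin SSH from jump host: allowed
    "10.50.0.10 203.0.113.7 443",  # SWIFT server to outside gateway: allowed
    "10.10.4.77 10.50.0.10 445",   # office PC reaching a SWIFT server: denied
    "10.10.4.77 10.50.0.11 3389",  # office PC RDP to a SWIFT server: denied
    "10.50.0.10 10.50.0.11 8080",  # SWIFT server to SWIFT server: allowed
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport} "
              f"({zone_of(f.src)} -> {zone_of(f.dst)})")
```

Run against the constructed records, the two office-to-SWIFT flows are reported and the rest pass. The same policy table is what a managed switch (via VLANs) and a firewall would enforce; the point is that the deny is the default and the allow list is short enough to review.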

Jeff Wichman, a consultant with cyber firm Optiv, told Reuters: "You are talking about an organisation that has access to billions of dollars and they are not taking even the most basic security precautions."

Other central banks in developing nations are apparently blighted by similar security issues, but hopefully this incident will have given them more than a little food for thought.

The blame game

In fairness, police have also blamed not just Bangladesh Bank but also the SWIFT network itself, which has been accused of failing to advise the bank suitably.

The thieves would have got away with more money had it not been for a simple spelling mistake – a $20 million (around £14 million, or AU$26 million) transfer to Sri Lanka was caught by a German clearing bank after the hackers misspelt the name of the non-profit organisation being used to receive the funds, which raised the alarm.

It's also worth noting that recently, when it comes to customers being hit by online fraud, all the major banks have been accused of burying their heads in the sand, taking the stance that it's cheaper to mitigate the risk of fraud than to try to fully defend against it.

Banks should be setting the standard when it comes to security, but it seems financial organisations are falling short on a number of fronts.