The security flaws that lead to an audacious heist of Bangladesh’s Central Bank have been found to be in software used globally to facilitate transfers between banks.

Bangladesh Bank had $81 million stolen from them in February (the figure was first thought to be $100 million), and at the time they claimed that the funds had been stolen from their foreign exchange account at the Federal Reserve Bank of New York.

An investigation by BAE systems instead found that after hackers had entered the banks systems, which had no firewall and were using a second-hand $10 network, they managed to hack the software of the Society for Worldwide Interbank Financial Telecommunication, more commonly known as SWIFT.

According to Reuters, hackers manipulated the Alliance Access server software which banks use to interface with SWIFT’s messaging platform, to gain access to the funds, and then cover their tracks.

Alliance reads and writes SWIFT messages to files on the filesystem, and records transactional information in an Oracle database; once inside, the hackers designed malware that removed integrity checks within the software and then watched transaction files waiting for payment orders and confirmations for specific terms.

Once a message meeting the criteria was found, the malware would then do a number of things, including increasing the amounts of payment orders, modifying confirmation messages from the SWIFT network itself, and then altering communications to show the original, correct transactions and deleting the actual transaction from the Alliance database.

Response

SWIFT confirmed the breach and said that they were issuing a software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records,” and that “the malware has [had] no impact on SWIFT’s network or core messaging services.”

The organization also issued a warning to all of its 11,000 plus members about the potential problem.

In the end, it was pure luck that Bangladesh Bank had not been taken for far more money as the hackers had been attempting to steal $951 million but came undone when a typo in the name of a transfer drew the attention of bank employees.

The overall investigation continues.

Image credit: vladus/Flickr/CC by 2.0