The Bangladesh Bank heist in March 2016 netted USD81 million when fake transfer requests were wired to the Federal Reserve Bank of New York (the Fed) which is where the Bangladesh central bank keeps much of its cash… for safe keeping. Upwards of USD1 billion would have disappeared had it not been for a simple spelling mistake that alerted a bank in Sri Lanka, which was to be the destination of another tranche of the illegal transfer money. The USD81 million nevertheless got through the net and ended up being laundered through a casino in Manila, which is not covered by the banking laws, and to junkets based in Macau and Mainland China, or so it is reported. In a way, none of this is surprising, although the criminals making the spelling mistake were a bit unprofessional.
The missing part of the story is apparently a printing machine at the Bangladesh bank. It seems the Fed sent a query concerning the unusual number of transfer requests to the Bangladesh bank, but the printing machine was not working.[1] The fault was subsequently attributed to the hackers.[2] It was a Friday. Saturday was a holiday in Bangladesh, so the authorities only got the machine working again on the Sunday to discover the alert. One wonders whatever happened to Internet. When they responded to the Fed it was already a holiday in the US, so nothing happened until the next working day. The first lesson is: always rob a bank on a Friday. The by-now infamous Hatten Garden bank robbery in April 2015 is a good example. The robbers struck on a Friday evening, found their equipment couldn’t get through the wall into the safe security box room, went out to buy more cutting tools on the Saturday, returned and disappeared with the cash and jewellery on Sunday. The second lesson is: round-the-clock security might be a good idea. The criminals like to take their holidays during weekdays when everyone else is working.
The third lesson is: maintain the printing machine, or the fax machine, or the CCTV, or the alarm systems, or keep the emergency telephone numbers up-to-date and those who need to know, etc, etc. And therein lies the big problem. Usually it isn’t the security software that’s out-of-date, but it’s that nobody is around to notice the alerts. Security systems are often fool-proof, but people are not. They give away their passwords, they open phishing emails, they forget to log-off, and so on.
But besides the human factor, the lack of monitoring and maintenance is too often the cause of the problem. When London was hit by terrorist explosions in July 2005, the CCTV camera on the upper deck of the bus that was blown apart was not working. When Indonesia was recently hit by a 6.7 earthquake off the coast of Sumatra, Indonesia’s array of six underwater sensors which had been installed following the devastating earthquake and tsunami in December 2004, were not working. Other arrays of sensors further south, maintained by other nations, were working fine. Luckily on this occasion there was no tsunami otherwise there would have been loss of life among people unaware of the danger. The sensors are embedded in the ocean floor and connected to floating buoys from where their signals are transmitted to a satellite and from there to command and control centres in Hawaii, Thailand and other locations. According to sources,[3] the problems were twofold: lack of monitoring and maintenance due to cost and theft of the cables by fishermen and others. The latter is entirely believable. In poor countries, anything public as well as anything private is fair game for many people. Stories are told of thieves being burned alive trying to steal submarine cables without realising they are accompanied by high-voltage power lines. There is often little understanding by citizens, and little effort put into educating citizens, about infrastructure technologies. Cables, towers, junction boxes are all just part of the assumed environment, structures that just appear. These are public goods, even when privately owned, but for the public they rarely register.
The real issue however is one of governance. If equipment that plays a vital role in monitoring and surveillance, whether it’s an undersea sensor, a CCTV camera or a simple printer, is not working, and if the cause is the cost of maintenance, then there needs to be transparency. Cost-cutting is a false economy in such circumstances, but if cost-cutting is inevitable, then that needs to be known and the risks fully assessed. Some services may need to be sacrificed to ensure safety. No one would fly on an airplane knowing that maintenance had been suspended. But they might fly without meals being served. It’s a matter of priorities, and ICTs cannot determine priorities, only people can. Or at least until the day AI takes over our lives for us.
[1] AFP News ‘Faulty printer implicated in $81 mn Bangladesh bank heist’ 16th March 2016 https://sg.news.yahoo.com/faulty-printer-implicated-81-mn-bangladesh-bank-heist-145959996–finance.html
[2] Wall Street Journal ‘Focus is Shifting to Fed in Heist’ 11 April 2016 https://www.pressreader.com/belgium/the-wall-street-journal-europe/20160411/282050506223222
[3] The New York Tines ‘Indonesia’s Tsunami Sensors Were Down During Quake’ 3 March 2016 https://www.nytimes.com/2016/03/04/world/asia/indonesia-earthquake.html?_r=0
