Bangladesh Bank Heist Negative
BANGLADESH
v.
BELGIUM AND
THE UNITED STATES
POSITION PAPER
OF GROUP II
CALABINES
DE LEON
EUSTAQUIO
GINGOYON
GUERRERO
Overview
Factual Antecedents
The malware stole the credentials of the bank to access SWIFT, an international
messaging system used by banks around the world. [2]
The hackers then generated thirty-five requests with the Federal Reserve Bank
of New York, amounting to almost $1 billion. Thirty-one requests were blocked, one
of which was to a Sri Lankan non-profit organization amounting to $20 million, which
was held up because the hackers misspelled “foundation” in the NGO’s name as
“fandation”. However, four requests got through, amounting to $81 million, which was
sent to Rizal Commercial Banking Corporation (RCBC) in the Philippines. [3]
The money was then moved to several bank accounts created by the RCBC
bank manager Maia Deguito for a casino owner named Kim Wong. The money was
channeled through the Manila casino industry. Thereafter, RCBC was fined around $20
million for failing to comply with banking regulations.
[1] Byron, Rejaul Karim, and Md Fazlur Rahman. “Hackers bugged Bangladesh Bank system in Jan”. asianews.network.
https://web.archive.org/web/20160312145208/http://www.asianews.network/content/hackers-bugged-bangladesh-bank-system-jan-11271 (accessed March 8, 2019).
[2] Kitten, Tracy. “Bangladesh Bank Heist: Lessons Learned”. bankinfosecurity.com.
https://www.independent.co.uk/news/world/asia/spelling-mistake-stops-hackers-stealing-1-billion-in-bangladesh-bank-heist-a6924971.html (accessed March 8, 2019)
Issue
1. Whether or not Belgium, by the negligence of SWIFT, is liable for violating the
trust and confidence given to them by their clients when its system was
breached and used by unidentified hackers.
2. Whether or not the US, through the acts of the Federal Reserve Bank of New
York, is liable for violating the International Banking Act of 1978.
Conclusion
Were it not for human intervention, the breach would not have been detected.
It should be clear that the current state of the automated fraud detection and
prevention mechanism of Bangladesh is lacking. It also comes to mind that it was
Bangladesh Bank’s employee who triggered the malware to activate.
Furthermore, it is the duty of the bank to keep its credentials secure. In this
case, the computer used to hack into the system of Bangladesh Bank was not
dedicated to SWIFT transactions only. In fact, the computer could be accessed
by anyone. Therefore, Bangladesh Bank’s negligence in not having a dedicated
computer for the single task of conducting SWIFT transactions ultimately led to
its system being breached by the hackers.
Finally, it is not impossible that the breach in the system involved an
insider connection. It is rather sloppy, if not careless, for a bank employee to open a
spam email on a computer that has access to the entire network of Bangladesh Bank.
Consequently, the fault belongs to Bangladesh Bank for the negligence of its
employees and the flawed system in detecting fraudulent transactions.
Bangladesh argues that the Federal Reserve Bank of New York did not
exercise due diligence when it approved four transactions from Bangladesh in spite
of the suspicion arising from one transaction for Sri Lanka, thereby violating the
International Banking Act of 1978.
When it received the requests from Bangladesh, the Federal Reserve acted
within the scope of its duties. It blocked thirty out of thirty-five transactions due to
misspelled instructions. On the other hand, the Federal Reserve approved five transactions
but later halted one of the transactions for misspelling the name of one of the
supposed accounts. Four out of thirty-five instructions were cleared because it did not
have any information that may give rise to suspicion that those were fraudulent
transactions.
Bangladesh clings to the idea that the Federal Reserve should have waited for
confirmation from Bangladesh before clearing the transaction. But this would go
against the duty of the bank to release the funds requested by its clients when they
request it. Furthermore, the Federal Reserve cannot just assume that all transactions
from Bangladesh are fraudulent just because some of the requests are. Therefore,
absent any patent information that may give rise to suspicion, the Federal Reserve
cannot be held liable for clearing the transactions.