Can blockchain or distributed ledger technologies help prevent attacks on the world’s critical financial systems?

Banks use standardised electronic messages, made up of codes and identifiers, a sort of a common financial language, to make international payments and move money around the world.

There are checks and balances, policies, and procedures in place to comply with legal requirements, validate the parties involved, detect irregularities, and look out for anything suspicious or out of the ordinary. Transactions are checked against special databases such as those containing information on blacklisted individuals and entities or those under government sanctions. Hundreds of billions of dollars are at stake, so it is hardly surprising there are so many controls built into the system.

But even with all these financial fortifications in place and armies of back-office staffers monitoring money movements, now and again hackers manage to get away with very large sums of money.

Earlier this year, a massive heist took place. Someone stole around $81 million from the account of Bangladesh Bank, the country’s central bank, with the New York Federal Reserve. The audacious plan was to steal a whopping $1 billion from the account but the NY Fed caught most of it in its preventive net mainly due to an unexpected piece of good luck.

Here’s what happened.

The Heist

Investigations are still underway but so far each party involved has been busy laying the blame on others. The NY Fed argues that it flagged and declined a majority of the fraudulent requests it received. Cybercriminals had sent 35 messages to the NY Fed pretending to be from Bangladesh Bank, totalling nearly a billion dollars, and only a few got through. The NY Fed handles $800 billion in international money transfers every day, so in this context $58 million seems a relatively small amount.

Bangladesh Bank, for its part, argues that the NY Fed should have caught the fraud in its entirety, as the pattern of the transfer requests was highly suspicious. Over the past year Bangladesh Bank had only requested around 2 transfers per month, mostly to institutions, not 35 in one day addressed to individuals.

SWIFT, the bank-owned entity responsible for the messaging protocols, the necessary software and hardware, and management of the secure network, is under fire too. The network handles 25 million communications every day for around 10,000 banks and corporates. Critics say that over the years SWIFT has not done enough to improve the security environment around its network, and that it should have invested in the latest technologies to make communications over its network completely bullet-proof.

Bangladesh Bank also has a lot to answer for. Its systems were compromised, some say due to the lax security controls deployed at the bank. Hackers were able to install malware a month before they struck, which enabled them to prepare and plan the attack in February. Bank officials did not monitor their transactions online, and the only way to review communications on the system was to physically print out the messages received over the SWIFT network. The hackers had disabled the print function, and it was not fixed until the next day, when the bank discovered the communications from the NY Fed and the fraud.

Lastly, the timing of the theft was deftly planned. The hackers sent the fraudulent instructions on a Thursday, and by the time the NY Fed got back to them Bangladesh Bank employees had gone off for the weekend, which there falls on Friday and Saturday. By the time they discovered what was going on (after fixing the print function) it was the weekend in New York. When on Monday the NY Fed tried to stop the transfers, they discovered it was the Chinese New Year holiday in the Philippines, the ultimate destination of the stolen funds.

Total Fluke

The 35 fraudulent messages to transfer the billion dollars first came with some vital information missing and were rejected by the NY Fed’s system. The hackers soon corrected the error and re-submitted. This time the NY Fed cleared 5 of them. The others were rejected – according to early reports – by a piece of unexpected luck or a “total fluke” as someone described it. The destination for the transfers, a bank branch in the Philippines, happens to be located on Jupiter Street. This triggered an alert in the Fed’s system as Jupiter was also the name of an oil tanker and a shipping outfit from Iran under sanctions from the United States. The coast was otherwise clear.

Global Networks Vulnerable

The truth is that all global networks, especially those that deal with money transfers, are a primary target for cyber criminals, who have reached new heights of technical sophistication and are more organised than ever before.

These criminals now boast access to vast resources, even patronage of rogue governments, and plenty of motivation to perpetrate multi-million dollar frauds. To compound the problem, banking industry veterans also point to a culture at banks of keeping breaches or thefts quiet if they can help it. They should be sharing information and undertaking investigations in a spirit of openness and cooperation so that the points of vulnerability are identified and corrected.

The Bangladesh heist was the work of confident criminals who knew their way about the system, avoiding the strongest defences and targeting the weakest links in the international payments network. It is possible that the hackers were also responsible for an earlier theft of $12 million from an Ecuadorian bank’s account with Wells Fargo. The two banks are now fighting each other in the courts.

Symantec, the security company, believes the group called Lazarus, the one said to be responsible for the attack on Sony Pictures back in 2014 and sponsored by the North Korean government, may have been behind the attack.

Blockchain and Distributed Ledgers

The concept of blockchain was developed to support a virtual decentralised currency system called Bitcoin but the world’s financial systems work with centralised or “fiat” currencies, those issued by governments and considered legal tender in the country of issue. Decentralised systems are essentially “trust-less” systems since there is no central “trusted” authority or a single entity so decisions are driven through logic and consensus programmed into the system.

The blockchain is an irrefutable and unchangeable record of past transactions and as such serves to establish ownership and the right to transfer bitcoins. It also guards against a rightful owner spending bitcoins twice. A Bitcoin transaction is validated by consensus by a network of computers or nodes participating in the virtual currency system and not by a single centralised authority responsible for record keeping. The blockchain ensures the Bitcoin system is “permissionless”, requiring no central authority approval or decision, and therefore autonomous.

Distributed ledgers encompass a much broader definition. While a blockchain as originally envisaged by its creators works essentially within the Bitcoin system, distributed ledger architecture can support all types of systems. In financial services a distributed ledger system is likely to be permissioned and therefore less autonomous. It can be deployed with varying levels of control and flexibility.

Enhanced Risk Management Through Distributed Ledger Architecture

A fraud prevention system based on a distributed ledger approach, with multiple databases working in sync, can be deployed to combat fraudulent incidents of this type very effectively. Such a system would, first, maintain a confidential record of past transactions for reference and verification, but without disclosing transaction details to everyone in the system (unlike the blockchain, where transactions are in the open). Second, the system would store and update authenticated credentials of legitimate and verified senders and receivers.

Individual banks and financial institutions today operate their internal risk management systems and consult common information on blacklists and sanctions. The responsibility of developing robust risk management controls is left to individual banks, resulting in inconsistent approaches and widely varying quality of risk controls and procedures. A distributed system would be beneficial for everyone in the international marketplace, not just the large banks but also the smaller banks that have less sophisticated risk management systems in place.

Often a bank’s systems will generate a high number of “false positives”, transactions rejected by the system as suspicious or fraudulent. But an overwhelming majority of such transactions are found only to be missing some information, which is corrected before resubmission. Such a high percentage leads transaction monitoring staff to treat most alarms as harmless. A distributed ledger system could be maintained by the leading stakeholders such as the major central banks and large commercial banks. In the long term, it is debatable whether a central network entity such as SWIFT would be necessary in such a scenario. Indeed, with standardised ISO formats, the distributed system could work on its own, or with just a skeleton staff, with the help of the leading players.
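As an added example (not code from the original article or from any bank or SWIFT), the following Python sketch puts the two elements described above side by side: a ledger node that stores only keyed hashes of past transfers, so peers can confirm a transfer was recorded without seeing its details, a registry of verified receivers, and a behavioural check that compares a day's requests against the sender's own history, in the spirit of the roughly two-per-month versus 35-in-a-day pattern discussed earlier. All bank identifiers, amounts, dates and the shared salt are constructed for illustration.

```python
import hashlib, hmac
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str          # constructed bank identifiers, not real BICs
    receiver: str
    receiver_type: str   # "institution" or "individual"
    amount: int          # USD
    day: str             # ISO date, constructed
def commitment(t: Transfer, salt: bytes) -> str:
    """Keyed hash of the transfer; peers store only this, never the details."""
    msg = f"{t.sender}|{t.receiver}|{t.receiver_type}|{t.amount}|{t.day}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

class LedgerNode:
    def __init__(self, verified_receivers):
        self.verified = set(verified_receivers)  # registry of authenticated receivers
        self.history = []                        # this bank's own cleared transfers
        self.commitments = set()                 # confidential record shared by peers
    def record(self, t, salt):
        self.history.append(t)
        self.commitments.add(commitment(t, salt))
    def verify(self, t, salt):
        # A counterparty holding the details and salt can prove the transfer exists.
        return commitment(t, salt) in self.commitments
    def screen(self, batch):
        """Reasons a same-day batch of requests should be held for manual review."""
        reasons = []
        unknown = sorted({t.receiver for t in batch if t.receiver not in self.verified})
        if unknown:
            reasons.append(f"receivers not in credential registry: {unknown}")
        daily_max = max(Counter(t.day for t in self.history).values(), default=0)
        if len(batch) > 3 * max(daily_max, 1):
            reasons.append(f"{len(batch)} requests in one day vs historical daily max {daily_max}")
        new_types = {t.receiver_type for t in batch} - {t.receiver_type for t in self.history}
        if new_types:
            reasons.append(f"receiver type never seen before: {sorted(new_types)}")
        return reasons
def screen_sample():
    # Constructed scenario: two transfers a month to institutions, then 35 in one day to individuals.
    salt = b"constructed-per-record-secret"
    node = LedgerNode({"BANK-A", "BANK-B"})
    for m in range(1, 13):
        for r in ("BANK-A", "BANK-B"):
            node.record(Transfer("CENTRAL-X", r, "institution", 5_000_000, f"2015-{m:02d}-10"), salt)
    batch = [Transfer("CENTRAL-X", f"PERSON-{i:02d}", "individual", 20_000_000, "2016-02-04") for i in range(35)]
    return node, batch, node.screen(batch)
```

The screening rules are deliberately simple thresholds; a production system would tune them against the false-positive rate the text describes, so that a genuine deviation is not lost among alarms about missing fields.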

Collaborative Hybrid Approaches

Central banks are rightly exploring hybrid systems where a single authority manages records maintained centrally but also encourages and helps maintain a wider distributed ledger system to ensure network security and integrity. Such a system could work on several levels – global, regional, and local or domestic, to enable centralised authorities in multiple jurisdictions to develop an additional layer of shared decentralised systems.

But while a made-for-purpose, distributed-ledger-based international value transfer system would take some time to build and incur substantial costs, internal collusion and compromise of private digital keys mean that no system is immune, in theory, to cleverly thought-out cyberattacks. Still, a hybrid system would be able to identify fraud or money laundering transactions a lot quicker, allowing more immediate remedial action.

A parting caveat: it is important to note that new technical approaches cannot absolve banks from deploying robust operational and risk management controls. Hackers often use tried and trusted but simple techniques to perpetrate fraud: installing malware, disabling viewing or printing features, simply observing how people work and where their weaknesses lie, and choosing the right time to make a move by lining up weekends and national holidays to their benefit.