SWIFT, the financial messaging system used by 11,000 banks throughout the world, admitted this week that it's vulnerable to hackers if they penetrate its member financial institutions. It shouldn't be major news: Thieves go where the money is, and more than half of the 25.8 million messages a day that the network carried in March were meant to transfer money. Yet SWIFT's hacker problem is a great illustration of how globalized finance can get out of hand.

SWIFT's warning, sent to members over its secure network, tells them about “a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back offices, PCs, or workstations connected to their local interface to the SWIFT network.” Of these incidents, only one is well-known—February's Bangladesh Bank heist, which could easily provide the plot for a cyberpunk novel. On Monday, U.K.-based BAE Systems' cybersecurity division provided the technical details of how the hack probably worked, having found malware that was likely used for the hack on an online malware repository.

The perpetrators tried to transfer $951 million to the Philippines and Sri Lanka from the account Bangladesh's central bank holds with the New York Federal Reserve. The Philippine bit worked without a hitch: $81 million went to accounts at the Rizal Commercial Banking Corp., set up in the names of two Chinese businessmen (who deny they had anything to do with it), then passed through several local casinos that are exempt from money-laundering regulations and left the Philippines in an unknown direction.

The Sri Lanka bit was a failure. Bangladesh Bank recovered the $20 million transferred to that country and stopped further transactions after a typo in one of the messages led a routing bank to start asking questions. The hackers slipped up stupidly: They misspelled “foundation” as “fandation” in the name of a Sri Lankan non-governmental organization they were using for their transfer.

The hackers gained access to Bangladesh Bank's local network, which wasn't too hard since the bank was using secondhand $10 switches. They found that the SWIFT servers were on that network, not separated from it by any kind of firewall. They then ran a program designed to cheat SWIFT's Alliance Access software, which interacts with the Oracle-built database in which transaction data is stored. The malware searched SWIFT messages to extract addresses and transfer references. As the hackers generated and sent money-transfer messages based on that data (exactly how they did that is not clear to BAE Systems based on the available data), they also patched Alliance Access to allow these transactions, so they looked as if they had been properly checked by the system. That's why, at the New York Fed's end, the messages looked perfectly legit. The hackers also knew that all SWIFT messages are automatically sent to be printed, and they used a bit of malware to cheat the printers so they only spewed out evidence of properly approved transactions.
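
Because the local checks and printouts described above were altered, the sending bank's own records could not show the fraud; only a record held elsewhere could. As an added example (not from the column or from BAE Systems' analysis), this Python reconciles the local list of sent transfers against the debits on a statement obtained from the account-holding institution over a separate channel. The record fields, references and amounts are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data; field names and values are illustrative assumptions.
# Local view: transfers the bank's own interface and printouts report as sent.
LOCAL_SENT = [
    {"ref": "TRN0001", "amount": Decimal("1500000.00"), "beneficiary": "Acme Imports Ltd"},
    {"ref": "TRN0002", "amount": Decimal("250000.00"), "beneficiary": "Delta Shipping Co"},
    {"ref": "TRN0004", "amount": Decimal("90000.00"), "beneficiary": "Harbor Freight Co"},
]
# Independent view: debits on the statement from the institution holding the
# account, fetched over a channel that does not pass through the local network.
COUNTERPARTY_DEBITS = [
    {"ref": "TRN0001", "amount": Decimal("1500000.00"), "beneficiary": "Acme Imports Ltd"},
    {"ref": "TRN0002", "amount": Decimal("2500000.00"), "beneficiary": "Delta Shipping Co"},
    {"ref": "TRN0003", "amount": Decimal("20000000.00"), "beneficiary": "Example Foundation"},
    {"ref": "TRN0003", "amount": Decimal("20000000.00"), "beneficiary": "Example Foundation"},
]

def reconcile(local_sent, counterparty_debits):
    """Return sorted (finding, ref) pairs where the two views disagree."""
    local = {m["ref"]: m for m in local_sent}
    findings, seen = [], set()
    for debit in counterparty_debits:
        ref = debit["ref"]
        if ref in seen:
            # Same reference debited twice on the independent statement.
            findings.append(("duplicate_debit", ref))
            continue
        seen.add(ref)
        mine = local.get(ref)
        if mine is None:
            # Money left the account, but local records show no such transfer.
            findings.append(("debit_without_local_record", ref))
            continue
        if mine["amount"] != debit["amount"]:
            findings.append(("amount_mismatch", ref))
        if mine["beneficiary"].casefold() != debit["beneficiary"].casefold():
            findings.append(("beneficiary_mismatch", ref))
    # Transfers the local side believes it sent that never reached the statement.
    for ref in local.keys() - seen:
        findings.append(("sent_but_not_on_statement", ref))
    return sorted(findings)

if __name__ == "__main__":
    for finding, ref in reconcile(LOCAL_SENT, COUNTERPARTY_DEBITS):
        print(f"{ref}: {finding}")
```
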

“The tool was custom-made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software, as well as good malware-coding skills,” BAE Systems praised the attackers. Apparently, they knew Bangladesh Bank pretty well, too: The printer-cheating software was specifically written for a particular model of HP printer used at the bank.

They also must have been knowledgeable about international banking regulations and loopholes in countries' financial systems, such as the one that allowed them to launder the loot as gambling proceeds in the Philippines. And they may have subverted a number of bank employees. A Rizal Commercial Banking Corp. branch manager, who withdrew part of the money in cash to move it, is under investigation.

It was a big, sophisticated operation, and it paid off for those who launched it. There will undoubtedly be more like them because people with the technical expertise are not the ones with the money—bankers are.

Far be it from me to praise the perpetrators as Robin Hoods: They robbed one of the poorest nations in the world. Even using purchasing power parity, Bangladesh is, according to the International Monetary Fund, the 139th of 185 nations in terms of per capita economic output. The average disposable monthly wage there is $324, lower than, for example, in Zimbabwe or El Salvador. Its international reserves—$27 billion, part of which the hackers stole—are smaller than tiny Hungary's, though Bangladesh has a bigger population than Russia.

And yet Bangladesh is in on the electronic systems that move billions of dollars per second—money that belongs to governments, corporations, and wealthy individuals. As far as that money is concerned, this is one world. Yet it's not in real life. Bangladesh Bank has assets of $29 billion, compared with $2.7 trillion for the New York Fed. It cannot afford to spend as much on cybersecurity as its U.S. counterpart in the fraudulent deals. Nor can many central banks and financial institutions around the world.

Networks such as SWIFT aren't vulnerable because they underspend on security. SWIFT takes it seriously: The latest warning came with a mandatory security update. Yet a global system is only as safe as its most unsafe parts. In a way, the Bangladesh heist is part of the same problem as Europe's refugee crisis: The West would like to be complacent about its relative wealth and security, but it can't be, because in a world made smaller by technological advances, poverty and need are knocking more and more persistently at its doors. To keep the world as conveniently small as it's getting—with fast, affordable travel, instant money transfers, and the other 21st-century perks—it's time to strive for a more uniform distribution of wealth.

From: Bloomberg

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
