A little-noticed lawsuit details a hacking attack similar to one
that stole $81 million from Bangladesh's central bank, saying
cybercriminals stole about $9 million last year from a bank in
Ecuador. The case suggests global bankers haven't been sharing
critical information to prevent such heists.
The February cyberheist involving Bangladesh Bank has elevated
concerns about the security of the global finance system in the
face of persistent cyberattacks. Details of another bank being
victimized more than a year earlier are likely to increase those
concerns, especially since overseers of the international payment
system said that they were unaware of the attack.
A third attack from December 2015 at a commercial bank in
Vietnam was detailed last week by the Society for Worldwide
Interbank Financial Telecommunication, or Swift. That bank detected
the fraudulent requests and stopped the movement of funds, the
central bank in Vietnam said.
In the January 2015 Ecuador hack, as with the February 2016
Bangladesh case, hackers managed to get the bank's codes for using
Swift, the global bank messaging service, to procure funds from
another bank, according to court papers.
A spokeswoman for Swift said Thursday that the network was never
told of the earlier hack. "We were not aware," said Natasha de
Teran, the spokeswoman. "We need to be informed by customers of
such frauds if they relate to our products and services, so that we
can inform and support the wider community. We have been in touch
with the bank concerned to get more information, and are reminding
customers of their obligations to share such information with
us."
The Ecuadorean bank, Banco del Austro, filed a lawsuit in New
York federal court earlier this year, accusing Wells Fargo Bank of
failing to notice "red flags" in a dozen January 2015 transactions,
and to stop them before the thieves transferred about $12 million,
most of it to banks in Hong Kong.
Lawyers for the two banks didn't immediately return phone calls
seeking comment about the case and Swift's complaints that they
had failed to notify the payment network.
According to the lawsuit, Banco del Austro was able to get back
about $2.8 million of the stolen money and initiated legal
proceedings in Hong Kong to try to recover more. The court papers
don't explain what, if anything, happened to the funds after they
were sent to Hong Kong. About $1.5 million was transferred to an
account in Los Angeles, and $1 million was sent to a bank in Dubai,
according to the lawsuit.
It is unclear whether there is a connection between the hacking
heists carried out against the Ecuadorean bank and those in
Bangladesh and Vietnam. There are similarities in method, including
thieves accessing the bank's system to log on to the Swift bank
messaging network, and doing so after banker's hours, apparently to
reduce the likelihood that someone would ask questions about
specific transactions.
Swift officials have been aggressively notifying customers this
year about malicious software on the perimeter of their messaging
network since learning about the attack in
Bangladesh. But news that the company didn't know about the Ecuador
case at the time of the attack underscores the challenge it faces
keeping up with thousands of customer firms, all of which have
varying layers of security and different home regulators around the
world—and suggests there is no effective global process for sharing
information about threats and vulnerabilities.
"Unfortunately, this risk with SWIFT is nothing new, as
technology has evolved, and hackers have gotten more
sophisticated," lawyers for the Ecuadorean bank wrote in a March 31
court filing, citing news articles about the Bangladesh case.
According to that filing on behalf of Banco del Austro, or BDA,
"For each of the unauthorized transfers, an unauthorized user,
using the Internet, hacked into BDA's computer system after hours
using malware that allowed remote access, logged onto the Swift
network purporting to be BDA, and redirected transactions to new
beneficiaries with new amounts."
Using that method, just before midnight on Jan. 14, 2015, a
payment order made to a Miami company for less than $3,000 was
altered to send $1.4 million to an account in Hong Kong, according
to the court filing.
There were 12 suspect transfers carried out over a 10-day period
in January 2015, according to the lawsuit.
BDA's lawsuit argues Wells Fargo should have noticed several
anomalies in the transfers and, at a minimum, asked questions about
them.
"The unauthorized transfers were made in unusual times of the
day, in unusual amounts, to unusual beneficiaries in unusual
geographic locations," the bank's lawyers argued in the filing.
"Despite the numerous anomalies in the unauthorized transfers,
(Wells Fargo) inexplicably failed to block them and/or alert BDA of
the suspicious activity."
Wells Fargo's lawyers have urged a judge in a court filing to
throw out the lawsuit, saying the Ecuadorean bank's claims are
misplaced and, if adopted by the financial industry, would impose
impossible expectations on banks to vet account transfers.
"BDA and Wells Fargo agreed that Swift authentication was a
commercially reasonable security procedure for verifying Swift
payment orders," the Wells Fargo lawyers said in their motion to
dismiss the case.
If BDA's reasoning were to prevail, banks would have to "contact
their customers multiple times whenever a payment order is
received…and it would eviscerate the efficiencies that wire
transfers and SWIFT payment orders were designed to promote."
It is unclear whether bank regulators or U.S. criminal
investigators were ever notified of the Ecuadorean hack.
The Bangladesh hacking heist has led to tensions between the
bank and Swift, which is based on the outskirts of Brussels.
Bangladesh investigators have suggested Swift employees may have
taken steps that left the bank's computers more vulnerable to an
attack. Swift has warned banks to be more vigilant against hackers
getting into their systems, and noted that the hackers didn't
penetrate their core messaging network.
Write to Devlin Barrett at devlin.barrett@wsj.com and Katy Burne
at katy.burne@wsj.com
(END) Dow Jones Newswires
May 19, 2016 18:35 ET (22:35 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.