A few months ago, we reported the incredible story of how hackers stole $100 million from Bangladesh Central Bank by way of the New York Federal Reserve. Now, thanks to a little-noticed lawsuit, details are emerging that hackers had initially stolen another $12 million from a bank in Ecuador, Banco del Austro, although the bank was able to get back about $2.8 million of the stolen money.
The Ecuadorean bank filed a lawsuit in New York federal court this year, accusing Wells Fargo of failing to notice red flags in a dozen January 2015 transactions, leading to $12 million being transferred from its account, mostly directed to banks in Hong Kong. In addition to Hong Kong, $1.5 million was transferred to an account in Los Angeles, and $1 million was sent to a bank in Dubai, the WSJ reports.
While it is unclear whether there is a connection between the Ecuadorean bank and Bangladesh Bank thefts, there are similarities in method. Hackers accessed the bank's system to log onto the SWIFT network after hours and redirected transactions to new beneficiaries with new amounts.
Banco del Austro's lawsuit argues that Wells Fargo should have noticed several anomalies in the transfers and, at a minimum, asked questions about them. The lawsuit points to twelve suspect transfers that were carried out over a 10-day period in January 2015, citing an example of a $3,000 payment order to a company in Miami being altered to send $1.4 million to an account in Hong Kong.
"The unauthorized transfers were made in unusual times of day, in unusual amounts, to unusual beneficiaries in unusual geographical locations. Despite the numerous anomalies in the unauthorized transfers, [Wells Fargo] inexplicably failed to block them and/or alert BDA of the suspicious activity," BDA's lawyers argue in the filing.
Wells Fargo said in a motion to dismiss the case: "BDA and Wells Fargo agreed that SWIFT authentication was a commercially reasonable security procedure for verifying SWIFT payment orders."
One major concern is that a spokesman for SWIFT said that the network was never told of the hack.
"We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information and are reminding customers of their obligations to share such information with us."
After the hack of Bangladesh, SWIFT officials have been aggressively notifying customers about malicious software on the perimeter of their messaging network, noting that hackers have not penetrated its core network.
So once again, wire transfer anomalies were missed by Wells Fargo, just as the NY Fed had missed similar red flags as $100 million was being stolen from Bangladesh Bank. Perhaps some of the recruiting effort spent on getting the brightest mathematicians to come write complex algorithms for the banks can be redirected to IT staffing, because unless measures are taken to enhance cyber security at these banks, these cyber heists will only become more frequent, and much more lucrative.