NY Fed rejected, then later approved $81 million bank heist

The financial industry has used a messaging system made by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to securely authenticate transfers between banks for decades. But recent fraudulent money requests have broken the system's impenetrable reputation. Back in February, hackers used this method to steal $81 million from the Federal Reserve Bank of New York, but officials just revealed that those requests had been red flagged and rejected previously in the day -- only to be approved hours later.

The Fed branch had denied 35 fraudulent requests to transfer money from the Bangladesh Bank to accounts in the Philippines and Sri Lanka because they weren't formatted properly for SWIFT messages, kind of like not clicking on spam email after noticing typos. The hackers resubmitted them in proper SWIFT format and they were authenticated by the messaging system, but the Fed blocked 30 of them anyway for later review. It scrubbed one last $20 million request thanks to an actual typo noticed by a German routing bank, but the four that weren't flagged netted the hackers $81 million.

A source told Reuters that anomalies in those last four requests should have alerted the New York Fed: the money was to be paid to individuals, which was rare for the Bangladesh Bank, and the fake names on the requests appeared on some of the other 30 that the Fed had blocked. Yet an investigation after the heist revealed that cheap second-hand switches used to network the Bangladesh Bank's computers and the lack of a proper firewall enabled the hackers to break in and steal bank credentials to make the requests.

In response to this and other similar fraudulent money transfers, the cooperative behind the SWIFT financial messaging system has announced a plan to help banks improve their overall security. But since banks apply SWIFT policies at their discretion, the cooperative's plan hinges mostly on educating banks to avoid compromising their operations.