Investments Lending Servicing

Three things to learn from the New York Fed hack

Think your company is immune? Think again

Federal Reserve

In one of the boldest cybersecurity breaches to date, hackers tried to steal $1 billion from the New York Federal Reserve Bank, and almost got away with it, ending up with about $80 million. 

From a Reuters report:

The hackers breached Bangladesh Bank's systems and stole its credentials for payment transfers, two senior officials at the bank said. They then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh Bank's account there to entities in the Philippines and Sri Lanka, the officials said.

The hackers, whose "footprints" indicate they operated from outside of Bangladesh, transferred the money to casinos in the Philippines, according to the Reuters article.
 
The fact that large transfers were being requested by private entities, not other banks, finally raised red flags at the NY Fed and prevented the transfer of $850-$870 million.
 
But you operate a small business and don't have billions sitting around in bank vaults. Surely your company doesn't have to worry about a hack, right?
 
Wrong. A quick read of the Fed hack reveals several elements that hold true for your business as well:
 
1. The hackers got in with stolen credentials 
As we reported recently, the days of getting an email from a Nigerian prince are gone — the kind of threats you are most likely to face, phishing, come from trusted sources that have been compromised, whether that's an email from your boss or your best customer. 
 
2. Humans are often the problem, and sometimes the solution
Most phishing hacks target employees, who unwittingly click on a suspect link, opening the door to thieves.
 
In this case, human error worked for the bank, since hackers made a typing error, misspelling Foundation as Fandation. This triggered a human to question what was going on and saved the Fed and the Bangladesh Bank almost a billion dollars.
 
Takeaway? Turn your biggest weakness into your front-line offense by training employees to question anything that looks off. 
 
3. One simple step in authentication could have saved a bundle

According to a Bloomberg report, there is disagreement over whether the Fed followed procedures when it received the transfer orders. From their coverage: 

A Fed spokeswoman said instructions to make the payments from the central bank’s account followed protocol and were authenticated by the SWIFT codes system. There were no signs the Fed’s systems were hacked, she said.

A Bangladesh official said the Fed should’ve checked the payment orders with the central bank to ensure they were authentic, even if they used the correct SWIFT codes.

That one missing step in verification, checking with the central bank, cost both banks big time.

But before you get too judgmental, consider what might be missing in your process. Still using a fax machine? Do employees ever get impatient with encrypted email and just send something out to clients on an unsecured line? Do any of your employees use a wireless mouse or keyboard? 

The size of your business or your business' bank account is no indication of the number of attacks being directed your way. Often the most valuable thing you have to offer is the data residing in your files.

Consider that in 2015, almost 1 million new malware threats were released every day, according to CNN Money. In February of this year alone, Identity Theft Resource Center confirmed serious security breaches on more than 45 companies. Some of these companies, like the New York Fed or the Department of Homeland Security, are obviously big targets. Others were small medical practices and CPA offices. 

The bottom line? Treat the possibility of a cybersecurity attack as an if, not when, scenario, and learn from the mistakes of others.

Need help? Find the FDIC's cybersecurity awareness resources here, and the FFIEC's cybersecurity assessment tool here

Other HousingWire stories on this topic:

Here's proof your cybersecurity efforts might totally fail

Reprints

Services Guide

Comments powered by Disqus