Analyzing whether blockchain can effectively combat cybercrime from the hacking incident of the Bangladesh Central Bank account

Can blockchain or distributed ledger technology help protect the world's vital financial systems from attacks?

Banks use uniform electronic messages when performing cross-border payments and transfers. These messages consist of specific codes and identifiers and serve as a common financial language.

Financial institutions follow various policies and procedures to comply with the relevant legal provisions, verify the information of participants, detect illegal activities, and watch for anything suspicious. Each transaction is checked against specialized databases, which include blacklists of companies and individuals and information on people wanted by governments. A large amount of money passes through these systems, so they have been given multiple layers of protection.

But even with the most advanced protection systems, and even with a large group of people monitoring currency transactions, hackers can still successfully steal large amounts of funds.

At the beginning of this year, a serious hacker attack occurred: $81 million was stolen from Bangladesh Bank's account at the Federal Reserve Bank of New York (NYFR). The hacker originally intended to steal $1 billion. Fortunately, for some high-value transfers, the NYFR would not transfer everything at once. During the transfer process, the hacker accidentally misspelled the name of the recipient, so he only received $81 million in the end.

The following are the specific details of the incident.

The whole process of the attack

The incident is still under investigation, but the parties involved are busy shirking responsibility. The New York Fed said that it successfully intercepted most of the transfer requests. Cybercriminals sent as many as 35 messages to the New York Fed, claiming to be from the Bangladesh Bank and asking for $1 billion, but only a small part of them went through. The New York Fed handles international remittances worth up to $800 billion every day, so by comparison $81 million is a small amount.

The Bangladesh central bank said that the frequency of the hackers' transfer requests was so suspicious that the New York Fed should have noticed and could have stopped them in advance. In the past year, the Bangladesh central bank had sent only about 2 remittance requests per month, all of them to company accounts. It had never sent 35 requests in one day, and these were addressed to personal accounts.

SWIFT, which is responsible for the hardware and software communications and network security of the banking network, has also been relentlessly criticized. The SWIFT network needs to process 25 million communication messages for more than 10,000 banks and companies every day. Some people accuse SWIFT of not doing anything for its network security over the years. SWIFT should have invested in some advanced technology to prevent the attack.

Bangladesh Bank is also not free from responsibility. Some people say that its system was compromised because of the low security level of the bank's network. Hackers successfully implanted a Trojan in the bank's system one month before the attack, but the bank was completely unaware, giving the hackers enough time to prepare. Bank staff never monitored transactions online, and only printed specific transaction information manually after receiving it from the SWIFT network. The hackers remotely took control of the printer one day in advance, causing it to malfunction. By the time staff managed to print the transaction information sent by the SWIFT network the next day, it was too late.

Finally, the timing of this attack was perfect. The hacker sent the remittance requests on Thursday, and by the time the New York Fed sent its confirmation to the Bangladesh Bank, it was Friday and Saturday, when the bank staff were already off work. By the time the Bangladesh Bank discovered the problem (that is, after "fixing" the printer), the New York Fed was itself closed. Finally, when the New York Fed tried to block the transactions, the funds had already arrived in the Philippines, where it was the Chinese New Year holiday and the banks were closed.

Luck

Among the 35 requests sent by the hacker, the first few were missing important information and were therefore rejected by the New York Fed's system. The hacker soon discovered the problem, corrected the error and resubmitted. By this time, the New York Fed had cleared 5 requests. The rejection of the other requests was purely a fluke. The recipient of the remittance requests was in the Philippines, and the address happened to be on Jupiter Street. In the New York Fed's system, the word Jupiter matched the name of an Iranian oil tanker. At the time, Iran was sanctioned by the United States, so this part of the requests was also unsuccessful.
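The two checks this account turns on, a sender's request-rate and beneficiary-type baseline and a watchlist word match on the beneficiary address, can be sketched as follows. This is an added example, not code from any bank or from SWIFT: the `Instruction` fields, the `screen` function, the sender name `BANK-A`, the dates, the addresses and the one-word watchlist are all constructed, and only the figures (about 2 requests a month to company accounts, 35 in one day to personal accounts) come from the text above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Instruction:                 # hypothetical, simplified payment message
    sender: str
    day: date
    beneficiary_type: str          # "company" or "personal"
    beneficiary_address: str


def screen(batch, monthly_baseline, usual_types, watchlist):
    """Return {index: [reasons]} for instructions to hold for manual review."""
    per_day = Counter((m.sender, m.day) for m in batch)
    held = {}
    for i, m in enumerate(batch):
        reasons = []
        # One day's traffic exceeding a typical whole month is a burst.
        if per_day[(m.sender, m.day)] > monthly_baseline:
            reasons.append("volume")
        # Beneficiary type this sender has not used before.
        if m.beneficiary_type not in usual_types:
            reasons.append("beneficiary_type")
        # Whole-word match of any address token against the watchlist.
        tokens = set(re.findall(r"[A-Z]+", m.beneficiary_address.upper()))
        if tokens & watchlist:
            reasons.append("watchlist")
        if reasons:
            held[i] = reasons
    return held


def build_sample():
    """Constructed sample: one routine payment, then a 35-message burst."""
    routine = Instruction("BANK-A", date(2024, 1, 12), "company", "1 Harbour Road")
    burst = [
        Instruction("BANK-A", date(2024, 2, 1), "personal",
                    "Jupiter Street" if n % 7 == 0 else f"{n} Sample Avenue")
        for n in range(35)
    ]
    return [routine] + burst


if __name__ == "__main__":
    held = screen(build_sample(), monthly_baseline=2,
                  usual_types={"company"}, watchlist={"JUPITER"})
    print(len(held), "of 36 held")
    print(sum("watchlist" in r for r in held.values()), "watchlist hits")
```

On this sample the watchlist match alone holds only the 5 messages that happen to contain the listed word, while the baseline checks hold all 35 messages in the burst and leave the routine payment untouched.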

The vulnerability of global networks

It turns out that global networks, especially those involving currency transactions, are prime targets for hackers, who have mastered advanced technology and are highly organized.

These hackers are proud of their access to vast data resources, some of them are even sponsored by rogue governments, and they have committed millions of dollars in fraud. The banking industry is also responsible for this. Every time an attack occurs, most banks remain silent and do not announce it to the public, as if this will help. They should share information and conduct investigations in a spirit of openness and cooperation so that system vulnerabilities can be identified and fixed as soon as possible.

The hackers in the Bangladesh Bank attack were familiar with their systems and knew how to avoid some security zones, mainly targeting the weak links in the international payment network. It is possible that these hackers were also involved in the earlier theft of the Ecuadorian bank's account at Wells Fargo in the United States (loss of $1,200). The two banks are currently in court.

Security firm Symantec believes the hackers are part of a group called Lazarus, which claimed responsibility for the 2014 attack on Sony Pictures and said it was sponsored by the North Korean government.

Blockchain and distributed ledgers

Blockchain is used to support the decentralized virtual currency system Bitcoin. The financial system in the world is centralized and serves the fiat currency, which is issued by the government and occupies a certain economic position in the country. Decentralized systems are inherently trustless because there is no central institution or enterprise in these systems, so any decision is made through consensus reached in the system.

The transaction records in the blockchain are irreversible and unchangeable, which is how ownership is established and Bitcoin transfers are realized. It can also prevent the "legitimate owner" from spending the same Bitcoin twice (double spend). Bitcoin transactions are verified by the consensus of computers or nodes participating in the virtual currency system, and there is no single centralized institution to record transactions. The blockchain ensures the openness of the Bitcoin system (permissionless), without the consent or decision of a central agency, and is therefore anonymous.

The definition of a distributed ledger is much broader. Its creators designed blockchain to work with the Bitcoin system, but the distributed ledger architecture can support all types of systems. For example, the distributed ledger systems in the financial services industry are permissioned to avoid excessive anonymity. The applications of distributed ledger systems are very flexible.

Distributed Ledger Architecture and Risk Management

Fraud prevention systems based on distributed ledgers and the simultaneous operation of multiple databases can effectively combat incidents such as the Bangladesh Bank hack. This system can first record confidential transactions to prepare for future transaction verification, but the system will not fully disclose transaction details (unlike traditional blockchains where all transactions are public). Secondly, the system can also store and update authenticated legal information and information about remitters and recipients.

Today, commercial banks and financial institutions are responsible for running their own internal risk management systems and updating blacklist and sanctions information. Leaving the responsibility of developing risk management systems to commercial banks will only lead to serious technical quality issues. A distributed system can benefit anyone in the international market, not just large banks, but even small banks that lack risk management technology.

Typically, the false positive rate in banking systems is high, and transactions are cancelled if they are even slightly suspicious. However, in fact, most transactions only have information omissions, which are corrected before the transaction request is resubmitted. In this way, bank staff responsible for monitoring transactions will relax their vigilance and think that most transactions are harmless. Distributed ledger systems can be maintained by major central banks and large commercial banks. In the long run, whether a centralized network like SWIFT is still necessary is certainly controversial. Indeed, with standardized ISO formats, distributed systems can run freely or with the help of a few key employees.

Collaborative research on "hybrid" systems

Currently, the central bank is developing some "hybrid" systems, where a single institution centrally manages data, but also encourages the development of a large distributed ledger system to ensure network security. Such systems can be used at the international, regional and local levels, ensuring that centralized institutions in different regions can build another layer of protection for the shared decentralized system.

But developing such a system based on international value transfer usually takes a long time and is very costly. It also requires internal cooperation and may even affect private digital keys, which means that during this period, the system is vulnerable to attacks. However, compared with the old system, this hybrid system can identify fraudulent transactions and money laundering activities faster and has more effective remediation measures.

Note: Even the latest and most advanced technology cannot guarantee that a bank's risk management system is 100% perfect. Hackers' attack methods are usually simple and make it easy to gain trust, including implanting viruses, disabling monitoring or printing functions, or simply observing the working patterns and weaknesses of relevant personnel and then choosing the right time to attack. Weekends and statutory holidays are usually more favorable for them.

