DAWN.COM Logo

Today's Paper | April 30, 2024

How a simple spelling mistake helped stop a $1bn digital bank heist

Andrea Peterson Published March 13, 2016

It was just a few letters off: Someone misspelled “foundation” as “fandation” on an online payment transfer request. But that simple typo helped stop hackers from getting away with a nearly $1 billion digital heist last month, Reuters reports.

Hackers broke into the Bangladeshi central bank’s computer systems, according to anonymous officials at the financial institution cited by Reuters, stealing the credentials needed to authorize payment transfers. The attackers used the stolen information to ask the Federal Reserve Bank of New York to make massive money transfers — nearly three dozen of them — from the Bangladeshi bank’s account with the Fed to accounts at other financial institutions overseas.

Four transfers to accounts in the Philippines, totaling abut $80 million, worked. But then a fifth request, for $20 million to be sent to an apparently fictitious Sri Lankan nonprofit, was flagged as suspicious by a routing bank due to the “fandation” error.

The Bangladesh central bank was able to stop that transaction after the routing bank asked for confirmation. “The Sri Lankan bank did not disburse it immediately, and we could recover the full amount,” the central bank told the Financial Times.

The requests waiting to be processed — amounting to a total of between $850 million and $870 million, according to an unnamed official cited by Reuters — were also halted. So if it weren’t for that typo, the attackers may have escaped with an even bigger payday.

Bangladesh’s finance minister has blamed the incident on the Federal Reserve and said his government will “file a case in the international court against” the financial institution, according to local outlet the Dhaka Tribune.

A New York Fed spokesperson denied the accusation, telling The Washington Post in a statement that “there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question” or that the institution’s systems were compromised. According to the spokesperson, the payment instructions were “fully authenticated” using standard methods.

“The Fed has been working with the central bank since the incident occurred and will continue to provide assistance as appropriate,” the spokesperson said.

Bloomberg-The Washington Post News Service

Published in Dawn, March 13th, 2016

Read more

On DawnNews
Dawn News English
Comments (31) Closed
N K Ali
Mar 13, 2016 10:10am
That is why proper pronunciation and spelling are very essential to understand what the question and instructions are. Our bankers have to realise the importance of spoken and written English. Salams
Recommend 0
anees from zaida
Mar 13, 2016 10:13am
These hackers need to learn from our politicians - learn how to embezzle, not English.
Recommend 0
Don't ask
Mar 13, 2016 10:23am
So, close!
Recommend 0
A. Khan
Mar 13, 2016 10:29am
Good education is so important. Otherwise invest in spell check software.
Recommend 0
Syed Dilawar M. Shah
Mar 13, 2016 10:41am
Hahaha very well done fandation.
Recommend 0
Farhan Hashwani
Mar 13, 2016 10:49am
100 million is not 1 Billion. infact 1000 million is 1 billion. Farhan Hashwani - from Adelaide Australia
Recommend 0
Arslan Sheikh
Mar 13, 2016 10:51am
Their educational 'fandations' were not so strong. I guess they can now afford good tuition with the stolen money.
Recommend 0
Muhammed
Mar 13, 2016 10:52am
if true - it makes our digital life so scary ? one billion dollar is a whole lot big amount !!!! we all must ensure that we know at least 40% of internet security methods (passowrds, changing them regularly, updating the systems and not to download stuff from internet that is not relevant !!!!!!
Recommend 0
UR
Mar 13, 2016 10:57am
It is a clear message from underworld techies to the governments they can get what they want and besides that they just wanted to show their supremacy which they did with style. 'Fandation' was deliberate not by mistake.
Recommend 0
Skeptic
Mar 13, 2016 11:22am
Nothing more hilarious than a clumsy thief!
Recommend 0
Skeptic
Mar 13, 2016 11:27am
@anees from zaida But those who cannot hack, become Politicians! At least the hacker has some computer skills.
Recommend 0
zak
Mar 13, 2016 11:30am
Could be inside job, how they simply got authorisation data and codes then stole. Something fishy. Must have been destined for swiss banks, where politicians and leaders hide their money.
Recommend 0
SKZ
Mar 13, 2016 11:44am
@zak ..You are right... and most of our politicians are not well educated and one can expect the spelling mistakes from them..
Recommend 0
Sonny Afridi
Mar 13, 2016 11:51am
That would've put a huge dent in their economy. Lucky that the bank notified the BD govt. That's why millions are spent on cyber security
Recommend 0
Philosopher (from Japan)
Mar 13, 2016 11:58am
Don't enjoy what they left should regret what they have earned. Poor internet security.
Recommend 0
Haque Parast
Mar 13, 2016 12:20pm
"Four transfers to accounts in the Philippines, totaling abut $80 million, worked."... abut but not exakt!
Recommend 0
Farhan Kermani
Mar 13, 2016 12:22pm
Its not the spelling mistake that Bangladesh should take a sigh of relief on but think how the same could be prevented in future. Bank heist online could happen again. Put in fool proof measures and sound internal controls.
Recommend 0
Abdulla Hussain
Mar 13, 2016 01:12pm
Just out of curiosity, are such fictitious transfer non recoverable. I am sure the culprits can be apprehended & the amount recovered.
Recommend 0
Shahid
Mar 13, 2016 03:55pm
The person who spelled foundation for fandation should be caught and fined 80m USD and given a jail sentence for such a big spelling mistake.
Recommend 0
Zeezee
Mar 13, 2016 05:07pm
Almost happened with my elder brother here in the UK. He was paying for a property when someone hacked the email. They solicitor received the same mail but the account no. Was different . The solicitor just double checked and found that the account no. was different from the one she thought she had earlier had. The solicitor realised it was a hack into the system and alerted all. Almost £200k would have gone with the wind :p
Recommend 0
Engr.Khan
Mar 13, 2016 06:05pm
Engineers are good at Math and they dont care too much about English....This incident proved that English is as important as Math..:)
Recommend 0
M.Saeed
Mar 13, 2016 09:32pm
There are some genuine mistakes that halt genuine payments. For example, we have genuine spellings of Muhammad, Mohammad and Mohammed, well accepted in the country. Therefore, a person transferring funds to a person with Muhammad in name, might get money held-up under suspense account just because the computer would not accept the different spellings, that people would often write as they are accustomed to write, not noticing the slight difference.
Recommend 0
Ali Dublin
Mar 13, 2016 10:00pm
@Farhan Hashwani ya you didn't read the whole article. Unbelievable, typical, read the whole thing before jumping the guns
Recommend 0
ZAMAN
Mar 13, 2016 10:46pm
A Bangladesjhi data communication engineer experience inSWIFT system suggested that it is unlikely that the transfer had occurred without someone(s) from Bangladesh being physically present in the Bangladesh Bank room where the SWIFT system resides. Chances are that someone around the head person of Bangladesh was involved.
Recommend 0
WAIZ
Mar 13, 2016 10:55pm
@Farhan Hashwani Would you pls also go through the 5th paragrah to understand the one billion dollar heist.
Recommend 0
SMI
Mar 13, 2016 10:58pm
lol how stupid system we have 1. Why there is no verification for such a huge transaction. 2. Why it is difficult to recover such transactions if from and to accounts are known. 3. Why there is no law to request for reverse transaction to receving bank from authorize bank personel for such type of transfer
Recommend 0
ak4pk
Mar 14, 2016 02:32am
But how can such a large sum of money disappear without trace. The money was transferred to a bank account and not on to the back of a truck. There is no reason why the beneficiary account and the account holder cannot be identified. Unless of course the banks are maintaining secretive and untraceable accounts in which case they are aiding and abating crooks. There is no way banks should be allowed to get away with it.
Recommend 0
Naseer
Mar 14, 2016 04:24am
@Farhan Hashwani The attempt was for $1 billion spread over 3 dozen transactions out of which only 4 got thru for $80 million. Read the article again.
Recommend 0
Farhan Hashwani
Mar 14, 2016 12:10pm
@ Nasir - Thanks for correcting me. Farhan Hashwani from Adelaide Australia.
Recommend 0
Maruf Amin
Mar 14, 2016 01:19pm
@Farhan Hashwani they tried to transfer 1billion (1000 million) but failed but they were successfully able to hack 101 Million. Read properly before makkng a comment
Recommend 0
Zak
Mar 15, 2016 01:01pm
I guess in their glee, the person had 'fun' on his mind. Good he did not write ' fundation'.
Recommend 0

Latest Stories

dawn images site

Most Popular

01
02
03
04
05
06
07
08
09

Must Read

Opinion

Editorial

Weathering the storm
Updated 29 Apr, 2024

Weathering the storm

Let 2024 be the year when we all proactively ensure that our communities are safeguarded and that the future is secure against the inevitable next storm.
Afghan repatriation
29 Apr, 2024

Afghan repatriation

COMPARED to the roughshod manner in which the caretaker set-up dealt with the issue, the elected government seems a...
Trying harder
29 Apr, 2024

Trying harder

IT is a relief that Pakistan managed to salvage some pride. Pakistan had taken the lead, then fell behind before...
Return to the helm
Updated 28 Apr, 2024

Return to the helm

With Nawaz Sharif as PML-N president, will we see more grievances being aired?
Unvaxxed & vulnerable
Updated 28 Apr, 2024

Unvaxxed & vulnerable

Even deadly mosquito-borne illnesses like dengue and malaria have vaccines, but they are virtually unheard of in Pakistan.
Gaza’s hell
Updated 28 Apr, 2024

Gaza’s hell

Perhaps Western ‘statesmen’ may moderate their policies if a significant percentage of voters punish them at the ballot box.