How Hackers Stole $100M from the New York Fed (zerohedge.com)
185 points by jayess on March 10, 2016 | hide | past | favorite | 84 comments


First job out of college was at JP Morgan treasury division. Was surprised when working on SWIFT system I had read so much about, it was literally just a fax to TIFF system. Basically just an image viewer.

At the time, 10 years ago, we didn't even have the ability to parse or OCR the images. I was really disappointed in how low-tech this was, and how easy it would have been to make it better.

Perhaps I only saw a piece of it, and it did have more going on. But I always thought "what's preventing someone from faxing in a false trade?" We would execute any trade that got faxed in if the letter head and account numbers looked normal.


Worked at a bank. Usually stayed late/came early/irregular hours. Therefore had access code to the key safe, for confirming everyone put their keys in the key safe.

But this was for front office and back office. Access to all keys. Small team, 10 people.

That's important.

Knew how much we had in the petty cash bank account. Usually around USD 40MM. Liquidity usage, etc. Also had access to the cheque book (via key locked cabinet), where via sealed internal mail, cash payment requests (cheque) were sent to the banking department.

Speaking to a friend in the banking department, he remarked that whitelists of authorised payment receivers were being introduced. Being introduced? "Sure, if a payment request comes in, and it is authorised correctly (signature, in case of cheques), we send it ASAP." "Do you telephone the signer to verify?" "No." "Any transaction limits?" "No." This was 2005.

Could have walked away with USD 40MM - then fled rapidly to another country. But didn't. Well, did go to another country.

Two-factor authentication is essential, and whitelists too - a central bank doesn't change their account number. The Fed seems to have had neither.


I find ZH amusing.. In some ways I think it's the anti-Hacker News.. Hyper negative about the future.. Constant hate for new tech.. (Fear of Skynet).. The system is always rigged and the little guy will never succeed... Posts by right-coast angry ex-traders.. The comments are inane... the cherry-picked stories out of left field but plausible. Etc. The one place the two sites do often intersect is the fear and loathing of government surveillance.. I vote to give ZH stories a fair shake...


I read it every day. If only to contextualize the other news sources I read. FWIW I throw in some infowars when something big happens so I can see how certain segments will try to spin something.


I tried corroborating the claim that the hackers were Chinese. Couldn't find a reliable source. Anyone have anything? For future reference, Zero Hedge is a low-quality source.


It's a penalized site on HN, but this article was vouched for by established users. If there's a more substantive article for this particular story, we can change the URL, but so far the only other one we saw was merely about a spelling mistake. Occasionally the low-quality source has the higher-quality article.



The zerohedge article has more information than either of those articles. It uses those two as sources, plus some Philippine newspapers. Right now it gives a fairly effective summary of the situation. Switching to either of those would be a downgrade, in my opinion.


The zerohedge article is misleading (e.g. "And yes, it does appear that hackers managed to bypass the Fed's firewall") and lacks any semblance of objectivity.


Agence France-Presse/SCMP: Suspected Chinese hackers stole the money from Bangladesh’s foreign exchange account on February 5, according to a Dhaka central bank official and media reports.

http://www.scmp.com/news/asia/south-asia/article/1922556/ban...

VICE: "The Fed had the responsibility to keep the money safe," Shamim Ahamad, press minister at the Bangladesh Embassy in Washington, told VICE News. "We are suspecting that Chinese hackers have done it."

https://news.vice.com/article/bangladeshs-central-bank-accus...


The Chinese hackers thing seems dubious. From another article:

> Security experts said that to pull off the attack, cyber criminals had to first gather information about Bangladesh Bank's procedures for ordering transfers, so that the fraudulent requests would not raise red flags.

> In addition to stealing credentials for processing transfers, the hackers likely spied on Bangladesh Bank staff to get a deep understanding of the central bank's operations, according to experts in banking fraud.

> Kayvan Alikhani, a senior director with security firm RSA, said that in addition to user names and passwords for accessing SWIFT, the hackers likely needed to obtain cryptographic keys that authenticated the senders.

So maybe insiders were involved?

http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN...


It's very likely that an insider is involved and probably the Sri Lankan money transfer has something to do with it.


So SWIFT, the backbone of international monetary transfers, doesn't have some sort of automated way to verify that requests are legitimate? It would seem to me that once a request is received, the only secure thing to do would be to send a hash of the request back to a known system belonging to the originator to verify that the request was authorized.

If SWIFT security is really as bad as this incident seems to suggest, I'm shocked that more fraudulent transfers don't occur.


At least in consumer usage, SWIFT transfers are "push", not pull as you may be used to with American ACH. So the concept of verifying a request doesn't make sense.

It sort of sounds (from the public information) like the Bangladeshi bank's credentials were compromised and used to make fraudulent transfer requests to the NY Fed.

That's not really a problem with SWIFT. Arguably the NY Fed should have flagged the requests as suspicious, but that's probably a best-effort kinda thing.


From the Filipino source here:

http://business.inquirer.net/207742/100-m-laundering-via-ph-...

> a total of $100 million that was brought into the country’s banking system, sold to a black market foreign exchange broker, transferred to at least three large local casinos, sold back to the money broker and moved out to overseas accounts.

Here's how I think that this heist went and I am just speculating here based solely on the info in the report:

- They first wired the money to multiple accounts of a secondary financial institution (Remittance or FX business) which is characterized by heavy and frequent transactions so as not to raise suspicions.

- They collected the money with the help of the facilitator in that organization.

- They exchanged the dollars into pesos and likely in counterfeit bills at very lucrative rates just to account for the risks hoping for more rewards from the operation.

- They took the money and deposited it in the casinos for chips, settling debts and laundering the money in the process.

- They traded the chips for authentic cash from the casinos and then went back to their FX broker to exchange it back in USD.

- Finally, they reached out to their man at the FX/remittance business to have the funds wired overseas to the final recipients and probably masked with other legitimate transactions for better security for them.


Why would you mix a money-stealing operation with a money-counterfeiting one? It doesn't make sense. And we are talking huge sums here; the fake money would quickly show up everywhere in that area.


https://en.m.wikipedia.org/wiki/Money_laundering

Having money in an account is useless as long as it can be traced to the fraudulent transfer. So you move the money through a casino or any other large scale cash flow, such as counterfeiting (buy fake money for cents in the fake dollar and then sell it at a loss somewhere else)


Oh my.

Treasury ops at banks live in fear of clients getting ripped off like this. The liability is probably not the Fed's, but the reputation hit from large value transfer fraud is enough that loss of client business is a very real possibility.

Consider also that the Fed is also facing competition in the intra-government "hold my cash" business from the Chinese, and this could be the first reputational domino in a real geopolitical shift in how funds are held and managed internationally.


Could it be Chinese hackers then?


Given that most of the funds ended up in Hong Kong...

There's more at play here than Bangladesh getting ripped off.


Choice quote:

"In other words, the Fed was funding gamblers, only these were located in Philippine casinos, not in the financial district. Ironically, that's precisely what the Fed does, only it normally operates with gamblers operating out of Manhattan's financial district."


The page this article is on is exhibit A of how broken the internet has become.


Zero Hedge has always looked like this. At least for as long as I can remember. http://web.archive.org/web/20101230091417/http://www.zerohed...


This is pretty much the only reason I still use Safari. The Read mode gives me a clean article. Sad that it's become necessary, really.



I don't understand why you've been downvoted, but after 3 minutes of fighting my Chrome on my phone, I had to give up.


Complaints about poor site UX can often be lodged, and don't address the particulars of the content of the article. It's a distraction.


Agreed. I had to navigate away quickly. Which is a shame because the article was interesting.


Reminds me somewhat of this story, where a German guy suspects the New York Fed is missing some of Germany's gold and won't come clean:

http://www.bloomberg.com/news/features/2015-02-05/germany-s-...


If the funds were sent to casinos, shouldn't the casinos have logs of what the money was used for?


Have you ever been to a casino? You buy chips with cash, then you play with the chips, then you cash the (remaining) chips in for cash. There is no tracking of where each chip came from.

EDIT: Although maybe you're right, if the "gamblers" deposited funds to the casino via wire, direct from the fed, and then exchanged them for chips. So the casinos should presumably have some record of who came to claim that wire in chips.


I'm surprised they haven't started putting RFID tags in every chip so they can track exactly how much each player spends at each game. Combined with proper record keeping, if chips were ever stolen, you could flag them and make sure they can't be redeemed for cash. Maybe in Vegas?


Casino chips have had RFID tags for years.[1][2] The tracking is getting quite good. Casinos can know how much players bet, lost, and won.[3] The casino chip RFID vendors have solved the tag collision problem quite well; casinos can inventory big stacks of chips all at once, obtaining the serial number of each chip.

Chips can be flagged or invalidated by serial number.

[1] http://singularityhub.com/2011/02/12/1-5m-robbery-of-bellagi...

[2] http://www.cnbc.com/2014/04/16/cheaters-may-speed-need-for-p...

[3] http://www.gpigaming.com/rfid-technology/rfid-in-casino-chip...


Where I live the $5k chips and up are tagged. Or they were, ten years ago when I stopped playing. They may all be tagged now.

Casinos have cameras at the cage, and beyond that cash transactions in a casino have the same reportability as cash transactions everywhere. If it's in the US that means IRS paperwork at $10k. I have no idea what the limits are in the Philippines, but I'll bet they have video of the people who collected the money.


Play craps? You'll cycle pretty much all of your chips, and chips you throw to one side get replaced with chips from another side when making field bets -- for example.

Typical player tracking is done through comp cards, where they account for your buy-ins at the table, and buy out at the cashier.


OK, now try doing that with $100MM of chips.


I believe they do that in higher value chips in vegas, http://singularityhub.com/2011/02/12/1-5m-robbery-of-bellagi...


>I'm surprised they haven't started putting RFID tags in every chip so they can track exactly how much each player spends at each game.

and how would casino be laundering money then? :)


The casino doesn't need chips to launder money. That's how other people use the casino to launder money.


>The casino doesn't need chips to launder money.

they do need plausible lack of total control and accounting of all chips' movements.


> There is no tracking of where each chip came from.

Do you have evidence for this? I find it rather plausible that casinos have anti-fraud measures built into their chips to allow tracking of where each chip came from.

EDIT: A quick google shows this is indeed the case for some casinos at least: http://singularityhub.com/2011/02/12/1-5m-robbery-of-bellagi...


Depends on how much cash you're throwing around. Casinos tend to track their high rollers with great precision, but if you're tossing out < $1,000 total it's not an issue.

PS: In the US the government requires casinos to track large winnings for the IRS; they hand out W-9s.


unlikely.

The best way to legally launder money is to use a casino. You bring in your dirty money, exchange it for chips. Then sit on your chips for a week, maybe a month, then go back and cash out your chips for clean money.

Meanwhile, all the cash you moved through the casino is now scattered to some 50-100 different banks as it gets deposited in their daily drops and then transferred as necessary between the banks. In a few weeks, the dirty money is all but untraceable.


But I don't understand something.

You showed up with, let's say, $50k at the casino, and you departed with the same $50k. If you're investigated, you still can't justify the money you walked in with.


Can you claim it as winnings? Do these casinos issue receipts?


Criminal 1 buys $50k in chips using wired funds. Gives chips to criminal accomplices 2, 3 and 4.

CA2, CA3 and CA4 come into the casino a few different times over several months, gamble for while for a net zero gain or loss, and then convert their "winnings" from chips into cash in chunks of $5k or so - flying under the radar.

C1 never needs to come back to the casino where the police might catch him - and he is the only one who is linked to the big heist.


The large-value chips have RFID tags in them. You would be investigated. You'd need to play some game with a slight loss to the casino to swap them out.


That part of the story makes the least sense. So casino gets $100M. Then what?

If the casino isn't involved in the scheme, how can a thief take that $100M, using chips or not?


Convert money to chips, cycle chips around, convert chips to cash. It's a really common money laundering technique, though not usually at this scale.


So casino buys chips from itself, gambles with itself, then exchanges the chips to cash where exactly? That makes no sense.


The implication in the article is that the casinos weren't directly involved in the money laundering. Those who were perpetrating it brought the money into the casinos (i.e. bought chips with "dirty" money), engaged in otherwise legitimate-looking behavior at the casinos, and then cashed out the chips for cash. Apparently, the loop on this was tight enough not to fool investigators.


No, the article says the money was wired to the casinos.


The point of money laundering is to conceal the path of funds. Changing your money into chips and then your chips into money (at different times) accomplishes this. Casinos are remarkably light on the documentation side compared to financial institutions. When you change money into chips you don't get a receipt or have to sign anything, you just get chips. Similarly, you don't need to do anything special to switch chips back into cash. If you're trying to make the funds look really legitimate you can even pay tax on your gambling "winnings".


I don't get how any of this could have happened. So many WTFs. Fraudulent bank wires are reversible, even months after. And how in the world do they not check who they send the money to?


Only reversible if they consider you important enough. Source: got defrauded.


How does that work if the money is no longer at the destination account?


That becomes the destination bank's problem.


Swift payments are reversible if the destination bank agrees. If the money has already moved on they are unlikely to honour that reversal.


Does the Fed make good on the lost money? As they can create it ex nihilo, it literally costs them nothing to make Bangladesh whole.


I would be all for banning submissions from zerohedge.com outright. It's just noise that makes it harder for me to skim headlines for actual content.


Thirded.

ZeroHedge is full of conspiracy theories about the banks, Fed, EU, and the Western World in general. On the other hand, whatever Russia or China does, especially militarily, is great and shows good leadership.

Even this article starts by accusing the Fed multiple times of not noticing the fraudulent wire transfers, when in fact towards the end they say that the feds stopped 90% of the fraudulent transfers and notified the Bangladesh central bank of irregularities!


> whatever Russia or China does, especially militarily, is great and shows good leadership.

I submit the 'China' category page as a counter-argument: http://www.zerohedge.com/taxonomy/term/139

If you just want one recent story, here: http://www.zerohedge.com/news/2016-03-10/world-economy-wreck...


Yes, they do criticize China when it "blatantly props up the market", as ZH would say, but only because it would stink too hard to not say anything when the credo of ZH is that "governments manipulate markets and that's a bad thing".

But if you read the articles, you'll see that ZH has a very favorable opinion of China, especially when it provokes the US, like the current situation in the Spratly Islands.

However Russia, I never ever saw a bad article about them, or especially about Vlad, which is the current ZH hero.


This is probably an unpopular opinion, but I feel the same way about Vice. It's not news, it's entertainment. And when you can't disambiguate the two, it's fucking dangerous.


"The News" exists as a genre because it is entertaining, and this has been true literally since the inception of mass media with the printing press.


> It's not news, it's entertainment. And when you can't disambiguate the two, it's fucking dangerous.

I consider the Daily Show both, as do many others.


Yes VICE makes 100% of everything up. This is why even big news media outlets own a stake in it. Bush did 911 too.


BBC.com is FAR worse than Vice.


I kinda like the articles on Zero Hedge. Is there a reason people on HN don't seem to like it?


They're usually extremely misleading if not completely false. The headlines are all cherry-picked doom and gloom that appeals to the Infowars crowd.. There was a period during the GFC where their reporting was a bit more reflective of reality but it's completely jumped the shark since then. From someone who works in finance, ZH is complete garbage.


ZH was good in 2009. Then it slowly went downhill. It became an anti HFT/anti Fed site, then a gold-bug site, and now a pro Russia/China outlet.

Typical ZH logic: when gold goes up, it's the smart investors noticing the corruption of the "markets" and acting accordingly. When gold goes down, it's the HFTs and the Fed slamming it down because if it goes up it destroys the faith in the US Dollar. If it spikes up, it's smart money doing a play. If it spikes down, it's blatant manipulation by someone without a "fiduciary duty" (i.e. they imply that the seller doesn't care that he loses money because he sells quickly instead of working the order more slowly).


They've gone almost entirely anti-China in the last six months give or take. Here's a very extreme example from today:

http://www.zerohedge.com/news/2016-03-10/world-economy-wreck...


zerohedge.com has been banned on HN for years. This particular story was vouched for by established users, so we left it unkilled.

On HN we care about the quality of the story, not the site. Of course, the two are related; sites are penalized or banned here according to the probability of their stories not being good based on past experience. But it's important to leave room for exceptions.


Wow! That's so 1984 of you.

I wonder if you can burn zerohedge at 451 degrees?


It's already penalized [1] and most submissions would get flagged anyway.

[1] https://news.ycombinator.com/item?id=11263530


Seconded.


I never tire of the quality reportage of Tyler Durden.


Misleading headline, given the first line of the piece is "The story of the theft of $100 million from the Bangladesh central bank"


Yeah the article's title is true but misleading.

They hacked the Bangladesh Central Bank, but stole money from the New York Fed. It is even debatable if the NY Fed is at fault given that the hackers had legitimate credentials to make the transfer (the Bangladeshis are arguing that the NY Fed is still responsible because they should have flagged the casinos as unusual and stopped it).

You'd think that with accounts as large as these they would have a "whitelist" of valid accounts to transfer funds to, and some long convoluted process to add additional whitelist entries.
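Three comments in this thread describe the same family of controls: the key-safe story asks for transaction limits and whitelists, another commenter suggests sending a hash of each request back to a known system at the originator, and this comment asks for a beneficiary whitelist with a deliberate process for adding entries. The following is an added illustration of those controls in one screening routine; it is not code from the page, from any bank, or from SWIFT, and every account ID, key, limit and instruction in it is constructed for the example. The originator's confirmation is modelled as an HMAC over the canonical instruction under a pre-shared key rather than a bare hash, so that someone who only saw the message cannot produce the reply.

```python
"""Payment-instruction screening: beneficiary allowlist, per-transfer and
daily limits, and an out-of-band originator confirmation.
Added example; all identifiers, keys and amounts are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Instruction:
    reference: str      # sender's own transaction reference (constructed)
    originator: str     # account the funds leave (constructed ID)
    beneficiary: str    # account the funds go to (constructed ID)
    amount: Decimal
    currency: str


@dataclass(frozen=True)
class Policy:
    allowlist: frozenset         # beneficiaries approved through a separate process
    per_transfer_limit: Decimal  # ceiling for a single instruction
    daily_limit: Decimal         # ceiling for everything released in one day


def canonical(instr: Instruction) -> bytes:
    """Deterministic byte form so both sides authenticate exactly the same fields."""
    fields = [instr.reference, instr.originator, instr.beneficiary,
              str(instr.amount), instr.currency]
    return "|".join(fields).encode()


def confirmation_tag(instr: Instruction, shared_key: bytes) -> str:
    """What the originator's known system answers when asked 'did you send this?'.
    HMAC-SHA256 under a key shared out of band; a plain hash would be forgeable
    by anyone who saw the instruction."""
    return hmac.new(shared_key, canonical(instr), hashlib.sha256).hexdigest()


def screen(instr: Instruction, policy: Policy, released_today: Decimal,
           tag_from_originator: Optional[str], shared_key: bytes):
    """Return ('release' | 'hold', reasons). Every control is evaluated so a
    reviewer sees all failures, not just the first one."""
    reasons = []
    if instr.beneficiary not in policy.allowlist:
        reasons.append("beneficiary not on allowlist")
    if instr.amount > policy.per_transfer_limit:
        reasons.append("exceeds per-transfer limit")
    if released_today + instr.amount > policy.daily_limit:
        reasons.append("would exceed daily limit")
    expected = confirmation_tag(instr, shared_key)
    if tag_from_originator is None or not hmac.compare_digest(expected, tag_from_originator):
        reasons.append("originator did not confirm this instruction")
    return ("hold" if reasons else "release"), reasons


def demo():
    """Constructed scenario: one routine transfer, one to an unknown
    beneficiary with no confirmation, one whose amount was altered in transit."""
    key = b"constructed-shared-key"
    policy = Policy(allowlist=frozenset({"BENEF-ALLOWED-001"}),
                    per_transfer_limit=Decimal("20000000"),
                    daily_limit=Decimal("50000000"))
    routine = Instruction("REF-1", "ORIG-001", "BENEF-ALLOWED-001",
                          Decimal("5000000"), "USD")
    unknown = Instruction("REF-2", "ORIG-001", "BENEF-NEW-999",
                          Decimal("30000000"), "USD")
    # The originator confirms the routine amount; the amount is then altered.
    tag_for_routine = confirmation_tag(routine, key)
    altered = Instruction("REF-1", "ORIG-001", "BENEF-ALLOWED-001",
                          Decimal("9000000"), "USD")
    return {
        "routine": screen(routine, policy, Decimal(0), tag_for_routine, key),
        "unknown": screen(unknown, policy, Decimal(0), None, key),
        "altered": screen(altered, policy, Decimal(0), tag_for_routine, key),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

The allowlist itself is the weakest point of the design: adding an entry must go through a separate, slower path (a second approver, a call-back on a number already on file) or the control collapses into the same single credential the attackers already had.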


In the context of the New York Fed, transactions of tens of millions of dollars, as in this example, are essentially tiny.


The money was the Fed's money but it was stolen by hacking the Bangladesh CB. It is both true and misleading.


ZH hates the fed so I'm sure they're eager to imply that the fed is somehow at fault, even if doing so is a stretch. Notice all the non-value add editorial jabs at the fed sprinkled throughout the piece.


The money was held in the Fed.


"... by way of the New York Federal Reserve". That's ambiguous enough to make it not at all obvious what an accurate, neutral title would be. We're happy to have people suggest one, but don't have time to study this case.



