THE FALLACY OF BANK HACKING AND HOW DIGITAL MONEY IS ACTUALLY STOLEN
Hollywood is a town that is predominantly liberal and Democrat. Its folks think they hold the moral high ground that champions the rights of everybody... except those who do not share their values and ideology. They hold the biggest megaphone that influences national culture, which is exported overseas through cinemas, TV and YouTube. Art reflects life, and so the cultural ethos of the land is portrayed in the story lines. In the last couple of decades, liberal progressivism has led the Hollywood complex to become activist, no longer reflecting life but promoting their culture of transgenderism, LGBTQ, socialism, anti-law and order, anti-Christianity, and the full wokeism combo including Trump-bashing. So we see a non-white Snow White, a gay Star Wars and so on. The attempt at normalising their nihilism is no longer subtle but in your face.
If a theme is repeated all too often, the things you see on the screen become all too familiar. They become normalised. Over time, the average person begins to think those behaviours are normal. That's how cultures get hijacked.
The real-time flowing cash display is pure cinematic fiction
As an illustration, let's take a look at how hackers moving digital money out of financial institutions are portrayed. These can be seen in classics such as Firewall (Harrison Ford, 2006), Swordfish (John Travolta, Hugh Jackman, 2001), The Italian Job (2003), Inside Man (Denzel Washington, 2006), Wall Street: Money Never Sleeps (2010), Margin Call (2011), etc.
User Interface (UI) is everything you see and interact with on a screen. UI is the visual and interactive layer between a human and a system. You see things like buttons, menus, text fields, icons, sliders, progress bars, dashboards, touch gestures, etc. The progress bar you see -- 10% uploaded... 20% uploaded... 30% uploaded -- is a lie, not reality. It is simply there to create a false confidence in the users that the system is working, not a real depiction of the progress. Imagine you download something, and the screen hangs while the downloading is taking place. You would think something has gone wrong. Long ago I helped develop apps with a coder named Hadeep. When the system is doing some work, his UI is simply a flashing sign that says "Deep Thinking.....", an ingenious play on his own name! This is all about behavioural design - building user confidence.
The feature image above is a typical UI in a Hollywood movie showing a digital bank heist in progress.
Depending on the movie, Hollywood may show only the money flowing out of an account, or into a receiving account. The feature image shows both accounts, one being drained, the other building up, in real time. You see a meter-like gauge of cash moving continuously in real time - hundreds, thousands, millions. After you have watched your 3rd movie, you probably think that's what actually happens. Movies shape perception; that is why they are a perfect propaganda tool.
That's how Hollywood activism normalises its version of the world to its audience. For the last two decades Hollywood has been trying to tell you the world is full of woke people, of a topsy-turvy world of inverted morality. That is why the sale of Warner Brothers to Netflix is very dangerous. Netflix sits on the extreme left of the ideological divide. 99% of Netflix and Warner Bros employees contribute to the Democratic Party. A huge megaphone will be given to progressive leftist activists to practically monopolise the ability to influence culture. Politics is downstream of culture. This is why Trump will try to stop this sale at all costs.
Coming back to our digital money heist. Those with knowledge of systems and banking know the Hollywood portrayal is utter nonsense.
Data travels over networks in packets. All those text, video and audio files, those images that you upload or download, are broken up into discrete blocks called packets in standard structured ways and transmitted over the networks. In fact, the various packets that make up your transfer do not even travel the same network path. But they all arrive at the same destination, where they are reassembled into the exact same message. This process, known as packet switching, is the foundational method for transmitting data on modern networks. There is no linearity in data transfers. Data does not stream like one continuous uninterrupted river. No digital money moves a dollar at a time from one account into another.
Hollywood's inventions are direct database access, editable balances, instant deposits and glowing meters. None of that exists in modern banking.
You cannot teleport money from POSB into a Swiss bank account
From movies you get the impression hackers get into an account and change balances. That's impossible. In a real bank, balances are not editable fields. If you look at an ATM or your online bank app, you see a balance of $1,000,000. But in the database there is no such line of $1,000,000 that the hacker can edit. A balance is a derived value calculated from a ledger full of transactions. Each transaction has full details of source, destination, amount, time, authorisation and audit trail. Even if the hacker can somehow change the display to show "zero" or a $5,000,000 balance, the reconciliation would fail, the display gets reversed, and alerts are triggered immediately. This is why banks don't fear balance tampering. Banks fear fraudulent transactions and process abuse.
In order to change balances, money must move through the bank's own rails by means such as internal transfer systems, interbank payment systems, approved message formats, valid credentials, etc., and be processed via the bank's systems.
That is why criminals must use impersonal accounts (they use fronts, shell companies, nominees, trusts, ghost corporations), compromise credentials, abuse internal processes, or corrupt insiders.
All movements in and out of an account must originate from a transaction via the bank's applications, such as ATMs, over-the-counter transactions, settlements arising out of pre-dated transactions such as foreign exchange, loan servicing, trade transactions, charge card payments, remittances, etc. That is, they all originate from the various financial products offered by the bank. Save for self-service at ATMs and online apps, all transactions are processed in an environment with segregation of duties, dual controls and documentation. There are some exceptions for adjusting entries - these are passed under tight controls.
Deposits cannot appear out of nowhere. You cannot type a number and drag money into it. A deposit requires proof of origin -- cash deposit at an ATM, cheques through the clearing house system, wire transfers with originating bank confirmation, an internal credit with a matching debit elsewhere, etc. -- and transactions get updated into the account via the bank's internal processes.
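As an added illustration of the derived-balance point (example code written for this page, not anything from the post or from any bank's system): a toy append-only ledger where the balance is always recomputed from transactions, plus the reconciliation check that catches a tampered display. Account names, user ids and amounts are constructed.

```python
"""Added example (not from the original post): why a balance cannot be 'edited'.

Constructed toy ledger: each entry is an immutable transaction with source,
destination, amount, time and authoriser. The balance an app shows is derived;
reconciliation recomputes it from the ledger and flags any tampered display.
Account names, user ids and amounts are hypothetical.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    source: str          # account debited ("CASH-ATM" for a cash deposit)
    destination: str     # account credited
    amount: Decimal
    timestamp: str
    authorised_by: str   # part of the audit trail


class Ledger:
    """Append-only list of transactions; there is no balance field to overwrite."""

    def __init__(self) -> None:
        self._entries: List[Transaction] = []

    def post(self, txn: Transaction) -> None:
        # Every credit needs a matching debit somewhere: no deposits from nowhere.
        if txn.amount <= 0:
            raise ValueError("amount must be positive")
        if txn.source == txn.destination:
            raise ValueError("source and destination must differ")
        self._entries.append(txn)

    def balance(self, account: str) -> Decimal:
        """Derive the balance: credits received minus debits sent."""
        total = Decimal("0")
        for t in self._entries:
            if t.destination == account:
                total += t.amount
            if t.source == account:
                total -= t.amount
        return total


def reconcile(ledger: Ledger,
              displayed: Dict[str, Decimal]) -> List[Tuple[str, Decimal, Decimal]]:
    """Return (account, displayed, derived) for every cached balance that disagrees
    with the ledger; in a real bank each hit reverses the display and raises an alert."""
    return [(acct, shown, ledger.balance(acct))
            for acct, shown in displayed.items()
            if shown != ledger.balance(acct)]


def sample_ledger() -> Ledger:
    """Constructed activity: a cash deposit, then an internal transfer."""
    ledger = Ledger()
    ledger.post(Transaction("T1", "CASH-ATM", "ACC-001", Decimal("1000000"),
                            "2016-02-04T09:00", "atm-01"))
    ledger.post(Transaction("T2", "ACC-001", "ACC-002", Decimal("250000"),
                            "2016-02-04T10:30", "teller-07"))
    return ledger


def demo() -> List[Tuple[str, Decimal, Decimal]]:
    """Constructed scenario: an attacker changes only what the screen shows for ACC-001."""
    display_cache = {"ACC-001": Decimal("5000000"), "ACC-002": Decimal("250000")}
    return reconcile(sample_ledger(), display_cache)
```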
Real financial crimes happen not by hacking balances, but by abusing legitimate pathways
Every method of digital theft still uses the bank's own payment systems. The common real methods are:
- Credential theft: The attacker obtains the user's password through phishing, SIM swaps or malware, then logs in as the user and transfers money via the normal bank process.
- Process exploitation: Fake invoices, payroll fraud, refund abuse, over-crediting then withdrawing before reconciliation.
- Insider abuse: Employees with posting/payment authority, override rights, manual adjustments.
- Interbank timing: Float exploitation, settlement delays, cross-timing gaps.
Almost every major banking scandal is a failure of AML (anti-money laundering) or compliance, not hacking.
AML is a control framework -- laws, rules, systems and controls -- designed to prevent criminals from hiding illegal money, moving it through banks and making it look legitimate. Basically, AML answers 3 questions -- who are you (KYC - know your customer), where does the money come from, and does the transaction make sense? If any answer looks wrong, it is flagged. Management reviews the transaction and customer history, requests documents if necessary, then decides to release, hold or report. That's why some transactions get delayed. If suspicious, the bank files a Suspicious Transaction Report with the regulatory authority. The customer is not told; the bank does not inform the customer. The bank provides intel, the regulator does the investigation.
For AML monitoring, banks have 2 tasks:
- Observation: Watch out for what seems unusual in relation to the transaction and the customer, such as -- sudden large transfers, unusual destinations, rapid in-out movement, structuring (many small amounts), mismatch with income profile, etc.
- Screening: Continuous checks against sanctions list, terrorist lists, PEPs (politically exposed persons), other watchlists.
Just like auditors who do not, and cannot, check all transactions, AML does not watch everything live like CCTV. Audits are test-based, AML is probabilistic and risk-based. Audits look for exceptions, AML looks for patterns.
Even when someone uses valid credentials, banks still ask the same 3 questions. That's why criminals don't do one big transfer, one account, in one single moment. They do many steps, many accounts and over many days or months.
Banks look out for unusual transactions and decide whether they are worth checking. They are not looking out for illegal transactions. AML failures may get banks fined, cost them their banking licence, or get them cut off from the global system. Thus banks would rather risk annoying customers than a regulatory finding of negligence.
Where relationship managers outrank compliance managers
Examples where banks failed despite AML:
Danske Bank, Estonian branch (2007-2015):
Non-resident clients (from Russia, Azerbaijan, Moldova, Ukraine) moved EUR 200 billion in suspicious transactions. The accounts were legal and the money moved through normal banking channels. Transactions were red-flagged internally, but head office failed to act for years. It was finally reported by whistleblowers. These transactions were sanctions evasion by oligarch networks moving corrupt money. This was a compliance failure, not a technical one. Consequence - huge fines. The bank exited Estonia.
HSBC in Mexico and US (2000-2010):
Mexican drug cartels moved hundreds of billions in cash and wire transfers through the bank. Again, the transactions passed through legitimate HSBC channels. It was a total AML failure: deficient controls, internal warnings ignored, KYC failure, huge cash deposits accepted without raising questions. Consequence - US$1.9 billion fine. No criminal prosecutions of executives.
1MDB:
Goldman Sachs helped raise US$6.5 billion in bonds for 1Malaysia Development Berhad. US$4.5 billion was misappropriated (as estimated by the US Dept of Justice). But this was not an AML failure. Red flags were raised (PEPs, offshore accounts, unclear source of funds, purchase of luxury items) across the various banks involved, but were stood down. It was a classic case of relationship managers outranking administrative compliance managers! Consequences - Goldman Sachs fined US$5 billion in the US and paid compensation to Malaysia; BSI Bank, Singapore, shut down; Falcon Private Bank shut down; DBS, StandChart, UBS & Credit Suisse fined with remediation; Tim Leissner, Goldman Sachs head for S.E. Asia, jailed in the US (a short 2 years because he assisted in the investigation); Roger Ng (Goldman Sachs Malaysia, head of investment banking) jailed 10 years in the US; Yeo Jiawei (BSI wealth planner) jailed 4.5 years in Singapore. The three management convictions were due to personal enrichment.
A classic case of hacking, AML success and failure -- one for the textbooks:
In 2016, the Central Bank of Bangladesh purportedly sent 35 SWIFT payments amounting to US$1 billion to the Federal Reserve Bank of the US. 5 of the payments went through and 30 were stopped, either by the Fed or by the various correspondent banks.
Where the hacking succeeded:
Malware allowed the hackers to observe the bank's operations for months. SWIFT itself was not hacked. There was obvious collusion in terms of access to passwords: a printer was switched off to prevent early detection, and the SWIFT system was not switched off after close of business. It was a case of valid credentials and use of the bank's rails. Nothing to do with the bank's database or ledgers.
Where AML succeeded and failed:
5 payments went through to beneficiary banks; 30 of the payments were stopped by either the Fed or correspondent banks in the US. The Fed stopped many but not all the payments. The hackers had broken the payments into 35 smaller payments of a few million each (that's called structuring). By central bank standards, the size of each payment by itself is not suspicious. AML triggered at the Fed because too many payments were coming at the same time; at the correspondent banks, they saw the receiving parties were suspicious (it is unusual for a central bank to pay private individuals). This underlines the fact that AML is not 100% fool-proof.
Where normal banking controls succeeded:
1 payment of US$20m passed through the Fed and a correspondent bank and was received by the beneficiary bank, Commercial Bank of Ceylon. The bank could not apply the funds, i.e. credit the ultimate beneficiary account holder Shalika Foundation, because of a spelling error. The payment instruction was for the account of "Shalika Fandation". The money was subsequently returned to Bangladesh.
Where AML and bank controls failed miserably:
4 payments totalling US$81m reached Rizal Banking Corp in the Philippines. The 4 payments were for different accounts in the Jupiter Branch, Makati. AML failed at the head office (private individuals receiving millions is a suspicious pattern). The funds were credited to the receiving branch where the ultimate beneficiaries maintained their accounts. The 4 accounts were newly opened. The branch CCTV was accidentally down on the day the account holders came to authorise the transfer of funds to a remittance company. The remittance company did a foreign exchange deal with the bank and the pesos were sent to casino junkets. Collusion by multiple bank employees was written all over the place, without which the money would not have been released by head office to the branch, by the branch to the account holders, by the branch to allow consolidation and layering via a remittance company, by head office to do a same-day value of a massive US$81 million FX deal with a small remittance company, and by a chief cashier who could provide US$81m worth of peso liquidity for a small branch (at an exchange rate of 48, that's about 3.9 billion pesos in currency notes).
Instead of an immediate lockdown to freeze the funds, Manila went on a high-profile Congressional inquiry where legislators milked publicity for a coming election, with grandstanding performances asking silly questions, demonstrating a complete lack of understanding of banking operations. Only US$15 million was recovered and returned to Bangladesh. Just to throw this in - the hackers exploited the cross-timing gap mentioned earlier. The SWIFT payments were transmitted after bank closure on Thursday night. New York was at late evening closing time on Thursday night. Manila was opening on Friday morning. Dhaka had its day off on Friday. That gave the hackers' compatriots a full Friday and Saturday morning to clean out and wash the stolen money at the casinos. Dhaka was closed, New York near to closing, Manila was open.
Stealing money from banks never happens in the way Hollywood sells it. There is no way hackers can access banks' databases. Theft is always by way of stolen credentials, use of the banks' rails, failure of AML and bank controls, often with collusion of bank employees. Where there is elite capture, criminals walk into the bank by the front door. In the many instances of money laundering in Singapore that went undetected for years, with establishment figures wining and dining in their midst, one wonders whether these Chinese criminals walked through the front door.
This platform has withdrawn its subscriber widget. If you like blogs like this and wish to know whenever there is a new post, click the button to my FB and follow me there. I usually intro my new blogs there. Thanks.
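An added example (written for this page, not code from the post or from any bank's or regulator's system) that turns the AML questions listed earlier, the observation and screening tasks, and the patterns in this case into a toy rule-based screen: beneficiary watchlist, a central bank paying private individuals, too many payments from one originator at once, and instructions sent while the originator is closed, plus the beneficiary-name check of the kind that stopped the Sri Lanka payment. All names, lists, amounts, timestamps and thresholds are constructed.

```python
"""Added example (not from the original post): a toy rule-based AML screen.

The post's three AML questions become rules over a constructed batch of payment
instructions shaped loosely like the 2016 case: one originator, several payments
at once, some to private individuals, sent on the originator's day off.
Every name, list, amount and threshold here is constructed/hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class Instruction:
    ref: str
    originator: str
    originator_type: str    # "central_bank", "corporate", "individual", ...
    beneficiary: str        # name exactly as written on the instruction
    beneficiary_type: str
    amount_usd: int
    sent_at: datetime       # originator's local time


WATCHLIST = {"Example Remittance Corp"}                 # constructed, not a real list
ORIGINATOR_CLOSED_WEEKDAYS = {"Bank of Example": {4}}   # 4 == Friday, the day off
VELOCITY_LIMIT = 5                                      # instructions per originator per batch


def screen(batch: List[Instruction]) -> Dict[str, List[str]]:
    """Return {ref: [reasons]} for every instruction that should be held for review."""
    flags: Dict[str, List[str]] = {i.ref: [] for i in batch}
    for ins in batch:
        # Screening: who are you? Beneficiary against sanctions/PEP/other watchlists.
        if ins.beneficiary in WATCHLIST:
            flags[ins.ref].append("watchlist")
        # Does it make sense? A central bank paying a private individual does not.
        if ins.originator_type == "central_bank" and ins.beneficiary_type == "individual":
            flags[ins.ref].append("profile_mismatch")
        # Sent while the originator is closed: the cross-timing gap.
        if ins.sent_at.weekday() in ORIGINATOR_CLOSED_WEEKDAYS.get(ins.originator, set()):
            flags[ins.ref].append("out_of_hours")
    # Observation: too many payments from one originator at once (structuring/velocity).
    per_originator = Counter(i.originator for i in batch)
    for ins in batch:
        if per_originator[ins.originator] > VELOCITY_LIMIT:
            flags[ins.ref].append("velocity")
    return {ref: reasons for ref, reasons in flags.items() if reasons}


def can_apply_funds(instructed_name: str, account_name_on_file: str) -> bool:
    """Beneficiary-bank control: credit only if the instructed name matches the account."""
    def norm(s: str) -> str:
        return " ".join(s.split()).casefold()
    return norm(instructed_name) == norm(account_name_on_file)


def sample_batch() -> List[Instruction]:
    """Constructed batch: seven instructions from one central bank, all on a Friday."""
    sent = datetime(2016, 2, 5, 1, 15)   # constructed timestamp; weekday() == 4
    batch = [Instruction(f"P{n}", "Bank of Example", "central_bank",
                         f"Private Individual {n}", "individual", 6_000_000 + n, sent)
             for n in range(1, 6)]
    batch.append(Instruction("P6", "Bank of Example", "central_bank",
                             "Shalika Fandation", "ngo", 20_000_000, sent))
    batch.append(Instruction("P7", "Bank of Example", "central_bank",
                             "Example Remittance Corp", "corporate", 25_000_000, sent))
    return batch
```

The whole batch gets held by the velocity rule, which is what a "too many at once" trigger at a correspondent bank does; a single instruction on its own only trips the profile and timing rules.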