21 March 2009

Sumitomo: Anatomy of $423m Fraud that failed

The Register offers a fascinating analysis of one of the most audacious Bank heists of the past few years, and the story of the patient investigation which led to the conviction earlier this year of most of its suspects.

It has elements of a classic heist -- the inside man, recruited with thoughts of greed to compromise internal security controls (in this case, tampering with cameras and giving the criminals access to the bank at weekends), the hackers, and the money launderers.

The technology used was simple and readily available -- a commercial keystroke logging software package, installed on critical PCs in a trading room to capture account details and passwords. The target was the Swift system -- the world-wide and widely trusted system for transferring money between banks around the world. Sumitomo was the victim -- and if it wasn't for a crucial lack of vital information, the crooks would have got away with it.

Accomplices around the world -- in Spain, Dubai, Turkey, Israel, Singapore and Hong Kong -- were ready to assist with laundering of the money, seeking to withdraw the large sums from counterparty banks. Luckily, the banks never received the wire transfers, because the Swift forms had not been correctly filled out, and the bank's internal controls prevented the losses.

The lesson here is that insiders can always be compromised, but robust internal controls with strict separation of duties can prevent most issues. The criminals were unlucky (or incompetent) because they failed to fill out the Swift forms correctly -- had they done so, it is likely they would have made a great deal of money. Another lesson is that username/password pairs are not enough -- at least two-factor authentication should be used.

Most importantly however, is that Sumitomo Bank made the correct decision in reporting this crime as soon as possible to the authorities, and diligent police work led, four years after the fact, to the successful prosecution of most of those responsible.

No comments: