undefined | Better HN

0 pointsacdha1y ago0 comments

Nothing is true in absolute terms but banks care about loss percentages and that’s much better in the real banking sector.

For example, the national bank of Bangladesh was compromised in 2016, believed to be a well-resourced attack by North Korea, and the attacker was able to attempt to transfer $1B. That’s about as severe as it gets, but the U.S. Federal Reserve blocked 85% of the transferred funds and of the remaining funds, all of the money sent to Sri Lanka was recovered, and they were able to recover some of the funds laundered through a corrupt bank in the Philippines whose manager was subsequently charged. About $64M was laundered through casinos which were not at the time required to follow KYC.

https://www.bbc.com/news/stories-57520169

So, not great, but the losses are under 10% of the amount the hackers had access to and there’s still a chance of recovering the rest - that’s survivable with insurance and it’s basically the traditional finance world at its worst in terms of corruption & poor preparation. Compare it to cryptocurrency, where losses on that scale happen multiple times a year rather than once a decade, and the attackers have a much easier time laundering funds through the infrastructure setup for exactly that purpose. North Korea is getting over a billion dollars a year from cryptocurrency, which is much better than the tens of millions at greater risk they got here.

0 comments

which1y ago

The money was only stopped at the Federal Reserve because the address used in some of the wire transactions included the word Jupiter which was a sanctioned entity at the time and the matching was sufficiently fuzzy that this was caught. That was a complete accident. It just as easily could have gone the other way. I just read a case on the layoffs subreddit where a law firm was hacked and one of their clients was tricked into wiring millions of dollars to the wrong account, resulting in the client suing the law firm for negligence and the law firm having to fire a bunch of people. One Latvian guy tricked Google and other large tech companies into wiring him a hundred million dollars total which was only recovered because he was arrested and plead guilty. Business email compromise is a huge plague on society and in many cases the recovered amount is trivial.

The only way you are recovering the bulk of losses if you don't notice the theft very quickly is if the amount is high enough that a prosecutor is interested and it hasn't all been withdrawn as cash yet.

latchkey1y ago

This discussion has really gone off the rails.

All I was saying was that banks have a bug bounty on their head, the next person responded that bank transactions are reversible, which isn't entirely true in all cases.

I wasn't trying to compare sizes or anything like that.

j / k navigate · click thread line to collapse