Lies, Damned Lies, And More Statistics

Anyone with an interest in how research forms public policy should pay attention to p-values

Decisions affecting millions of people should be made using the best possible information. That’s why researchers, public officials, and anyone with views on social policy should pay attention to a controversy in statistics. The lesson: Watch out if you see a claim of the form “x is significantly related to y.”

At issue is a statistical test that researchers in a wide range of disciplines, from medicine to economics, use to draw conclusions from data. Let’s say you have a pill that’s supposed to make people rich. You give it to 30 people, and they wind up 1 percent richer than a similar group that took a placebo.

Before you can attribute this difference to your magic pill, you need to test your results with a narrow and dangerously subtle question: How likely would you be to get this result if your pill had no effect whatsoever? If this probability, or so-called p-value, is less than a stated threshold—often set at 5 percent—the result is deemed “statistically significant.”

The problem is, people tend to place great weight on this declaration of statistical significance without understanding what it really means. A low p-value doesn’t, for example, mean that the pill almost certainly works. Any such conclusion would need more information—including, for a start, some reason to think the pill could make you richer.

In addition, statistical significance isn’t policy significance. The size of the estimated effect matters. It might be so small as to lack practical value, even though it’s statistically significant. The converse is also true: An estimated effect might be so strong as to demand attention, even though it fails the p-value test.

These reservations apply even to statistical investigation done right. Unfortunately, it very often isn’t. Researchers commonly engage in “p-hacking,” tweaking data in ways that generate low p-values but actually undermine the test. Absurd results can be made to pass the p-value test, and important findings can fail. Despite all this, a good p-value tends to be a prerequisite for publication in scholarly journals. As a result,

The Great Bank Heist Of Bangladesh

Institutions in the developing world are most vulnerable to attacks by hackers

Over one weekend in February, hackers managed to extract tens of millions of dollars from Bangladesh’s central bank before anyone noticed. Now the bank’s in turmoil, its governor has resigned, and much of the cash is missing.

The scheme started when intruders inserted malware into Bangladesh Bank’s system in January. With information evidently gleaned from the attack, they were able to divert funds from the bank’s account at the New York Fed using the Swift messaging system. Officials only wised up when the thieves tried to move an additional $850 million to suspect accounts, and a routing bank noticed a comical spelling error in one request. By then, some $81 million was long gone.

Central banks in the developing world, without much in the way of digital security, are especially at risk. Bangladesh had amassed some $28 billion in foreign-currency reserves, and its central bank had alarmingly lax defenses—a hacker’s dream. Also, officials at Bangladesh Bank kept quiet for more than a month and never quite got around to informing the country’s finance minister. The pilfered cash made its way across the globe.

Cybersecurity, though boring, is everyone’s responsibility. (“I am not a technical person,” the now ex-governor of Bangladesh Bank said.) All too often, malicious hacks come down to simple human error. Making better use of encryption, access controls, and strong verification systems can help, but nothing can substitute for vigilance. Preventing hackers from moving the money they’ve siphoned off requires global cooperation. The thieves in this case laundered much of the cash through casinos in the Philippines. Not coincidentally, Filipino lawmakers have exempted casinos from anti-money-laundering requirements. Tightening restrictions would be wise. But there are still far too many places where lax laws, or chaos, provide a welcome home for dirty money.

