Bloomberg Businessweek (North America)
Lies, Damned Lies, And More Statistics
Anyone with an interest in how research forms public policy should pay attention to p-values
Decisions affecting millions of people should be made using the best possible information. That’s why researchers, public officials, and anyone with views on social policy should pay attention to a controversy in statistics. The lesson: Watch out if you see a claim of the form “x is significantly related to y.”
At issue is a statistical test that researchers in a wide range of disciplines, from medicine to economics, use to draw conclusions from data. Let’s say you have a pill that’s supposed to make people rich. You give it to 30 people, and they wind up 1 percent richer than a similar group that took a placebo.
Before you can attribute this difference to your magic pill, you need to test your results with a narrow and dangerously subtle question: How likely would you be to get this result if your pill had no effect whatsoever? If this probability, or so-called p-value, is less than a stated threshold—often set at 5 percent—the result is deemed “statistically significant.”
The problem is, people tend to place great weight on this declaration of statistical significance without understanding what it really means. A low p-value doesn’t, for example, mean that the pill almost certainly works. Any such conclusion would need more information—including, for a start, some reason to think the pill could make you richer.
In addition, statistical significance isn’t policy significance. The size of the estimated effect matters. It might be so small as to lack practical value, even though it’s statistically significant. The converse is also true: An estimated effect might be so strong as to demand attention, even though it fails the p-value test.
These reservations apply even to statistical investigation done right. Unfortunately, it very often isn’t. Researchers commonly engage in “p-hacking,” tweaking data in ways that generate low p-values but actually undermine the test. Absurd results can be made to pass the p-value test, and important findings can fail. Despite all this, a good p-value tends to be a prerequisite for publication in scholarly journals. As a result,

The Great Bank Heist Of Bangladesh
Institutions in the developing world are most vulnerable to attacks by hackers
Over one weekend in February, hackers managed to extract tens of millions of dollars from Bangladesh’s central bank before anyone noticed. Now the bank’s in turmoil, its governor has resigned, and much of the cash is missing.
The scheme started when intruders inserted malware into Bangladesh Bank’s system in January. With information evidently gleaned from the attack, they were able to divert funds from the bank’s account at the New York Fed using the Swift messaging system. Officials only wised up when the thieves tried to move an additional $850 million to suspect accounts, and a routing bank noticed a comical spelling error in one request. By then, some $81 million was long gone.
Central banks in the developing world, without much in the way of digital security, are especially at risk. Bangladesh had amassed some $28 billion in foreign-currency reserves, and its central bank had alarmingly lax defenses—a hacker’s dream. Also, officials at Bangladesh Bank kept quiet for more than a month and never quite got around to informing the country’s finance minister. The pilfered cash made its way across the globe.
Cybersecurity, though boring, is everyone’s responsibility. (“I am not a technical person,” the now ex-governor of Bangladesh Bank said.) All too often, malicious hacks come down to simple human error. Making better use of encryption, access controls, and strong verification systems can help, but nothing can substitute for vigilance. Preventing hackers from moving the money they’ve siphoned off requires global cooperation. The thieves in this case laundered much of the cash through casinos in the Philippines. Not coincidentally, Filipino lawmakers have exempted casinos from anti-money-laundering requirements. Tightening restrictions would be wise. But there are still far too many places where lax laws, or chaos, provide a welcome home for dirty money.