SWIFT technicians left Bangladesh Bank vulnerable to hackers

It is becoming clearer by the day that SWIFT technicians left Bangladesh Bank's system vulnerable to hackers. Bangladesh's central bank became more vulnerable to hackers when technicians from SWIFT, the global financial network, connected a new bank transaction system to SWIFT messaging three months before an $81 million cyber heist, Bangladeshi police and a bank official alleged.

Technicians from SWIFT (Society for the Worldwide Interbank Financial Telecommunication) connected a new bank transaction system to SWIFT messaging three months before the $81 million cyber heist, and it was at that point that Bangladesh Bank became more vulnerable to hackers.

Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police, who is leading the probe into one of the biggest cyber-heists in the world, said the vulnerabilities were introduced by the technicians as they linked SWIFT to Bangladesh's first real-time gross settlement (RTGS) system.

“We found a lot of loopholes,” Alam said in an interview in Dhaka. “The changes caused much more risk for Bangladesh Bank.”

A senior central bank official said the SWIFT employees made errors in connecting the RTGS to the central bank’s messaging platform.

According to the Bangladesh Bank official, the technicians did not appear to have followed their own process to make sure that the system was secured. He added that he was not authorized to comment publicly because of the ongoing investigation.

As a result, SWIFT messaging at the central bank was widely accessible, including remote access protected by only a simple password, police said. It had no firewalls and only a rudimentary switch.

“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” said the bank official.

Natasha de Teran, SWIFT's chief spokeswoman, said she had no comment on the allegations by authorities in Bangladesh. She declined to comment on any aspect of the Bangladesh project, including whether the firm had sent any employees or outside contractors to Bangladesh Bank.

The officials from Dhaka discussed their findings with Reuters ahead of a meeting this week in Basel, Switzerland, where, Bangladesh Bank officials have said, their governor and a lawyer appointed by the bank will discuss recovery of the roughly $81 million stolen by the hackers with the head of the Federal Reserve Bank of New York and a senior executive from SWIFT.

Officials of Bangladesh Bank said they believed SWIFT and the Federal Reserve Bank of New York should bear some responsibility for the cyber heist that occurred in February. SWIFT has declined comment on that claim.

“NO INHERENT RISK”

Bangladesh Bank installed the RTGS (real-time gross settlement) system in October last year, which enables domestic banks and the central bank to settle large transfers between themselves, and then connected it to SWIFT.

Hackers attempted to steal $951 million from the Bangladesh central bank's account on February 4 and 5, when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's system, observe how transfers are done and gain access to the bank's credentials for payment transfers, which they used to send about three dozen requests to the FedBank to transfer funds to Sri Lanka and the Philippines.

Thirty transactions worth $851 million were blocked by the banking system, but five requests were granted: $20 million to Sri Lanka (later recovered) and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos, and some of it was later transferred to Hong Kong.

A spokesman for Bangladesh Bank declined comment on the investigation into the heist.

He said, however, that RTGS continued to work well, noting that a large number of countries use SWIFT messaging for similar systems. “There is no inherent risk in this,” he said.

Bangladeshi police said the technicians linked the RTGS to SWIFT computers on the same network as about 5,000 central bank computers that are accessible from the open Internet.

Police further added that, when installing a networking switch to connect to SWIFT, the technicians chose to use a rudimentary old one they had found unused in the bank, rather than a more sophisticated managed switch that would have given the bank the ability to control access to the network.

The technicians also failed to install a firewall between the RTGS and the SWIFT room so that the bank could block malicious traffic from coming into the facility.

REMOTE ACCESS

Police and bank officials said that the technicians created a wireless connection so they could access computers in the locked SWIFT room from other offices inside the bank while performing the job. But they failed to disconnect the remote access, which was secured only with a simple password.

They also failed to disable a USB port on the computer attached to the SWIFT system, as is usual for critical networks, to prevent malicious software from being installed through a tainted thumb drive, police added.

Another central bank official familiar with the SWIFT room operations confirmed that the port was "active" until the heist came to light. He had no explanation.

The hackers used malicious software to modify the SWIFT messaging software to help hide their tracks.

Bangladeshi police said they have asked SWIFT to facilitate interviews with the SWIFT technicians. “Whether it is intentional or negligence, we are trying to find out,” said Alam.

As of September 2010, SWIFT linked more than 9,000 financial institutions in 209 countries and territories, who were exchanging an average of over 15 million messages per day (compared to an average of 2.4 million daily messages in 1995). SWIFT transports financial messages in a highly secure way but does not hold accounts for its members and does not perform any form of clearing or settlement.

New York Fed executive Richard Dzina said at a conference last week that bank workers “acted properly” in releasing the funds. The system was penetrated, he said, because the hackers had acquired valid credentials to order the transfers.

However, the U.S. FBI, which is leading investigations into the case, has made no comment so far.
