Black Friday is Now! Don’t miss out on up to 60% OFF InvestingProCLAIM SALE

Exclusive - Technicians from SWIFT left Bangladesh Bank exposed to hackers - police

Published 09/05/2016, 02:20
© Reuters. Commuters pass by the front of the Bangladesh central bank building in Dhaka

By Sanjeev Miglani, Serajul Quadir and Jim Finkle

DHAKA/BOSTON (Reuters) - Bangladesh's central bank became more vulnerable to hackers when technicians from SWIFT, the global financial network, connected a new bank transaction system to SWIFT messaging three months before a $81 million cyber heist, Bangladeshi police and a bank official alleged.

The technicians introduced the vulnerabilities when they connected SWIFT to Bangladesh's first real-time gross settlement (RTGS) system, said Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police who is leading the probe into one of the biggest cyber-heists in the world.

    "We found a lot of loopholes," Alam said in an interview in Dhaka. "The changes caused much more risk for Bangladesh Bank."

He and a senior central bank official said the SWIFT employees made missteps in connecting the RTGS to the central bank's messaging platform.

The technicians did not appear to have followed their own procedures to ensure the system was secure, according to the Bangladesh Bank official, who said he was not authorised to publicly comment because of the ongoing investigation.

Because of this, SWIFT messaging at the central bank was widely accessible, including remote access with only a simple password, police said. It had no firewalls and only a rudimentary switch.

"It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done," said the bank official.

    SWIFT's chief spokeswoman Natasha de Teran said she had no comment on the allegations by authorities in Bangladesh. She also declined comment on any aspect of the Bangladesh project, including whether the firm had deployed any employees or outside contractors to Bangladesh Bank.

Reuters was not able to independently verify the allegations by Bangladeshi officials about the SWIFT technicians. If they are validated, however, that could undermine confidence in the cooperative that is the backbone of global financial transactions.

The officials in Dhaka discussed their findings with Reuters ahead of a meeting this week in Basel, Switzerland where Bangladesh Bank officials have said their governor and a lawyer appointed by the bank will discuss recovery of about $81 million stolen by the hackers with the head of the Federal Reserve Bank of New York and a senior executive from SWIFT.

Bangladesh Bank officials have said they believed SWIFT, and the New York Fed, bear some responsibility for the February cyber heist. SWIFT has declined comment on that claim.

"NO INHERENT RISK"

The RTGS, which enables domestic banks and the central bank to settle large transfers between themselves, was installed at Bangladesh Bank in October last year and then connected to SWIFT. In February, hackers sent fraudulent messages, ostensibly from the central bank in Dhaka, on the SWIFT system to the New York Fed seeking to transfer nearly $1 billion from Bangladesh Bank's account there.

Most of the transfers were blocked but about $81 million was sent to a bank in the Philippines and much of that money remains missing.

A spokesman for Bangladesh Bank declined comment on the investigation into the heist.

He said, however, that RTGS continued to work well, noting that a large number of countries use SWIFT messaging for similar systems. "There is no inherent risk in this," he said.

    According to the Bangladeshi police, the technicians linked the RTGS to SWIFT computers on the same network as about 5,000 central bank computers that are accessible from the open Internet.

Instead, they should have set up a separate local area network, or LAN, that could not connect to the rest of the bank or the Internet, police said.

The technicians also failed to install a firewall between the RTGS and the SWIFT room so that the bank could block malicious traffic from coming into the facility.

    When they installed a networking switch to control access to SWIFT, they chose to use a rudimentary old one they had found unused in the bank, rather than a more sophisticated, managed switch that gave the bank the ability to control access to the network, police said.

    

REMOTE ACCESS

During the job, the technicians set up a wireless connection so they could access computers in the locked SWIFT room from other offices inside the bank. When they finished, they failed to disconnect the remote access, which was only secured with a simple password, police and the bank official said.

    They also failed to disable a USB port on the computer attached to the SWIFT system, as is usual for critical networks to prevent malicious software from being installed through a tainted thumb drive, police said.

Police did not provide any evidence for any of the assertions.

But another central bank official familiar with the SWIFT room operations confirmed that the port was "active" until the heist came to light. He had no explanation.

The hackers used malicious software to modify the SWIFT messaging software to help hide their tracks.

Bangladeshi police said they have asked SWIFT to facilitate interviews with the SWIFT technicians. "Whether it is intentional or negligence, we are trying to find out," said Alam.

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is used by about 8,000 banks around the world to order funds transfers and other communications. It is connected to RTGS systems installed at scores of banks worldwide, and there have been no reports of problems elsewhere with connections between those two systems.

The U.S. FBI, which is leading investigations into the case, has made no comment so far.

New York Fed executive Richard Dzina said at a conference last week that bank workers "acted properly" in releasing the funds. The system was penetrated, he said, because the hackers had acquired valid credentials to order the transfers

Former central bank governor Mohammed Farashuddin, who is heading an internal probe by Bangladesh Bank into the heist, said SWIFT needed to review its technology in the wake of the heist.

© Reuters. Commuters pass by the front of the Bangladesh central bank building in Dhaka

"It seems to be a case of extreme carelessness," he told Reuters. He declined to provide more details saying a final report was due in the next few weeks.

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.