Bangladeshi police and banking officials say that the connection of SWIFT messaging to a new bank transaction system could have led to the $81 million cyberheist at the central bank of Bangladesh. That change was made three months before the hack occurred.
The specific issue seems to have been with how SWIFT was connected with Bangladesh’s first real-time gross settlement (RTGS) system.
“We found a lot of loopholes,” noted Mohammad Shah Alam, head of the criminal investigation department of the Bangladesh police who is leading the probe into one of the biggest cyberheists in the world. “The changes caused much more risk for Bangladesh Bank.”
Officials noted that technicians linked the RTGS to SWIFT computers on the same network as about 5,000 central bank computers that are accessible from the open Internet. The preferred safety method would have involved setting up a LAN not accessible via the open Web.
Banking officials are further alleging that SWIFT diverted from its own standard operating procedures that guarantee the security and inaccessibility of the system. This left the system open to remote access with only a single password and had no firewall protection and only a rudimentary switch.
“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” said a bank official.
SWIFT’s chief spokeswoman, Natasha de Teran, offered no comment on the allegations or on any aspect of the Bangladesh project.
As of yet, there has been no independent verification of the claims made against SWIFT.
Bangladesh Bank officials have maintained that responsibility for the massive hack is somewhat shared by SWIFT and the New York Fed (where the funds were stolen from).
Former central bank Governor Mohammed Farashuddin, who is heading an internal probe by Bangladesh Bank into the heist, said SWIFT needed to review its technology in the wake of the heist.
“It seems to be a case of extreme carelessness,” he told Reuters. He declined to provide more details, saying a final report was due in the next few weeks.