Just a couple weeks after a malware breach at SWIFT, which resulted in the theft of $81.0 million from the Bangladeshi central bank, blame for the attack has started to circle over the international payments network, given allegations that SWIFT technicians inadvertently facilitated vulnerabilities with a new transaction system, according to a recent Reuters report.
The new world of online trading, fintech and marketing – register now for the Finance Magnates Tel Aviv Conference, June 29th 2016.
Late last month, hackers managed to modify SWIFT’s client software, exposing several vulnerabilities across such a globally diverse system. The Bangladesh Bank attack in April also succeeded in manipulating SWIFT client software known as Alliance Access. This followed a previous attempt back in February in which cyber criminals tried to transfer upwards of $951 million from the Bangladeshi central bank’s account at the Federal Reserve Bank of New York.
Bangladeshi police are alleging that their systems were exposed to a greater threat of breaches after SWIFT technicians connected a new bank transaction system just three months before the $81.0 million heist.
More specifically, the genesis of the issue stems from the connection of SWIFT to Bangladesh’s first real-time gross settlement (RTGS) system. These sentiments were echoed by Mohammad Shah Alam, the acting Head of the Criminal Investigation Department of the Bangladesh police, who is also tasked with leading the probe into the heist.
Legal Risk Factor Beneath Ripple’s Lawsuit from SECGo to article >>
Shah Alam also stated that SWIFT employees conducted several missteps in connecting the RTGS to the central bank’s messaging platform, which does not appear to follow basic SWIFT procedure. Unfortunately, for the Bangladesh Bank, these lapses may have helped facilitate a breach, as there were no firewalls present and only a basic password protection measure in place.
“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” noted a Bangladesh bank official.
SWIFT’s RTGS helps enable domestic banks and central banks to settle and transfer large sums amongst themselves – this same module was installed at Bangladesh Bank back in October 2015, consequently being connected to SWIFT. While upwards of $1 billion from Bangladesh Bank’s account were initially targeted by the hacking, roughly $81.0 million was stolen and sent to a bank in the Philippines, the vast majority of which has not been accounted for.
For its part, SWIFT has stated that there is no inherent risk in its RTGS platform however, which has yet to report other issues or vulnerabilities of this caliber to date. Bangladeshi police reiterated their stance however, as the link between RTGS and SWIFT was lucid at best, and was integrated on the same network as 5,000 central bank computers that are currently accessible from the open internet.
Asleep at the Wheel?
Bangladeshi police pointed to the lapses conducted by SWIFT technicians during the process such as the failure to disconnect remote access measures, such that a simple password could bypass all security measures. The remote access was originally set up to help foster a wireless connection so that they could access computers in the locked SWIFT room and could work with other offices inside the bank during the setup.
Moreover, a USB port on the computer attached to the SWIFT system was also not disconnected, possibly creating a port of entry for malicious software. Bangladeshi police said they have asked SWIFT to facilitate interviews with the SWIFT technicians. “Whether it is intentional or negligence, we are trying to find out,” reiterated Shah Alam, in a recent statement on the matter.