Investigations in Bangladesh into the electronic theft of $81 million from the country’s central bank have zeroed in on some technicians from the bank, bolstering the claim of the local Rizal Commercial Banking Corp. (RCBC), through which the pilfered funds were channeled, that it did nothing wrong.
RCBC said in an earlier statement that the Bangladesh Bank was to blame for the heist, and so any liability should not be passed on.
Information technology (IT) technicians of Bangladesh Bank were suspected to have hooked up their transactions system to the public Internet, giving hackers access, Mohammad Shah Alam, a Bangladesh police deputy inspector-general who is heading investigations in Dhaka, said.
Alam said investigations have focused on why a password token protecting the SWIFT international transactions network at Bangladesh Bank was left inserted in the SWIFT server for months leading up to the heist. It is supposed to be removed and locked in a secure vault after business hours each day.
The failure to remove the token allowed hackers to enter the system when it was not being monitored, first to infect it with malware and then to issue fake transfer orders, he said.
Alam’s comments followed months of assertions by Bangladesh authorities that central bank officials were guilty of nothing more than negligence in the heist, in which the hackers moved money out of the bank’s account at the Federal Reserve Bank of New York and sent it to individual accounts in RCBC.
Bangladesh Bank Spokesman Subhankar Saha declined comment on the investigation. He said the bank has not been told of any plans to detain any of its employees.
No suspects in the Bangladesh central bank, however, had been arrested, Alam said, because the investigations were incomplete.
They were under watch and their movements monitored, but he was awaiting “specific information” on any communications they may have had with the hackers or with those who received the funds.
Help has been sought from police in the Philippines, Japan, Sri Lanka and China — countries where the hackers are believed to have links, he said.
Alam said the investigation had shown that central bank IT technicians were most likely to have provided the inside help.
“There were a number of other things, which if the Bangladesh Bank people had not done, the hacking would not have been possible,” he told publications in Bangladesh.
Alam said he believed the IT technicians connected the Bangladesh central bank’s SWIFT network to the public Internet last year while linking the network to the bank’s domestic payments system, the Real Time Gross Settlement System (RTGS). SWIFT is used only for international transactions.
Linking it to the Internet made the highly secure network accessible from any outside computer.
The work on linking SWIFT to the RTGS was supervised by SWIFT contractors but carried out by Bangladesh Bank technicians, Alam said.
It was not known who was responsible for leaving the token that was supposed to protect the SWIFT system inserted in the server, Alam added.
At least half-a-dozen bank officials shared responsibility for safekeeping of the token, he said.
Once in the system, the hackers introduced six types of malware, which captured keystrokes and screenshots and also delayed detection of fraudulent transactions, a separate report by FireEye Inc’s Mandiant forensics division, which investigated the heist, stated.
The malware was customized for Bangladesh Bank’s systems, Alam said, adding that someone must have provided the hackers with technical details about the central bank’s computer network.
On the evening of Feb 4, the hackers initiated fake transfer orders that sought to move nearly $1 billion from Bangladesh Bank’s account at the New York Fed, mostly to accounts at RCBC.
They needed two types of passwords to carry out the transactions – the hardware token and additional credentials used by bank officials. These password credentials were either given to them by someone or were captured from previous transactions by the malware that logged keystrokes, Alam said.
Many of the transfer orders initiated by the hackers were blocked or reversed by intermediary banks, but $81 million made it to accounts in fake names at RCBC. Most of the funds then disappeared into the country’s loosely regulated casino industry and have not been tracked down since.
The Anti-Money Laundering Council (AMLC) has accused seven RCBC officials of money laundering in a complaint filed at the Department of Justice.
The council has also filed complaints of money laundering against Kim Wong, a long-time RCBC client and a casino owner and agent in Manila, an associate of his and the owners of remittance agency Philrem. No links with the heist have been proven and no one has been arrested.
“The statement of the Bangladesh investigator indicating acts of criminal negligence on the part of certain Bangladesh Bank officials validates what RCBC had been saying all along, and that is that Bangladesh Bank’s own acts are the cause of its own loss,” RCBC’s lawyer Thea Daep said in a statement. “They cannot pass on liability to RCBC that had nothing to do with the theft of the funds.”
Daep said RCBC would study legal options to see if Bangladesh Bank can be sued in court for making the accusations.
LUIS LEONCIO
The Market Monitor Minding the Nation's Business