Bangladesh’s central bank became more vulnerable to hackers when technicians from SWIFT, the global financial network, connected a new bank transaction system to SWIFT messaging three months before a $81 million cyber heist, Bangladeshi police and a bank official alleged.
The technicians introduced the vulnerabilities when they connected SWIFT to Bangladesh’s first real-time gross settlement (RTGS) system, said Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police who is leading the probe into one of the biggest cyber-heists in the world.
We found a lot of loopholes,
Alam said in an interview in Dhaka. “The changes caused much more risk for Bangladesh Bank.”
He and a senior central bank official said the SWIFT employees made missteps in connecting the RTGS to the central bank’s messaging platform.
The technicians did not appear to have followed their own procedures to ensure the system was secure, according to the Bangladesh Bank official, who said he was not authorized to publicly comment because of the ongoing investigation.
Because of this, SWIFT messaging at the central bank was widely accessible, including remote access with only a simple password, police said. It had no firewalls and only a rudimentary switch.
“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” said the bank official.
SWIFT’s chief spokeswoman Natasha de Teran said she had no comment on the allegations by authorities in Bangladesh. She also declined comment on any aspect of the Bangladesh project, including whether the firm had deployed any employees or outside contractors to Bangladesh Bank.
Bangladesh Bank officials have said they believed SWIFT, and the New York Fed, bear some responsibility for the February cyber heist. SWIFT has declined comment on that claim.