Bangladesh demands return of heist money from Philippines

A printer “error” helped Bangladesh Bank discover a transfer of nearly $1 billion from their account to bank accounts in the Philippines and Sri Lanka by hackers.

Photo by: Reuters
Photo by: Reuters

John Gomes, Bangladesh's ambassador to the Philippines, gestures during a money laundering hearing at a hotel in metro Manila, Philippines May 19, 2016.

The $81 million heist, which the experts have said has been one of the biggest in the history of cyber crimes, was carried out after the hacking of the computer of an official at Bangladesh’s central bank, a Bangladeshi diplomat confirmed on Thursday.

John Gomes, Bangladesh Ambassador to the Philippines, revealed this while briefing a Philippine panel investigating how the stolen $81 million from Bangladesh central bank ended up in Manila. He also said that the hackers were neither Filipino nor Bangladeshi. The envoy also demanded Philippines' authorities to immediately return millions of dollars recovered from this high-profile hacking theft. But Filipino officials warned that resolving the case could take months.

How Bangladesh’s $81 million heist money ended up in Manila?

On February 4, some hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than 36 requests to the Federal Reserve Bank of New York seeking to transfer nearly $1 billion from Bangladesh Bank's account to bank accounts in the Philippines and Sri Lanka.

The hackers managed to get $81 million sent to Rizal Commercial Banking Corporation in the Philippines with four different transfer requests and an additional $20 million sent to Pan Asia Banking in a single request. However, the Bangladesh Bank somehow managed to halt $850 million in other transactions. The $81 million was deposited into four accounts at a Rizal branch in Manila on February 4.

What role did ‘technicians’ play in the heist?

The Bangladeshi authorities had requested SWIFT (Society for Worldwide Interbank Financial Telecommunication) to help its police question technicians who made upgrades to the bank’s system to connect a new bank transaction system months before February's $81 million cyber heist. Bangladesh's Criminal Investigation Department (CID) sent an email to SWIFT on Monday saying that it wants to interview the technicians in Dhaka next week.

Investigators believe that the technicians introduced some security holes when they connected SWIFT to Bangladesh's first real-time gross settlement (RTGS) system.

"We have some specific and tangible evidence against the (SWIFT) technicians," said a CID official currently linked to the heist investigation. "They have to defend themselves. The technicians may have acted without the knowledge of SWIFT, in their personal capacity."

Who are those technicians?

Around half a dozen technicians, including some of whom are contract employees, were involved in installing and upgrading the new system at Bangladesh’s central bank. Bangladesh has also invited senior SWIFT officials to Dhaka who declined to be named because of the ongoing investigations. The names and nationalities could not be revealed due to the issue being a sensitive one.

The investigators believe that the technicians did not follow their own procedures to ensure the system was completely protected, this being the reason SWIFT messaging at the Bangladesh Bank became very easily accessible.

Bangladeshi authorities blame SWIFT

The Bangladeshi panel investigating the heist has accused SWIFT of making a number of mistakes in connecting up the local network. However, SWIFT has rejected the allegations. SWIFT claims its financial messaging system was secure and had not been breached by the hackers during the heist.

The RTGS, which enables domestic banks and the central bank to settle large transfers between themselves, was installed at Bangladesh Bank in October last year and then connected to SWIFT.

The “fandation” fiasco

One of the hackers misspelled “foundation” in the NGO's name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said. There is no such NGO with the name Shalika Foundation in Sri Lanka.

What is SWIFT?

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a consortium that operates a trusted and closed computer network for communication between member banks around the world.

Based in Brussels, the consortium was founded in 1970s. The National Bank of Belgium and a committee composed of representatives from the US Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan and other major banks oversee the affairs of SWIFT.

How does SWIFT work?

Financial institutions and brokerage houses that use SWIFT have codes to identify each institution as well as credentials that authenticate and verify transactions. With some 11,000 users, the SWIFT platform processes about 25 million communications a day, most of them money transfer transactions.

How a printer “error” revealed the heist?  

It was actually a printer “error” that helped Bangladesh Bank discover the heist. The bank’s SWIFT system is configured to automatically print out a record each time a money transfer request goes through. The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that were confirmed overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty. When bank workers tried to print the reports manually, they could not do so. The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered.

The investigation goes on

FireEye Inc., the company hired by the bank to conduct the forensics investigation, claimed to have identified digital fingerprints of hacking groups from Pakistan and North Korea. However, it has not found enough data to determine whether the third group, the actual culprit, was a criminal network or the agent of another nation.

Was it done through a USB port?

FireEye is yet to determine how the hackers first entered the bank’s network. One possibility is that malware was introduced into the network by someone inside the bank or a technician working with the bank. Malware can be introduced quickly onto a network by someone inside with something as simple as a thumb drive in an open USB port. The forensics investigation has not found any evidence of this so far.

Is it very easy?

Almost all the financial institutions in the world use online transaction networks to transfer money with ease.

The ease with which the hackers manipulated and hacked the interbank system and the significant resources used to create and customise the malware raise the possibility of more attacks against international institutions, people involved in the bank probe said.

The heist shocked the financial world

An advertising billboard of a cyber security company is seen during the annual Banking Vietnam 2016 forum in Hanoi, May 19, 2016.

The $81-million has shocked the financial world and made them review their cyber security measures. Major central banks including Bank of England, Sweden's Riksbank have instructed and issued warnings to their respective banks to enhance measures to secure computers connected to the SWIFT bank messaging network.

The Bank of England ordered its banks to conduct a "compliance check" to confirm whether they are following security practices recommended by SWIFT.

Sweden's Riksbank also called on all users of the central bank's RIX payments system to follow the SWIFT recommendations for large transactions. 

Singapore's central bank asked banks to maintain a high-level of security for their critical IT systems in the wake of recent cyber attacks. Meanwhile, regulators in the Philippines are busy crafting regulations to help banks and other financial institutions to avoid cyber heists and minimise damage after any systems' breach.

TRTWorld and agencies