Cyber theft of int’l reserve: Security Holes or Insider(s) Involvement?
By Shamsul Huq Zahid
Bangladesh’s banking sector was already reeling from the shocks of the Hall-Mark and BASIC Bank scams, but then came in a shock with a far greater dimension, quavering the Central Bank.
The attempt was made to rob Bangladesh of around $1 billion out of its reserves by taking advantage of weak surveillance in the glass-walled backroom (secure transactions room) of the Bangladesh Bank (BB). However, the international hackers were only successful in transferring $101 million. This led to the resignation of the BB Governor along with two of his deputies and a few more. More importantly, this incident which also involves the Federal Reserve Bank of New York, a few banks of the Philippines and Sri Lanka, has immensely dented the image of the Bangladesh’s banking system internationally.
The BB must be considering itself rather fortunate that the Fed had stopped payments against 30 transfer orders of the hackers on its suspicion. Had the Fed executed all the fake payment orders, Bangladesh would have lost nearly $1 billion.
Out the $101 million transferred successfully by the hackers $81 million entered four accounts held with Rizal Commercial Banking Corporation (RCBC) of the Philippines and $20 million deposited in an account of a non-governmental organization (NGO) in Sri Lanka. Bangladesh luckily retrieved $20 million sent to Sri Lanka simply because of misspelling of the word ‘Foundation’. However, the possibility of retrieving the fund that has gone to the Philippines remains very slim for it has, apparently, already left the country.
What is interesting is that all institutions down the chain, Bangladesh Bank in Dhaka, technology providers including Swift, New York Fed and banks in the Philippines, have denied fault in executing the ‘fake’ instructions to transfer millions of dollar from BB accounts with the New York branch of Fed. Swift has claimed its network had not been compromised and the Fed said there was no evidence that anyone had attempted to penetrate its systems in connection with the payments in question.
Leaving everybody, bankers at home and abroad, politicians in Bangladesh and the Philippines, stakeholders and the common citizens eager to know how the cyber criminals executed their plan. People are also wondering whether anyone at the BB’s transactions room was also involved in this cyber heist which sent tremors around the world among banks and corporations.
The malfunctioning of the printer at the transactions room of the BB detected on the 5th of February (Friday) last actually was the signal that the cyber criminals were transferring the fund. But the transactions room personnel did fail to read the signal and understand the fact that Bangladesh had become the victim of one of the most successful major bank robberies in the world history. The full picture of the crime emerged on 9th of February. But it was too late. The money transferred to the Philippines by the hackers made its way out of that country through its burgeoning casino industry that is exempted from anti-money laundering measures.
BB officials claim that cyber thieves have somehow inserted malicious software, known as malware, into the central bank’s computer system sometime back. However, there is strong suspicion that there was ‘insider involvement’.
There is no denying that the cyber theft of a part of the country’s reserve held with the Fed has sent tremors to all levels of the government and the banking industry. But a lot of drama unraveled when the scandal became public in the early part of March.
The local media first came to know from the Filipino daily, the Inquirer, about the heist. The BB kept the incident a secret and tried to hide it from almost everyone, including the Finance Minister. What remains a mystery is who were actually in the know of things from the beginning. The explanation given by the former Governor, Dr. Atiur Rahman, in support of the hiding of information about the cyber theft appeared to be untenable.
The incident also had brought to light the bitter relations between the incumbent finance minister and the immediate past BB governor. Undeniably, the former had valid reasons to feel aggrieved for not being informed of the cyber heist by the latter.
However, prior to any other steps, there is an urgent need to identify the people, if there were any, involved in the siphoning off the country’s hard-earned reserves through hacking. And, at the same, the BB must invest necessary funds for upgrading the cyber security systems in its transactions room to prevent the cyber thieves from making fresh attempts in the future. The Federal Reserve Bank of New York must also answer to at least one question: why did it not wait a bit for an answer from the BB’s end for the query it had made about transferring $101 million? The Fed can cite the use of the secured Swift system by the BB. But there was surely something that aroused suspicion in the minds of Fed people. Therefore, it should have waited for some more time before transferring the money.
It is difficult to predict the actions to be taken by our policymakers since they tend to forget even the gravest occurrences quickly. If they try to address it, they usually do it employing ad-hoc measures.
Nevertheless the relevant authorities should take lessons from the Philippines. The central bank, senate, anti-money laundering council (AMLC) and many other relevant agencies of that country are very concerned over the involvement of a local bank, remittance company and casino industry in the laundering of such a huge fund belonging to another country. They are quizzing the top officials of the RCBC, local businessmen and relevant others rather seriously and they are talking about regulatory and legal reforms to stop the recurrence of such an incident. The same level of activity, to be honest, is not visible in Bangladesh, the lone victim of the cyber heist in question.
Hackers targeted Bangladesh reserves for they detected holes in the security systems. The holes need to be plugged and the systems need to be made foolproof or else the hackers might strike again.
