Debugging for security vulnerabilities

In what is considered to be the most damaging financial cyberattack in history, hackers targeting the Bangladesh central bank were able to steal roughly $81m (£56m, €71m) in a scheme that was previously thought to have involved a crack team of Ocean's Eleven-style fraudsters.

Yet evidence has emerged, courtesy of Reuters, which claims the troubled bank was failing to use even the most basic security standards at the time of the incident. This included not using a firewall to protect its computer networks and relying on cheap second-hand switches (routers) costing as little as $10 (£7) to connect to the secure 'Swift' messaging system that was reportedly exploited in the cyberattack.

"It could be difficult to hack if there was a firewall," Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, told Reuters in an interview. The police official added the lack of sophisticated 'switches' has made it extremely difficult for investigators to find out how the culprits infiltrated the system or where they were located.

This is a case that has involved high-profile resignations of banking officials and even an abduction. However, the hack itself will likely go down in history for being thwarted by a typo.

The incident occurred in early February when cybercriminals – who remain at large – attempted to steal a massive $951m from the Bangladesh bank's account at the Federal Reserve in New York. The hackers were able to take control of the bank's network, steal credentials for the Swift messaging system and then use malware to attack the computers used to authorise transactions. Eventually, the stolen funds were traced to accounts and casinos based in the Philippines. The full picture, however, is still to come to light.

Fresh developments show that police now believe both the Bangladesh bank and the Brussels-based Swift could have done more to stop the hacking. Referencing Swift, the chief investigator on the case said: "It was their responsibility to point it out but we haven't found any evidence that they advised before the heist."

Former Bangladesh Central Bank governor Atiur Rahman said the hack was 'like a military attack' and he had no idea where it originated. (Image: Flickr/International Monetary Fund)

Meanwhile, a spokesperson for the Bangladesh bank said Swift officials had advised the institution to upgrade its technology – but only after an inspection carried out after the money had been stolen. "There might have been a deficiency in the system in the Swift room," said spokesman Subhankar Saha, who also confirmed that the technology was old and needed to be upgraded. He added: "Two [Swift] engineers came and visited the bank after the heist and suggested to upgrade the system."

Security experts have expressed shock that the bank was using such under-prepared technology to protect its customers' funds. "You are talking about an organisation that has access to billions of dollars and they are not taking even the most basic security precautions," Jeff Wichman, a consultant with cyber firm Optiv, told Reuters.

So far, Swift has remained quiet about the cyberattack, and declined to comment on the latest development. In a previous statement, it said the attack was related to an "internal operational issue" and that its core messaging system was not compromised. For now, the investigation continues. Most recently, Bangladesh police said it had identified 20 foreign suspects believed to have played a part in the hacking. They consist of 12 Philippine nationals and eight Sri Lankans, the police confirmed.