The vulnerabilities that allowed hackers to steal $81m (£56m) by carrying out a cyberattack on Bangladesh Bank, considered to be one of the biggest attacks so far, were introduced by Swift (Society for Worldwide Interbank Financial Telecommunication) technicians, Bangladesh police have alleged.
Mohammad Shah Alam, the head of the criminal investigation department of Bangladesh police, who is currently heading the investigation, said the technicians introduced loopholes while connecting the real-time gross settlement (RTGS) system to Swift. "We found a lot of loopholes. The changes caused much more risk for Bangladesh Bank," Reuters reported Alam as saying.
According to a Bangladesh Bank official, the technicians seemingly failed to ensure the security of the system. As a result, the messaging system at the bank was widely accessible without any firewalls and left with a rudimentary switch, the news agency's report says.
"It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done," the bank official said.
Bangladesh Bank officials have said the governor and a lawyer would discuss the recovery of the stolen $81m with the head of the Federal Reserve Bank of New York and a Swift executive.
The faulty connection that led to the cyberattack
There are about 8,000 banks across the globe that use Swift as a means for fund transfer and other communications. The messaging system is connected to the RTGS systems installed at the banks.
The RTGS enables the transfer of large amounts of money between domestic banks and the central bank. The system was installed at Bangladesh Bank in October 2015, after which it was connected to Swift. In February, the hackers sent fraudulent messages on the Swift system to the New York Fed to transfer about $1bn from Bangladesh Bank's account.
According to the police, the technicians linked RTGS to Swift computers on the same network that was connected to about 5,000 central bank computers. The technicians could have instead set up a separate local area network (LAN), without connecting it to the rest of the bank or the internet, the police have said.
Another flaw pointed out by the police is the lack of a firewall between the RTGS and Swift to block malicious traffic.
While making the connection between the RTGS and Swift, the technicians set up a wireless connection to access computers in the Swift room from other offices inside the bank. But they failed to disconnect the remote access that runs with a simple password.
They even failed to disable a USB port on the computer attached to the Swift system to prevent the installation of malicious software. The hackers are said to have used malware to modify the Swift messaging app.
The Bangladesh police are seeking interviews with the Swift technicians. "Whether it is intentional or negligence, we are trying to find out," Alam said.