The former governor of the Bangladesh central bank has claimed the Federal Reserve Bank of New York should be held accountable for its role in the successful cyber-heist which resulted in hackers stealing a massive $81m by exploiting money transfer systems.
Atiur Rahman, who resigned from his post after the full scope of the theft came to light, told The New York Times (NYT) that "Bangladesh should not be blamed for something going wrong in the chain" however admitted the scenario was a "systemic failure."
Rahman said: "If you want to take $500 out of your account in the US, you'll be asked several questions. But here, millions are going, and you're not asking any questions. [The NY Fed] should have immediately called someone in Bangladesh — the governor or someone.
"There was a terrible lack of efficiency from the Fed. We were sending mails, faxes, but there was no one to pick that up. We need a hotline."
In February, hackers exploited weak security at the Bangladesh bank to implant malware and compromise its connection to the Swift messaging system – used by over 10,000 banks around the world to communicate securely and transfer funds.
The criminals sent 35 transfer orders requesting that $951m (€841m, £647m) be sent from the Bangladesh Bank's account at the New York Fed to a number of accounts across the globe. In total, five of these were passed by the Fed, worth $101m, however one transfer of $20m was later stalled due to a spelling error on the request.
The investigation into the incident remains ongoing four months later, with the £81m still missing. Now, Rahman has moved to absolve himself of blame even though he was in charge during the time of the hack.
"Maybe someone's password was compromised," he told the NYT. "It was a departmental failure and not the fault of the governor. It was a high dosage attack, like a 15 on the Richter scale attack. Other parties could have helped or warned Bangladesh. As a governor, I'm not supposed to look at each and every small thing."
However, experts analysing the breach have gathered evidence that weak security at the Bangladesh bank played a key role aiding the hackers. As previously reported, investigators found the central bank was not using adequate firewalls and had cheap $10 routers connected to Swift.
For his part, Rahman remains adamant he took security seriously. "I made cybersecurity the top of the agenda," he claimed, adding it was simply "bad luck" the hack happened on his watch.
As the probe gathers pace, a separate inquiry by the Bangladesh government reportedly slams the bank for its cybersecurity procedures, according to south-east Asia's leading financial daily newspaper, the Business Times.
The paper spoke to an accounting employee at the bank, called Mizanur Rahman Bhuiyan, who disclosed that a number of critical red-flags were missed when the hack occurred – including failing to check the daily 'transfer confirmations' that print overnight. On this occasion, the printer was broken. "Investigators asked me why I didn't read the confirmation messages on the computer monitor when the printer wasn't working," said Bhuiyan. "That was not the practice here. In eight years of my career in this department, I have never read messages on the monitor."
Many missed opportunities
He added: "Even if I had checked the monitor for messages, I wouldn't have found anything. Hackers deleted all the logs from the computer." The Business Times notes this was only one of many missed opportunities missed due to faulty equipment or inadequate procedures.
In the report, which was completed in May this year however does not yet have a public release date, other lapses are said to include a worker disabling anti-virus software in the bank and staffers keeping a 'secret notebook' of ID numbers and passwords on a computer server.
The report allegedly identified six Bangladesh bank employees that made mistakes – including Bhuiyan – alongside contracted employees working to maintain the connection to the Swift network however officials have refused to say if they will be dismissed from the bank.
Meanwhile, officials from the Brussels-based Swift have said organisations that don't urgently update cybersecurity measures could face suspension. Chief executive Gottfried Leibbrandt told The Financial Times: "We could say that if the immediate security around Swift is not in order we could cut you off, you shouldn't be on the network. The days when you needed to break into a bank and carry guns and blow torches are over. You can now rob a bank from just your own PC and that does change the game completely."