Until October last year, all the international transactions of Bangladesh Bank were maintained by SWIFT security system. But it was customised in October last year to introduce Real Time Gross Settlement (RTGS) system with a view to bringing all the local banks and their branches under one umbrella.
Investigators dealing with the recent $101 million digital heist suspect that the SWIFFT system was weakened due to the customisation and linking it to the RTGS system without installing a strong firewall. For this, it became easier for the criminals to hack
the system.
The RTGS, a part of Bangladesh Bank’s automation system, is an advanced technology that facilitates interbank fund transfers on real time basis, for both local and foreign currency transactions. The central bank is able to monitor online all transactions of the local banks through the RTGS. On the other hand, the SWIFT system has only two ends where a bank has to contact with another using their own unique codes.
In early February, $101m of the Bangladesh Bank funds kept with the Federal Reserve Bank of New York was withdrawn illegally allegedly by hackers who had broken into the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system of the central bank.
The laundered money was moved via transfer requests, with about $81m ending up in some bank accounts in the Philippines. The other $20m went to an account in Sri Lanka. Another $850 million was supposed to be transferred to a personal bank account in the Philippines, but was blocked by the authorities.
Bangladesh Bank filed a case on Tuesday with Motijheel police and it was handed over to the Criminal Investigation Department immediately. The CID has formed a 20-strong committee led by Deputy Inspector General Saiful Alam to investigate the case.
The team started their work on Wednesday and visited the Bangladesh Bank headquarters. They spoke to senior officials of some departments and also seized some computers, printers and server for the sake of investigation.
According to the investigators, SWIFT is a strong security system that cannot be breached easily. When the central bank introduced the RTGS system last October, the security system needed to be customised too. The customisation of SWIFT was conducted without ensuring any strong security measure.
Although the bank claims that they made the changes as per directives of the SWIFT authorities, the investigators are yet to verify the information. The CID is now looking for the IT firm that customised the system and assessing involvement of its members in the heist.
DIG Saiful, who is coordinating the investigation, visited the central bank office with his team yesterday. After around a two-hour-long stay, he told reporters that they were assessing the existing security arrangements at the bank.
Asked about seeking foreign assistance for investigation, he said that they were in touch with the Federal Bureau of Investigation (FBI) members at the US Embassy in Dhaka and already sent a formal e-mail to Interpol.
He said that the CID team would sit with the FBI officials today at the former’s office.
In response to another query, he said that former governor Atiur Rahman would be questioned, if the investigation demanded.
About IT expert Tanvir Hasan Zoha who reportedly went missing on Wednesday night, Saiful said: “It is the police’s duty to find him. But if the family file a complaint to them after completing the legal procedure at the police station, we will see the matter.”
Additional Deputy Inspector General Md Shah Alam, also commandant of CID’s Forensic Training Institute (FTI), told the Dhaka Tribune that the account was definitely hacked.
He said introducing the RTGS system was not the problem. “The fault was not to install any strict security measures such as a strong firewall during the customisation. Only three of the 55 banks of the country use RTGS system.”
Shah Alam also said they would investigate the role of the company that had provided IT support last year and whether the customisation had been done in line with the directives of the SWIFT authorities.
“We are also investigating why the Federal Reserve Bank of New York released the five messages despite raising questions. If they could hold the 30 other messages, why did they not stop the five messages for three to five days more?”
He said they were collecting all necessary information on the matter and hoped to get a clear picture of the scam very soon.
