The Criminal Investigation Department (CID) has almost completed collecting information from Bangladesh Bank in the heist investigation and will start interrogating possible suspects once they analyse the gathered information.
CID Special Superintendent Mirza Abdullahel Baqui told the Dhaka Tribune yesterday that the agency had worked at the central bank the entire day.
Meanwhile, sources said the central bank had been violating a standard practice for SWIFT messaging, which may have made the system vulnerable.
In early February, some $101m of the Bangladesh Bank funds kept with the Federal Reserve Bank of New York was illegally withdrawn, allegedly by hackers who had broken into the SWIFT system.
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication, a worldwide interbank communications network that is used to send messages for financial transactions. It has been confirmed that perpetrators of the heist were in control of Bangladesh Bank's SWIFT servers for two entire days, February 5 and 6.
A highly placed source at CID said while collecting information, investigators had found that Bangladesh Bank had ten persons authorised to get into the SWIFT server.
In standard practice, three personnel complete the process of sending a message over SWIFTNet using SWIFTNet Link (SNL). These personnel are assigned three roles – the creator/maker, the verifier, and the authoriser/authenticator.
Ideally they should be three different persons and should depend on each other to complete the whole process. But CID found that each of the ten authorised personnel knew all three steps of the entrance.
Also, whereas the standard practice is to use three computers to complete the process, CID found that the work was done at a single terminal.
Sources said CID was yet to confirm whether the hacking was done from within the central bank, the country or abroad.
Replying to a query, SS Baqui said 27 people work at the SWIFT section and four of them were at work on February 4.
Asked about the standard procedures for SWIFT messaging, Abul Kalam Azad, the joint secretary of SWIFT User Group of Bangladesh, an association of local banks using the SWIFT system, said, “The three steps should be performed by three different persons. If that's not possible, it should be performed by at least two persons, so that no one can access the system from anywhere else.”
Azad, also the head of payment, international division of ICB Islamic Bank Ltd, told the Dhaka Tribune that the other crucial security measure is to isolate the authorised computers.
According to the source, the central bank did not have an isolated terminal for SWIFT. However, since the heist the bank has begun to follow the standard practices.
Asked whether INTERPOL had given any reply, CID spokesperson Baqui said it would take some time.
Another source said investigators were preparing to visit Sri Lanka and the Philippines, the countries where the funds were sent out to, so that they could find the beneficiaries of the laundered money. The arrest of criminals there would help identify their Bangladeshi partners, if any, the source said.
Investigators were particularly hopeful of the lead in Sri Lanka, where the money was sent out to Shalika Foundation, a local NGO.
The money laundered from the New York Fed was moved via transfer requests, with about $81m ending up in four bank accounts in the Philippines. The other $20m went to an account in Sri Lanka. Another $850 million was supposed to be transferred to a personal bank account in the Philippines, but was blocked by the authorities.
A 20-member special team under the CID's Deputy Inspector General (DIG) Saiful Alam is investigating the case. The team started working on March 16.


