A band of hackers chose the weekend in four countries as the
opportune moment to break into Bangladesh Bank's systems to steal its
money deposited in an account with the New York Federal Reserve Bank.
The weekly two-day bank holiday starts in Bangladesh at Thursday
midnight and a day later in the US, the Philippines and Sri Lanka.
Knowing that there would be no mutual correspondence immediately,
around midnight of February 4, a Thursday, the hackers forwarded fake
payment orders of the BB.
A total of 35 orders were sent, one after another, which raised the alarm bells of the New York Fed's payment system.
A finance ministry official said the New York Fed deemed the 35
payment orders suspicious and sent queries about them to the BB, but
since it was the weekend a response could not be sent promptly.
Although payments against the orders were suspended, five of them
slipped through, making the hackers $101 million richer. Of the amount,
$81 million were wired to two banks in the Philippines and $20 million
to a bank in Sri Lanka.
Bangladesh is now mulling a legal battle against the New York Fed as
it cleared the payment orders before receiving any reply from the BB.
Sources said the BB would consult the issue with lawyers in the US and file a case if it found any valid grounds.
Yesterday, Finance Minister AMA Muhith said the New York Fed could not evade its responsibilities over the transfer.
Wishing anonymity, a deputy governor of the BB said the New York Fed
failed to do due diligence in dealing with the hacking threat.
However, the New York Fed denied that its payment systems were breached, Reuters reported on Monday.
“To date, there is no evidence of any attempt to penetrate Federal
Reserve systems in connection with the payments in question, and there
is no evidence that any Fed systems were compromised,” said its
spokesperson Andrea Priest in response to queries about the claim.
In all, the BB has around $28 billion in foreign currency reserves.
Of the sum, nearly a third is in the form of liquid assets with the
Federal Reserve Bank in the US and the Bank of England. The rest is
invested in bonds and gold.
A portion of the liquid assets are kept in current accounts in either
of the central banks of the US or the UK to make loan repayments.
The money that was stolen was kept in a current account with the New York Fed.
At its Motijheel headquarters, the BB has a front office called Forex
Reserve & Treasury Department that decides how and where the
central bank's reserves will be kept and used. The decisions are sent to
the Budget & Account Department, known as back office, also located
at the BB office.
Upon receiving the payment order from the front office, the back
office completes various procedures before making the final payment
request through SWIFT, the global provider of secure financial
messaging.
More importantly, three individuals officially known as maker,
checker and authoriser work independently before the final payment
request is made.
Each of the three officials work on separate computers, have passwords and must retype any order anew to be sent.
Under a normal situation, the payment request cannot be made from any other computer even if the passwords are stolen.
After the hacking, the central bank appointed a cybercrime expert
with experience of working with the World Bank. Under his leadership, a
forensic expert team has also started investigations.
The team has examined the computers and related equipment and is yet to find any involvement of anyone at the back office.
It is highly likely that Bangladesh's payment system has been hacked,
and it was done from outside the country, said a finance ministry
official.
The team is now seeing whether the SWIFT system has been hacked, added the official.
The BB has recently introduced real-time gross settlement and other
modern technologies for quick service delivery -- and all these systems
use SWIFT.
The forensic investigation team is now looking at how the system was hacked and the money stolen.
Before anything concrete is known, the investigation has to be finished first, said the official.
Bangladesh Bank Governor Atiur Rahman said digital transactions were
on the rise throughout the world and cybercrime gangs were taking
advantage of the loopholes in technology to launder money.
“Bangladesh is not out of bounds of cyber attacks,” he said at a
conference in Habiganj on Sunday, adding that the entire financial
sector would have to be more active in risk management.
Meanwhile, the BB has succeeded in recovering the $20 million that
flew into Sri Lanka, due to quick correspondence with a bank in the
island nation.
Of the rest $81 million, a big portion has been frozen following talks with two banks in the Philippines.
A BB official said the central bank would be able to recover a big chunk of the money.
