SWIFT technicians left the Bangladesh central bank vulnerable to cyberattacks when they connected it to a new transaction system, authorities investigating the recent US$81 million cyber theft at the bank told Reuters.
If true, these new revelations should serve as a wake-up call to corporate treasurers and other finance professionals concerned about the security of SWIFT, in particular, and about cybersecurity, in general.
Both the Bangladesh police and a senior central bank official said in the Reuters article that when the technicians connected SWIFT to Bangladesh’s real-time gross settlement (RTGS) system, they opened the bank up to vulnerabilities.
“We found a lot of loopholes,” said Mohammad Shah Alam, head of the criminal investigation department of the Bangladesh police. “The changes caused much more risk for Bangladesh Bank.”
In a statement dated May 9, SWIFT said the allegations were “false, inaccurate and misleading” and “have no basis in fact.”
SWIFT said it was not responsible for any of the issues cited by officials, nor was it party to any related decisions. “As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment—starting with basic password protection practices—in much the same way as they are responsible for their other internal security considerations,” SWIFT said.
On May 10, representatives from SWIFT, Bangladesh Bank and the New York Federal Reserve Bank met in Switzerland to discuss the cyber fraud event. “President William Dudley from the New York Fed and Governor Fazle Kabir from the Bangladesh Bank attended the meeting,” a joint statement issued after the meeting reported.
“The parties provided details on the actions taken and exchanged information about the cyber and physical vulnerabilities illustrated by this event. All parties stated their concern over this event and their continued commitment to work together to normalize operations.”
“The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks,” said the joint statement.
Lessons for treasury
Magnus Carlsson, manager of treasury and payments at the Association for Financial Professionals (AFP), warned against jumping to conclusions before determining what exactly happened in this incident.
Certainly it is in the Bangladesh Bank’s best interest to point the finger at another entity amid this massive cyberfraud. But Carlsson added: “If this is the result of procedures not being followed, it is clear that when it comes to fraud, you can’t cut corners—the criminals don’t.”
If the allegations about the SWIFT technicians turn out to be true, the incident underscores the importance of treasury keeping a close eye on anywhere the money can move. Unfortunately, according to Craig Jeffery, managing partner for US consultancy Strategic Treasurer, many treasury departments aren’t doing that.
First, limiting access to certain systems is essential for treasury. “You don’t want to grant unfettered access,” Jeffery said. “It’s more important than ever that you understand who can come in and what the access points are.”
Jeffery stressed that no matter what third parties are brought in to install software—SWIFT, a treasury management system (TMS) provider, etc.—the onus is on treasury to make sure they don’t leave your systems vulnerable.
“If you grant them the rights to come in and work on your machine remotely and they leave it up—those are things that treasury is responsible for as a steward,” Jeffery said. “Treasury isn’t IT security, but they are in charge of protecting the accounts and making sure that the structure provides adequate defense.”
For treasury to have a proper security framework, it needs to be involved in and aware of what IT is doing to secure the exterior and the interior, he continued. “They need to know what those layers are, and need to know whether they’re adequate or not.”
Said Jeffery: “I think people have long been living without enough security, and treasury needs to take a leadership role. They’re ultimately responsible for protecting the liquid assets of the firm; and that involves people, IT and external providers—whether it’s SWIFT, their banks or different software providers.”
But is treasury generally taking that leadership role? Not that Jeffery has observed. However, he believes the Bangladesh Bank incident may be the wake-up call that treasury departments need.
“They need to take those steps to address this,” he said. “Every organization, US$500 million and up, should have a treasury security framework. They should identify the layers of security that they have in place, and they should be reviewing those because those standards will need to change over time. They need to make sure that the layers of security they have are protected.”
Fortunately, some treasurers do recognize their responsibility here. Patricia Hui, senior corporate treasury manager for Mentor Graphics Corporation and an AFP board member, noted that while her company is not a user of the SWIFT Alliance software, this incident sends a good message to all treasury departments about the importance of monitoring all financial transactions that are executed via TMS and/or banking portals.
“We must partner with IT to ensure our network is secured and all security updates are applied in a timely fashion. Employee education on fraud awareness and prevention is also critical,” she said.
The Bangladesh cyberfraud
According to the Reuters story, the RTGS system, which enables domestic banks and the central bank to settle large transfers between themselves, was installed at Bangladesh Bank in October 2015. Bangladeshi police said that the technicians connected the RTGS system to SWIFT computers that were on the same network as about 5,000 of the central bank’s other computers—all of which are accessible from the open internet.
What technicians typically do instead is set up a separate local area network (LAN) that cannot connect to the rest of the bank or the internet.
According to police, the technicians also did not install a firewall to block malicious traffic, and used an old, rudimentary networking switch to control access to SWIFT, as opposed to a more sophisticated one that would have given the bank the ability to control access to the network.
Furthermore, the technicians reportedly set up a wireless connection so that they could access computers in the locked SWIFT room from other offices within the bank while they worked. But once they were finished, they did not disconnect that remote access, and left it accessible through a single password.
Lastly, the technicians did not disable a USB port on the SWIFT computer. This made the computer vulnerable to malware that could be installed through a thumb drive. An anonymous central bank official told Reuters that this port was active until the heist was revealed.
Reuters has not been able to independently verify the allegations by the Bangladeshi officials, but noted that if they are true, the case could undermine confidence in the SWIFT network.
About the Author
Andrew Deichler is Editorial Manager at the Association for Financial Professionals, a US-headquartered professional society that represents finance executives globally. This article first appeared at afponline.org under the title "SWIFT-Bangladesh Bank Claims Are a Wake Up Call for Treasury." It was re-edited for clarity and conciseness, and updated with the latest SWIFT statement.
Copyright © 2016 Association for Financial Professionals. All rights reserved.