At a financial conference in Frankfurt, SWIFT's chief executive, Gottfried Leibbrandt, claims that the cooperative’s payment network was not hacked in the $81 million heist on the Bangladesh central bank in February.
"At the end of the day we weren’t breached, it was from our perspective a customer fraud," says Leibbrandt. "I don’t think it was the first, I don’t think it will be the last."
Cyber criminals tried to make fraudulent transfers totaling US$951 million from the Bangladesh central bank's account at the Federal Reserve Bank of New York in February. Most of the payments were blocked, but US$81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
Following the hack, IT security expert BAE Systems say they had discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT's Alliance Access client software.
In a statement released after BAE’s revelations, SWIFT said it was aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. The malware is said to have been installed in the systems of the central bank of Bangladesh, which recently lost US$81 million to hackers.
"We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security," said SWIFT.
SWIFT has also denied allegations that its technicians introduced security holes into the bank's network while connecting SWIFT to Bangladesh's first real-time gross settlement (RTGS) system.
“SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters. The accusations have no basis in fact,” the Brussels-based bank-owned cooperative in a statement posted on its website.
SWIFT says it “was not responsible for any of the issues cited by the officials, or party to the related decisions. As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment – starting with basic password protection practices – in much the same way as they are responsible for their other internal security considerations.”