The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has denied allegations that its technicians introduced security holes into the bank's network while connecting SWIFT to Bangladesh's first real-time gross settlement (RTGS) system.
“SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters. The accusations have no basis in fact,” the Brussels-based bank-owned cooperative in a statement posted on its website.
SWIFT says it “was not responsible for any of the issues cited by the officials, or party to the related decisions. As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment – starting with basic password protection practices – in much the same way as they are responsible for their other internal security considerations.”
Cyber criminals tried to make fraudulent transfers totaling US$951 million from the Bangladesh central bank's account at the Federal Reserve Bank of New York in February. Most of the payments were blocked, but US$81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
Discovery of malware
Following the hack, IT security expert BAE Systems say they had discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT's Alliance Access client software.
In a statement released after BAE’s revelations, SWIFT said it was aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. The malware is said to have been installed in the systems of the central bank of Bangladesh, which recently lost US$81 million to hackers.
"We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security," said SWIFT.
SWIFT stressed that its clients’ key defense continues to be the implementation of “appropriate security measures in their local environments to safeguard their systems.” Users themselves should put such protections in place “to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.”
SWIFT has announced the launch of a new facility designed to “assist customers in enhancing their security and to spot inconsistencies in their local database records.”