- Human error at central bank aided heist, interim report says
- Indian contractor also faulted for disarming security software
Most days, Mizanur Rahman Bhuiyan would arrive at the Bangladesh central bank’s accounts department to find a stack of printed money-transfer confirmations. On the first Friday of February, he found an empty printer tray.
Printer problems were so routine that Bhuiyan and other bank employees didn’t check their Swift bank-messaging terminal for the day’s money-transfer reports. Had they looked, they might have noticed a red flag: No transactions had been recorded overnight, because hackers had deleted the logs just hours earlier in a bid to steal $1 billion.
That was one missed opportunity among several that might have helped prevent or detect the world’s biggest cyber heist, according to a Bangladeshi government-commissioned inquiry. Other lapses: A contract worker disabled anti-virus software at the bank, while workers kept a “secret notebook” full of IDs and passwords on a server, according to a three-page summary of an interim report from the inquiry prepared in April. A final version of the report, which has not been made public, was completed in May.
“Safeguards in place against any cyber-attack were not adequate at all,” according to the summary.
For all the sophistication of the Bangladesh attackers -- who, among other tactics, disabled the printer attached to the Swift terminal -- human foibles played a central role in helping them spirit away $81 million, according to the summary, which was reviewed by Bloomberg. The intruders were effectively aided by errors and workarounds by central bank employees and contractors, some of them following rote work routines inside a state bureaucracy.
“Investigators asked me why I didn’t read the confirmation messages on the computer monitor when the printer wasn’t working,” Bhuiyan, the accounts and budgeting department employee, said from Dhaka in a June 9 telephone interview. “That was not the practice here. In eight years of my career in this department, I have never read messages on the monitor.”
The Bangladesh hack set global bankers on edge about the security of messages sent over Swift’s network, which connects 11,000 banks worldwide. The country’s government has blamed the messaging cooperative, saying a Swift worker enabled the attack by disabling antivirus software. Bangladesh has also said the Federal Reserve Bank of New York -- where the central bank’s funds were deposited -- should have caught all of the suspicious transfers.
Natasha de Teran, a spokeswoman for Swift, declined to comment on the report. She referred to a May statement in which Swift rejected Bangladeshi accusations that it was responsible for the compromise of the central bank’s security.
The New York Fed, which didn’t immediately respond to a request for comment, said in May that it continually assesses its internal controls and expects central banks to do the same. The security of the Swift channel depends on the security of its end users, it added.
Faster action by employees might have helped the bank foil the heist. According to the summary, it took five days, starting on Thursday, Feb. 4, for intruders to move the money from central bank accounts at the Federal Reserve Bank of New York through the global banking system and on to a remittance company in the Philippines.
The summary -- which identifies six central bank employees it says committed errors, including Bhuiyan -- heaps particular blame on the Indian engineer from a Swift-accredited computer company. Facing difficulties in November 2015 connecting the bank’s system to the Swift network, the engineer, Neela Vannan, removed the antivirus software, it said. That move probably let the hackers copy keystrokes of back-office workers so they could digitally impersonate the workers, the summary said.
Gokul Chandra Das, additional secretary at the Bank and Financial Institutions Division of the Finance Ministry, wouldn’t comment on what was in the final report or whether the six officials would be fired. He said the report would be published “at the right time,” without giving a date.
Vannan, who the summary said also copied the Swift user IDs and passwords of two bank officials, didn’t respond to multiple requests for comment via LinkedIn. Phone and e-mail messages left with the company listed on Vannan’s LinkedIn profile weren’t returned. It’s not clear whether Vannan was subcontracted by Swift or the bank.
“The central bank will act on any recommendation by the Finance Ministry, based on the final report,” central bank spokesman Subhankar Saha said by phone. He wouldn’t comment on the role of Vannan.
When Swift member banks need work done on their systems, they can either hire contractors directly or contact Swift to ask for a technician to be sent out. In the latter case, Swift can send its own employees or can subcontract the job, according to a person familiar with the procedures. That may have been the case with Vannan, whose LinkedIn account says he works for Nelito Systems Ltd., which has managed Swift installations for more than 100 customers, according to its website.
Vannan himself isn’t listed as a certified Swift specialist on the Belgian company’s website, though four other Nelito Systems engineers are named. Nelito officials didn’t respond to multiple voicemail and e-mail messages requesting comment.
‘We Have Evidence’
The interim report, which was prepared six weeks before a final report was delivered on May 30 to Bangladesh’s finance minister, doesn’t say who took the money. It’s possible that the final report provides more insight on the hackers and steps that could have been taken to thwart them.
The interim report and final report both fault Swift in large part for making the network vulnerable. “Swift is mainly responsible for the theft. At the same time, the New York Fed is no less responsible,” Mohammed Farashuddin, a former central bank governor who is leading the government panel on the Bangladesh bank heist, told Bloomberg by phone on June 9, referring to the final investigation report. “We have evidence.”
It’s unclear from the summary whether that evidence goes beyond disconnecting the antivirus software. Farashuddin wouldn’t comment further.
Teran, the Swift spokeswoman, declined to talk about the report or Farashuddin’s statement, referring to the company’s May 9 statement that called such allegations “baseless.”
The Bangladesh episode underscores the wide variation in security policies and decision-making at banks. Employees at the Bangladesh bank relied on physical printouts to see if payments were made and thought little of not getting confirmations because printer malfunctions were so frequent, according to the initial police report filed by Zubair Bin Huda, the other co-director of the accounts and budgeting department.
As for whether central bank employees should have checked their Swift monitor after they found no printouts of transactions, Bhuiyan said: “Even if I had checked the monitor for messages, I wouldn’t have found anything. Hackers deleted all the logs from the computer.”
Workers in the department didn’t immediately inform their supervisors about the printer problems, according to the summary report.
By contrast, large banks -- which routinely process thousands of Swift messages a day -- automate the operation so that confirmations or so-called not-acknowledged messages are routed to back-office software that checks them against payment orders and issues immediate red flags if the two sides don’t match, according to a person familiar with those systems.