A breach at Bangladesh Bank has cost the bank USD 81 million, its governor and two of the deputies, not to mention the loss of reputation in being classified as “very incompetent”.1 Termed as the biggest cyber heist, the incident has thrown open a puzzle which bankers, security experts and law enforcement agencies are trying to untangle.
The events after Friday, 5 February, unfolded in a dramatic fashion, nothing less than a Hollywood movie, involving banks, casinos, computers and millions of dollars. On 5 February, the printer in the secure transactions room at Bangladesh Bank was found to be faulty, and officers could not collect the list of transactions executed the day before. The next day, the officers could not open the SWIFT system,2 which was throwing an error: ‘A file is missing or changed’3. February 7, Sunday, is a non-working day for banks in the US. But for Bangladesh, the week begins on Sunday. The authorities at Bangladesh Bank could not reach out to their counterparts at the Federal Reserve Bank in New York to look into this matter, spilling it over to Monday. The timing of the entire incident is fascinating; Monday, 8 February was a holiday in the Philippines in view of the Chinese New Year4. In the meantime, a series of transactions was made to transfer money from the account of Bangladesh Bank at the Federal Reserve Bank to casinos in the Philippines and a NGO in Sri Lanka. In total, USD 81 million, described as payment for infrastructure projects, including bridges, a power station and the Dhaka metro, disappeared from casino accounts in the Philippines.
The Bangladesh Bank authorities have put the blame on the Federal Reserve Bank in New York. The Federal Reserve Bank processed the transactions because they were legitimate, and that is how an automated system like Swift works. Since the money landed at casinos in the Philippines, the authorities cannot trace the disappeared millions as casinos are not covered by the anti-money laundering act. And, on top of everything, the CCTV cameras at the bank branch where some of the money was withdrawn were out of order.
The first challenge in this cyber heist would be fixing accountability. In the entire chain of transactions, it could be an insider job, a malware, serious security negligence on the part of bank employee(s) or a loophole in the security process. The second and most important issue is the confidence in the security of automated messaging systems for banking transactions. The incident has also raised questions about the vulnerability of the international banking system, which rests upon information technology and the principles of information security. The international banking system relies on the SWIFT messaging system to authenticate wire transfer transactions. In this case, instructions for payment to the beneficiary account were authenticated by the SWIFT messaging system as per the standard authentication protocols in place. However, stolen credentials for sending SWIFT messages can compromise the entire security architecture.
The money landed at casinos in the Philippines, and not surprisingly, casinos are not covered under Philippines’ Anti-Money Laundering Law5 — the third challenge, absence of a legal mechanism. This has complicated the pursuit, as casinos are not liable to participate or cooperate in the investigations. In principle, the investigation would terminate where the money has exited the financial system and diffused into the darkness of the unregulated money laundering network.
A truly multinational crime, the entire incident is a blend of talent, timing and technology, meticulously drawn indeed. The people involved in the heist knew the banking system inside-out, and may be they had access to the credentials for sending SWIFT messages. The accounts in question were opened in May 2015. The transactions were timed at the weekend, for an operational lag between the time zones of the US and Bangladesh, which observe weekly off on different days. The preceding Monday was a Chinese New Year holiday. The money lost its trail in the casinos of the Philippines, which again are out of the reach of law. This would call for a re-examination of the payment procedures authentication, messaging systems, cyber and information security processes across global financial institutions and the international banking system. The crime has surpassed many jurisdictions and areas of responsibility of various entities, spread across the globe. Even if the investigations reveal the technical reason behind the breach, issues of jurisdiction, accountability and dearth of international laws governing cyber or money laundering crimes would await another Bangladesh Bank and another billion dollar breach.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India