Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said.
The shortcomings made it easier for hackers to break into the system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.
"It could be difficult to hack if there was a firewall," Alam said.
The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added. The institute Alam heads includes a cyber crime division.
The police believe both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.
"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," he said, referring to SWIFT.
A spokeswoman for Brussels-based SWIFT declined comment.
SWIFT has previously said the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised.
A spokesman for Bangladesh Bank said SWIFT officials advised the bank to upgrade the switches only when their system engineers from Malaysia visited after the heist.
"There might have been a deficiency in the system in the SWIFT room," said the spokesman, Subhankar Saha, confirming that the switch was old and needed to be upgraded.
"Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system," Saha said.
Cyber criminals broke into the bank's systems and tried to make fraudulent transfers totalling $951 million from its account at the Federal Reserve Bank of New York in early February.
Most of the payments were blocked but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
Another $20 million was sent to a company in Sri Lanka but the transfer was reversed because the hackers misspelled the name of the firm, raising a red flag at the routing bank.
The heist, which sent alarm bells ringing across the global financial system about cyber security, has turned into a global whodunit.
Bangladesh police said earlier this week it has identified 20 foreigners involved in the heist but they appear to be people who received some of the payments rather than those who initially stole the money. There is no clue to the identity of the hackers or who was behind the plot.
Bangladesh Bank has about 5,000 computers used by officials in different departments, Alam said.
The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eight floor of the bank's annex building in Dhaka. There are four servers and four monitors in the room.
All transactions from the previous day are automatically printed on a printer in the room.
The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, "managed" switches, which allow engineers to create separate networks, Alam said.
Moreover, considering the importance of the room, the bank should have deployed staff to monitor activity round the clock, including weekends and holidays, he said.
Communications between the Fed and the Bangladesh central bank were hampered and the heist was discovered only after a delay because it happened between Feb 4 and 5, over the Bangladeshi weekend.