DHAKA: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said.
The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.
"It could be difficult to hack if there was a firewall," Alam said in an interview.
The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added.
Experts in bank security said that the findings described by Alam were disturbing.
"You are talking about an organisation that has access to billions of dollars and they are not taking even the most basic security precautions," said Jeff Wichman, a consultant with cyber firm Optiv.
Tom Kellermann, a former member of the World Bank security team, said that the security shortcomings described by Alam were "egregious," and that he believed there were "a handful" of central banks in developing countries that were equally insecure.
Kellermann, now Chief Executive of investment firm Strategic Cyber Ventures LLC, said that some banks fail to adequately protect their networks because they focus security budgets on physically defending their facilities.
Cyber criminals broke into Bangladesh Bank's system and in early February tried to make fraudulent transfers totalling $951 million from its account at the Federal Reserve Bank of New York.
Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
The police believe that both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.
"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," he said, referring to SWIFT.
SWIFT has previously said the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised.
A spokesman for Bangladesh Bank said SWIFT officials advised the bank to upgrade the switches only when their system engineers from Malaysia visited after the heist.
Source: Oman Observer