SWIFT technicians left the Bangladesh central bank vulnerable to cyberattacks when they connected it to a new transaction system, authorities investigating the recent $81 million cyber theft at the bank told Reuters. If true, these new revelations should serve as a wake-up call to corporate treasurers concerned about the security of SWIFT in particular and cybersecurity in general.
Both the Bangladesh police and a senior central bank official said in the Reuters article that when the technicians connected SWIFT to Bangladesh's real-time gross settlement (RTGS) system, they opened the bank up to vulnerabilities. "We found a lot of loopholes," said Mohammad Shah Alam, head of the criminal investigation department of the Bangladesh police. "The changes caused much more risk for Bangladesh Bank."
Magnus Carlsson, AFP's manager of treasury and payments, warned against jumping to conclusions before determining what exactly happened in this incident. Certainly it is in the Bangladesh Bank's best interest to point the finger at another entity amid this massive cyberfraud. But Carlsson added: "If this is the result of procedures not being followed, it is clear that when it comes to fraud, you can't cut corners—the criminals don't."
Lessons for treasury
If the allegations about the SWIFT technicians turn out to be true, the incident underscores the importance of treasury keeping a close eye on anywhere the money can move. Unfortunately, according to Craig Jeffery, CCM, AAP, managing partner for Strategic Treasurer, many treasury departments aren't doing that.
First, limiting access to certain systems is essential for treasury. "You don't want to grant unfettered access," Jeffery said. "It's more important than ever that you understand who can come in and what the access points are."
Jeffery stressed that no matter what third parties are brought in to install software—SWIFT, a treasury management system (TMS) provider, etc.—the onus is on treasury to make sure they don't leave your systems vulnerable. "If you grant them the rights to come in and work on your machine remotely and they leave it up—those are things that treasury is responsible for as a steward," he said. "Treasury isn't IT security, but they are in charge of protecting the accounts and making sure that the structure provides adequate defense."
For treasury to have a proper security framework, it needs to be involved in and aware of what IT is doing to secure the exterior and the interior, he continued. "They need to know what those layers are, and need to know whether they're adequate or not," he said. "I think people have long been living without enough security, and treasury needs to take a leadership role. They're ultimately responsible for protecting the liquid assets of the firm; and that involves people, IT and external providers—whether it's SWIFT, their banks or different software providers."
But is treasury generally taking that leadership role? Not that Jeffery has observed. However, he believes the Bangladesh Bank incident may be the wake-up call that treasury departments need. "They need to take those steps to address this," he said. "Every organization, $500 million and up, should have a treasury security framework. They should identify the layers of security that they have in place, and they should be reviewing those because those standards will need to change over time. They need to make sure that the layers of security they have are protected."
Fortunately, some treasurers do recognize their responsibility here. Patricia Hui, MBA, CTP, senior corporate treasury manager for Mentor Graphics Corporation and an AFP board member, noted that while her company is not a user of the SWIFT Alliance software, this incident sends a good message to all treasury departments about the importance of monitoring all financial transactions that are executed via TMS and/or banking portals. "We must partner with IT to ensure our network is secured and all security updates are applied in a timely fashion. Employee education on fraud awareness and prevention is also critical," she said.
How SWIFT may have contributed to the Bangladesh Bank cyberfraud
According to the Reuters story, the RTGS system, which enables domestic banks and the central bank to settle large transfers between themselves, was installed at Bangladesh Bank in October 2015. Bangladeshi police said that the technicians connected the RTGS system to SWIFT computers that were on the same network as about 5,000 of the central bank's other computers—all of which are accessible from the open internet. What technicians typically do instead is set up a separate local area network (LAN) that cannot connect to the rest of the bank or the internet.
According to police, the technicians also did not install a firewall to block malicious traffic, and used an old, rudimentary networking switch to control access to SWIFT as opposed to a more sophisticated one that would have given the bank the ability to control access to the network.
Furthermore, the technicians reportedly set up a wireless connection so that they could access computers in the locked SWIFT room from other offices within the bank while they worked. But once they were finished, they did not disconnect that remote access, and left it accessible through a single password.
Lastly, the technicians did not disable a USB port on the SWIFT computer. This made the computer vulnerable to malware that could be installed through a thumb drive. An anonymous central bank official told Reuters that this port was active until the heist was revealed.
Reuters has not been able to independently verify the allegations by the Bangladeshi officials, but noted that, if verified, they could further undermine confidence in the SWIFT network.
UPDATE: 4:50 p.m., 5/9/16
In a statement, SWIFT vehemently denied the allegations, claiming that they are "false, inaccurate and misleading" and "have no basis in fact."
SWIFT said it was not responsible for any of the issues cited by officials, nor was it party to any related decisions. "As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment—starting with basic password protection practices—in much the same way as they are responsible for their other internal security considerations," SWIFT said.
SWIFT added that it would be meeting with Bangladesh Bank and New York Federal Reserve Bank officials on Tuesday to discuss the bank's security issues and the "baseless" allegations.