NY Fed, BB, SWIFT to work jointly

The Federal Reserve Bank of New York, Bangladesh Bank and SWIFT have vowed to work together to recover the $81 million that Bangladesh lost in a reserve heist three months ago.

The three parties yesterday held a meeting in Basel of Switzerland to discuss the cyber fraud that took place in early February. They issued a joint statement after the meeting.

The statement, published on the New York Fed's website, said the parties provided details on the steps taken and also shared information on cyber and physical vulnerabilities illustrated by the event.

“All parties stated their concern over this event and their continued commitment to work together to normalise operations.

“The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks,” said the statement.

NY Fed President William Dudley, BB Governor Fazle Kabir and senior SWIFT officials attended the meeting.

This was the first time the BB governor held a face-to-face meeting with top officials from the Society for Worldwide Interbank Financial Telecommunication (SWIFT) and the NY Fed since the heist on February 4.

The joint meeting could bring the three parties closer and pave the way for Bangladesh to get back the stolen money that entered the Philippines.

So far BB officials have blamed the NY Fed for not doing enough to prevent the cyber theft.

About SWIFT, they said the Brussels-based organisation's system with the central bank was compromised in stealing the reserves.

The promise to work jointly may help Bangladesh enhance its cooperation with the Federal Bureau of Investigation (FBI) of the US on the issue.

Quoting the people familiar with the investigation, the Wall Street Journal in a report yesterday said interactions between the FBI and Bangladesh officials haven't always been easy since the heist, and the US State Department has intervened in an attempt to foster a better working relationship.

The FBI and federal prosecutors in Manhattan are investigating the cyber attack.

The BB delegation, which includes BB Lawyer and Queen's Counsel Ajmalul Hossain, went to the Swiss city to attend the meeting in an effort to convince the NY Fed to put pressure on the Philippines so that Rizal Commercial Banking Corporation, where the stolen money was wired, returns the funds to the BB.

The central bank's strategy is not to go for lawsuit. Rather, it wants to recover the money through arguments, by pointing to the faults of all the parties involved in the world's biggest cyber heist, according to a number of BB officials.

WHAT US INVESTIGATORS SAY

US investigators suspect the theft of $81 million was partly an inside job, the WSJ reported.

However, Criminal Investigation Department (CID) investigators, who are probing the matter in Bangladesh, didn't confirm the FBI claim.

Quoting people familiar with the matter, the WSJ report said FBI agents have found evidence pointing to at least one bank employee acting as an accomplice. The evidence suggests a handful of others may also have assisted hackers in navigating Bangladesh Bank's computer system.

The hackers tried to steal nearly $1 billion in an attack that involved an extensive penetration of BB computers, dozens of orders on the official interbank fund-transfer network and a money trail that ran through the Philippines' murky casino business, according to investigators.

In February, around $100 million went missing from the BB account with the NY Fed. Authorities are still piecing together what happened.

The attackers successfully transferred $100 million out of the BB account. The BB has been able to recover about $20 million so far.

BB Spokesman Subhankar Saha said the FBI hadn't informed the bank that one or more of its employees could have acted as accomplices in the heist.

“The central bank is pursuing this case with utmost vigour and if anyone within the bank is found to be involved, we will take legal action as appropriate,” he told the WSJ.

BB and its lawyers have suggested some of the blame lies with SWIFT, a Brussels-based cooperative of financial institutions that operates a crucial messaging system among thousands of banks.

The BB lawyers have also hinted some responsibility may lie with the NY Fed, which stopped as suspicious most of the 35 transfer orders sent by the attackers but let five through.

At a conference in Miami last week, Richard Dzina, NY Fed executive vice president, said the bank acted on properly authenticated message instructions.

Meanwhile, SWIFT has rejected the allegation by the BB and CID officials against it, according to Reuters.

The global messaging system termed the allegation “false, inaccurate and misleading.”

“The accusations have no basis in fact,” it said in a statement on its website.

SWIFT said it was not responsible for any of the issues cited by the officials, or party to the related decisions.

“As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment -- starting with basic password protection practices -- in much the same way as they are responsible for their other internal security considerations.”

The comments from SWIFT came after Reuters reported quoting CID officials that the BB became more vulnerable to hackers when SWIFT technicians connected Bangladesh's first real-time gross settlement system to SWIFT messaging three months before the heist.

Shah Alam, additional deputy inspector general of the CID, told The Daily Star, “We stand by our comments.”

“There is a difference between the way SWIFT had planned to work and the way it actually did. We found some loopholes."

Asked, Alam said he read the WSJ report on the FBI findings.

“The report does not say a BB employee was involved in the heist. The FBI has found insider's involvement. It is nothing new.

“We have already said we found some loopholes in the BB's IT system. One system had been isolated and it was connected. As a result, hackers got the chance to do the hacking.”