Bangladesh has some US$28 billion in foreign currency reserves with alarmingly rickety fences around it: A hacker’s dream. A comical typo saved the Bangladesh central bank from losing as much as US$1 billion to hackers. But of the US$101 million stolen, US$81 million is yet to be found. Now the Bangladesh central bank is in turmoil. Its governor as well as some top officials have resigned and removed. The country’s leading cyber-crime experts have been kidnapped, and the Federal Bureau of Investigation is assisting the Bangladesh authorities amid suggestions of insider help for the theft. There are lessons to be learnt: Central banks make fat targets. Those in the developing world, with lots of new capital but not as much digital fortification, are especially at risk.Banking system needs world-class cybersecurity
Leading Bangladeshi bankers have urged the new governor of Bangladesh Bank (BB) to instill world class security infrastructure
in the countrys banking sector
Prof. Sarwar Md. Saifullah Khaled
Bangladesh has some US$28 billion in foreign currency reserves with alarmingly rickety fences around it: A hackers dream. A comical typo saved the Bangladesh central bank from losing as much as US$1 billion to hackers. But of the US$101 million stolen, US$81 million is yet to be found. Now the Bangladesh central bank is in turmoil. Its governor as well as some top officials have resigned and removed. The countrys leading cyber-crime experts have been kidnapped, and the Federal Bureau of Investigation is assisting the Bangladesh authorities amid suggestions of insider help for the theft. There are lessons to be learnt: Central banks make fat targets. Those in the developing world, with lots of new capital but not as much digital fortification, are especially at risk.
Meanwhile, leading Bangladesh bankers have urged the new governor of Bangladesh Bank (BB) to instill world class security infrastructure in the countrys banking sector. They made the suggestion when a delegation of the Association of Bankers, Bangladesh (ABB) called on the newly appointed governor of the central bank on March 21, 2016. About 40 chief operating officers (CEOs) and managing directors of different banks met with the new governor at his office in Motijheel, Dhaka.
Following the meeting, Bangladesh central bank spokesman briefed newsmen about the proceedings of the courtesy meeting. The spokesman said the banking leaders greeted the new governor offering extensive cooperation in his job as chief of the central bank. Moreover, they urged the new governor to take measures to enhance cyber security of the central bank in particular and the whole banking system of the country in general.
They mentioned that some of the private banks have already installed world-class cyber security system. Ex-finance secretary Fazle Kabir was appointed as the central bank governor by the government following resignation of Dr. Atiur Rahman from the post against the backdrop of the more than US$100 million heist by cyber hackers from Bangladesh Banks account with the New York Federal Reserve Bank.
Surprisingly enough the officials at the Bangladesh Bank kept quiet for more than a month, a grim reminder of how crucial information sharing is. Even after a successful heist, preventing hackers from moving the money requires global co-operation. The thieves in this case laundered much of the cash through casinos in the Philippines where casinos are exempted from otherwise strict anti-money-laundering requirements.
The heist has also shown that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system is not 100 percent impregnable too. While, Brussels-based SWIFT, a co-operative owned by some 3,000 global financial institutions, can advise members to follow certain minimum security standards. According to IT experts there is no organisation with regulatory oversight of how central banks and other financial institutions secure their networks. The puzzling episode should serve as a wakeup call for the future of global financial organisations, that are one of the most securely connected in the world, to dig deeper to counter the ever mutating cyber security threats.
But the ongoing Bangladesh Bank heist investigation has taken a new turn with the statement of the SWIFT claiming that the hackers could not breach its system. Almost all the commercial banks including Bangladesh Bank are the members of the SWIFT. Chief Executive Officer (CEO) Tottfried Leibbrandt of the SWIFT in a letter informed all its members that its system was not hacked. Earlier, the US Federal Reserve Bank New York wing also denied about the hacking of its system. Now onus of the cyber heist lies on Bangladesh Bank.
So far, it was the general perception that SWIFT system failure could be the major cause for the cyber heist. The SWIFT statement raised the question; if the SWIFT system remained in the right track then how the money was transferred. Investigators have taken the SWIFT statement seriously and now firmly believe about the connivance between Bangladesh Banks insiders with the hackers. The SWIFT provides separate secret code to its members for operation of the system. The CEO of SWIFT in his letter also cautioned its Bangladesh users about invasion of malware and asked to take all sorts of protection to prevent malware attack.
According to a Kaspersky Lab report last April 2015 depending on the country, from a quarter to more than half of the organisations in the region have said they faced viruses and other malware, phishing and software vulnerabilities in the past year 2015. Despite the irreversibly speeding up Internet-of-Things technology, the fact remains that even the most secure IT installations in the world are not always beyond a breach.
But cyber security, though prosaically boring, is everyones responsibility. The explanation I am not a technical person from the now ex-governor of Bangladesh Bank cannot help. Making better use of encryption, access controls and strong verification systems with constant updating can help, but nothing can substitute for training and vigilance. Hackers only have to get lucky once, but the financial world needs be on alert round the clock.
In the meanwhile Bangladeshi bankers have urged the concerned authorities to enhance cyber security throughout the whole banking system of the country particularly the central bank and the bankers of Philippines urged the authorities to tighten regulators for money changers. The regulators are reviewing foreign exchange rules in Philippines to prevent money launderers from using the black market. The review is aimed at finding out better ways of tracking the flow of money into the Philippines, after the laundering through the countrys financial system of US$81 million stolen by computer hackers from the American accounts of the central bank of Bangladesh in last month February 2016.
The review is taking a look at the role that the black market possibly played in transferring the US$81 million from the Rizal Commercial Banking Corp. (RCBC) branch on Jupiter Street in Makati City, where the hackers had wired it, and transferring the dirty money to other banks and casinos. The Bankers Association of the Philippines (BAP) is asked to better regulate the foreign exchange sector. According to industry estimates, 85 percent of foreign exchange transactions in the Philippines are conducted outside the banking system. They are required to be registered and are also covered by the anti-money laundering law like the banks. But doubts persist whether it would be at all possible to recover these US$81 million because all money was converted into the Philippines local currency and transferred to different gambling centers. If the return of the heist reserves is at all possible, no one knows when.
The writer is a retired Professor of Economics
