24 November, 2016 00:00 00 AM

The Bangladesh Bank Heist

Shawn Islam and Forrest Cookson

With the continued delay in publication of the Farashuddin Report on the Heist of Bangladesh Bank’s funds from the Federal Reserve Bank of New York, numerous mysteries remain. We list here a number of questions that remain to be answered. We hoped that the report would answer these questions relevant to the determination of who was behind the Heist.

1.    There were a large number of transfers ordered, of which only a handful have been identified where the beneficiary of the transfer was in the Philippines or Sri Lanka.  But there were many others ordered.  Which countries were to receive these funds and who are the account holders?  This seems to us to be a very valuable source of information on the organizers of the heist.  Did they actually expect to get a significant portion of one billion dollars?  Were other transfers window dressing to confuse the investigators?  Were there any patterns to these 30 failed transfers where transfers were made to certain countries, organizations or computer Internet Protocol addresses?
2.    Will the Farashuddin Report that will be published in the future be the same as the one written in April 2016?  Has the Report been updated or have the authors changed their minds from the early period based on new information?  When the Report is published will it identify any changes from the April version?
3.    The big question is whether the SWIFT terminals in Bangladesh Bank could be hacked so that an outside person could send a transfer order apparently from Bangladesh Bank without any action by someone inside the terminal room?   Or is the SWIFT system such that action by an insider at the terminal is necessary?  What is the conclusion of the Farashuddin Report on this key question? 
4.    If the SWIFT terminals are unsecured and transfers can be sent without physical access, why were the terminals kept insecure and vulnerable to remote access?  Why did the security consultant appointed by Bangladesh Bank, Mr. Rakesh Asthana, an Indian national and the founder/Managing Director of World Informatix, not advise Bangladesh Bank to secure the SWIFT terminals with powerful routers, gateways and strict security policies in accordance with the reference architecture of the SWIFT terminal layout?
5.    If the conclusion is that an insider is essential for the transfer, does the Report indicate how such person or persons could be identified?  Did the Report provide a path forward for CID?
6.    If the answer to Q3 is that this could be done without a physical presence at the SWIFT terminal, then did the Report indicate that there was evidence of hacking into the Bangladesh Bank system?
7.    Continuing from Q6, did the Report contain a description of the malware used and was it possible to describe the purpose and actions of the malware?
8.    Continuing from Q7, could the analysts conclude anything from the style of the programming of the malware?  Did this point towards any known hacking group?
9.    Does the Report conclude that Bangladesh Bank staff were negligent in management of the SWIFT system’s installation and connection with the Bangladesh Bank’s Local Area Network?
10.    Does the Report conclude that the physical security with respect to passwords and access to the dongle needed was satisfactory?  
11.    Does the Report conclude that control of the physical access to the SWIFT terminals was satisfactory?
12.    Was there CCTV surveillance of the terminals?  If so was it functioning?
13.    Was there CCTV surveillance of access to the room containing the SWIFT terminals?  If so was it functioning?
14.    Does the Report conclude that the SWIFT personnel who worked on the system during 2015 were involved in this Heist?  Does the Report identify the nationalities of the SWIFT personnel?
15.    Is the Report satisfied with the cooperation received from SWIFT as an organization?
16.    Did SWIFT provide information to the Bangladesh Government on the security clearances obtained for its staff working for Bangladesh Bank?
17.    Why did the Governor of Bangladesh Bank at the time keep the Heist secret from senior officers of the Government?  Why from the public?  Did he act on his own in this instance?
18.    Two Deputy Governors of Bangladesh Bank were fired shortly after the incident.  Did the Report support this?  Did the report call for a more judicial process with respect to actions against Bangladesh Bank staff?  Did the Report recommend personnel actions against BB staff in addition to the removal of the two deputy governors?
19.    What did the Report recommend in terms of regular external evaluations of the cyber-security of BB’s computer networks?
20.    Did the Report recommend taking legal action against SWIFT and/or the Federal Reserve Bank of New York?
21.    Did the Report recommend civil action to recover the lost money from the then Governor of Bangladesh Bank?
22.    Did the Report recommend any changes in the independence of the central bank from oversight by the Ministry of Finance?
23.    What consultants were working on computer systems and computer system security at the time of the Heist?  Did the Report assess their role in these events and what conclusions were reached with respect to involvement, willing provision of relevant information, and actions taken after the Heist was discovered?
24.    Will the Report from the investigation company FireEye which was appointed by Bangladesh Bank be made public? 
25.    After the Heist was discovered what actions were taken by the Governor including hiring of external consultants to investigate?  Does the Report evaluate these actions and make any recommendations about future work of such groups with respect to the Heist?  Did these reports from consultants after the Heist answer Question 3?
26.    Did the Report recommend any actions to improve security at the many SWIFT terminals throughout the banking system?  Did the Report suggest oversight of security of nationwide SWIFT terminals by Bangladesh Bank or the Ministry of Finance?  
In previous articles we gave our answer to Question 3: an insider was necessary to be physically present at the SWIFT terminal to execute the transfer orders.  We are anxious to learn of the Farashuddin Report’s view of this matter.
Whatever the answer to Q3, one has to hope that the perpetrators of this theft will be caught and punished.  This is a complex task involving many countries and advanced procedures related to computer hacking and tracking international fund transfers.  The best entry points for such an investigation are tough questioning of Bangladesh Bank officers involved with the SWIFT system, consultants working on BB systems, and SWIFT staff working on the BB SWIFT system.  It is the breaking of one or more of this group that will lead to the kingpin behind the theft.  We are not sure if the international cooperation needed with the United States, India and Sri Lanka has been forthcoming.  Our sense is that investigation of Bangladesh Bank staff has been limited.
The entire incident reflects a lack of serious understanding of the world today by the Ministry of Finance, Bangladesh Bank and the commercial banks.  Our world is one of serious attacks on computer systems both to gain information and to steal. In the industrial world there is a great deal of theft in the banking system much of which is unknown.  The thieves are far ahead of the guardians!  
We believe that a computer hacking ring based in China, possibly Macao or Hong Kong, corrupted staff in Bangladesh Bank and SWIFT staff in South Asia.  The Heist was done by humans sending properly authenticated transfer orders using information gained through hacking BB systems and providing this to an insider who executed the transfer orders.  These orders were then processed through a complex system set up in many countries but turned out successfully in only one.  Nevertheless it was the largest bank heist in history.  There is a tremendous investigation to conduct including the identities of all the potential recipients of the transfers, the detailed questioning of BB and SWIFT staff, working numerous international linkages to gain access to all of these people.  We wonder if the Farashuddin Report grasped the scale of the criminal investigation required and if the Government is providing the needed support to the police to conduct this daunting investigation.

The writers are economists

Editor : M. Shamsur Rahman

Published by the Editor on behalf of Independent Publications Limited at Media Printers, 446/H, Tejgaon I/A, Dhaka-1215.
Editorial, News & Commercial Offices : Beximco Media Complex, 149-150 Tejgaon I/A, Dhaka-1208, Bangladesh. GPO Box No. 934, Dhaka-1000.