See

discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307512855

A Forensic View of Bangladesh Bank Reserve

Heist

Technical Report · September 2016

DOI: 10.13140/RG.2.2.35280.51200

CITATIONS READS

0 285

1 author:

Mizanur Rahman
University of Dhaka
25 PUBLICATIONS 19 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

An Evaluation of Monetary Policy in Bangladesh View project

Accounting for Capital Market Development (ACMD) View project

All content following this page was uploaded by Mizanur Rahman on 31 August 2016.

The user has requested enhancement of the downloaded file.

 A Forensic View of Bangladesh Bank Reserve Heist
Mizanur Rahman1
University of Dhaka

An unprecedented cybercrime resulted into a huge loss of Bangladesh Bank’s foreign exchange
reserve with the New York Federal Reserve Bank. While the actual reserve loss is 81 million
U.S. dollars, it could be as large as one billion U.S. dollars. At the heart of this problem is an
internal control breakdown that involved not only Bangladesh Bank (BB) but also the New York
Fed and SWIFT messaging system. It is noteworthy that the SWIFT messaging services are used
and trusted by more than 11,000 financial institutions in more than 200 countries and territories
around the world. The news media around the world initially reported the case as a cybercrime
which compromised the IT infrastructure of Bangladesh Bank. No doubt the incident will erode
Bangladesh Bank’s credibility in the global payment system. The reliability of SWIFT as a
secure global payment system is also at risk. New York Fed’s settlement of the first five payment
advices but not the thirty others is dubious. The role of the Philippines central bank and one of its
scheduled commercial banks is at least criminal. This note will demonstrate how this cybercrime
would likely be impossible had there been an effective internal control system in both the central
banks and SWIFT environment.

We can first shed light on how to use SWIFT’s messaging services. In order to use SWIFT
Messaging Services, a customer (in this case, Bangladesh Bank) needed to connect to the SWIFT
environment, known as SWIFTNet. Note that SWIFTNet offers four complimentary messaging
services, all of which are intended to provide seamless straight-through-processing; and those
include: FIN, InterAct, FileAct and WebAccess. It is reported that BB official(s) tried to connect
to the SWIFT environment in the morning of 5 February 2016. It was Friday, a public holiday in
Bangladesh, but a working day in the United States and Europe. BB officials had several ways to
connect to the SWIFT environment: directly via permanent leased lines, the internet, or SWIFT’s
cloud service (Liet2); or indirectly via appointed partners. We do not know which specific
method was used in this case. It is reported that officials on duty then discovered that a printer
connected to SWIFT system went out of order and that they failed to fix the problem. An opacity
is still continuing as to who connected to the SWIFT Messaging Services. Another issue is
whether the malfunctioning of a printer had anything to do with generating valid SWIFT
messages for the New York Fed. A total 35 SWIFT messages were arguably created by hackers
but the staffs observed no warning signals in their system. This is not true. A more serious
question is why the BB internal control system failed to discover this unprecedented scam until 8
February 2016.

A hugely incomplete story is being fed into the public media that cybercriminals hacked the
confidential identifications, accessed into the Bangladesh Bank’s IT system and then generated
valid SWIFT messages. This would be impossible because accessing to SWIFT environment is
subject to robust controls around both physical and logical access. Physical controls must protect
the premises while the logical controls should restrict access based on business needs. Anyone
will assume that specific BB officials were entrusted with managing these controls. Hackers
without conniving with insiders cannot therefore steal the confidential details and generate valid

1
Dr. Mizanur Rahman is a Professor of Accounting and Public Policy in the University of Dhaka. E-mail: mizan@du.ac.bd. Tel:
+88 01817 684202, Fax: +88 02 8615583.

1
SWIFT messages. It is worth reviewing how a valid SWIFT message is created and then
validated within the SWIFT environment.

Any message originating from a customer’s system will be authenticated using SWIFT’s
specialized security and identification technology. State of the art encryptions are added as the
messages leave the customer environment. This indicates that all the messages leaving
Bangladesh Bank and entering the SWIFT environment accompanied encryptions. The encrypted
messages originating from Bangladesh Bank would remain in the protected SWIFT environment,
subject to all SWIFT’s confidentiality and integrity commitments, throughout the transmission
process to SWIFT’s operating centers (OPCs) where the messages would be processed, until they
were safely delivered to the receiver (i.e., the New York Fed in the present case). A big question
is whether this supposed internal control system was working.

SWIFT’s core messaging platform operates with a layered security model backed by a secure
application development process and ‘state-of-the-art’ hardware-based Public Key Infrastructure
(PKI) technology. SWIFT-specific public keys, digital certificates and digital signatures are
variously used to authenticate senders and to validate the integrity of the message sent. In the
case of Bangladesh, it is learned that independent BB officials dealt with these three
authentication instruments. One official had the SWIFT-specific public key, the second official
had the digital certificate and the third official provided the finger print in order to create a valid
SWIFT message. While the first two authentication instruments could be hacked or stolen, the
instrument of finger print would be impossible to be hacked. The fact that a staggering 35 valid
messages were generated and then transmitted through SWIFTNet indicates an internal control
breakdown within Bangladesh Bank. And it should be easy to identify and then prosecute those
who were responsible for managing the authentication instruments.

How does a SWIFT message transmit via SWIFTNet? SWIFT verifies signatures to confirm
message integrity and validates certificates to authenticate the senders. SWIFT ensures that
messages are delivered to the intended recipient in the appropriate sequence and offers end-to-
end security, allowing senders to apply signatures for the receivers, enabling receivers to verify
the message integrity and authenticate the senders. Thus, the data in messages can be issued and
controlled exclusively by the sending and receiving institutions and message originators are able
to provide message recipients with means of verifying that the message has not been modified
during the transmission. It therefore appears that SWIFT-specific public key, digital certificate
and digital signature have all been duly used from within the Bangladesh Bank in the process of
creating encrypted SWIFT messages, only to be sent via the secured SWIFT system. This would
be impossible from an external and independent IT platform.

SWIFT claims that it applies strict security, confidentiality and integrity protections to
customers’ messages. SWIFT has controls and procedures in place to protect message data from
unauthorized changes to messages, and to detect corruption of messages. Furthermore content
validation features are used to ensure that only validated messages are processed and delivered in
the relevant sequence to the intended recipient. All services provided by SWIFT are monitored
and supported on a continuous and real time basis by teams of technical specialists located
within geographically diverse control centers. SWIFT has customized service management

2
 platforms and their support professionals are able to react instantly to any security issues, and to
take necessary actions to protect customers’ interests. SWIFT officials visiting Bangladesh Bank
after the heist claimed that payment advices were duly generated and SWIFT system was not
hacked. This claim appears not substantiated as explained below.

A Wall Street Journal review of 35 payment orders indicates that SWIFTNet failed to deliver the
content validation check. For example, five payment orders were executed to fake
beneficiaries—four in the Philippines and the fifth in Sri Lanka. Most importantly, purpose
statement in each case was bogus and fraudulent. For example, a $30.0 million payment was
settled to a beneficiary called Jessie Christopher M. Lagrosas and for a project named Mass
Transit Dhaka. It is thus evident that the purported content validation process did not work in the
SWIFT environment. The New York Fed claimed that the payment order it approved had been
duly authenticated by SWIFT. An unresolved question is how the SWIFT validated the 35
payment orders and what further check New York Fed carried out as a part of its own internal
control system.

Finally, the role of New York Fed is dubious. The New York Fed claimed that the payment
instructions in question were fully authenticated by SWIFT messaging system in accordance
with standard authentication protocols. Carolyn B Maloney, Ranking Member in the U.S. House
of Representatives, raised several questions about this claim. Those are reproduced below.

 Firstly, is it appropriate to rely solely on authentication from SWIFT for payments from
the accounts of foreign central banks?

 Secondly, why the New York Fed block the last 30 transfer orders, but not the first 5
orders? What was it about the last 30 orders that raised the New York Fed’s suspicions?

 Thirdly, the New York Fed requested from Bangladesh Bank for reconfirmation of all 35
payment orders, but executed payments for the first 5 orders without receiving any
reconfirmation. What is the New York Fed’s policy regarding reconfirmation and was it
observed in this case?

 Finally, why did New York Fed not question the apparent misspelling in the $20 million
transfer order to the Sri Lankan account, as a correspondent bank did?

An international inquiry is needed to fully understand the total ring which is behind this
unprecedented cybercrime. While the Philippines Senate was leading the inquiry, the
Government of Bangladesh and its central bank authority maintained an opacity from the very
beginning. Dr. Atiur Rahman, the past governor who handled the case at the outset, kept it secret
for more than a month before international media began reporting of the incident. Furthermore, a
high-powered inquiry committee led by a former BB governor, Dr. Mohammed Farashuddin,
though produced a report about the heist, the government kept it unpublished for no apparent
reason. This continued opacity is further hurting a potential recovery of the stolen money. The
evolving platform of international payment settlement is also at risk.

View publication stats