Atiur blames global money transfer system for heist


The former governor of Bangladesh’s central bank has defended himself and his colleagues in the $81 million cyber heist in February.
He told The New York Times in an interview that flaws in the global money transfer system – and not any misstep by him – are to blame for the brazen heist. Atiur Rahman, who resigned from his post in March after the heist, told the NYT that the loss had been a “systemic failure” and that “Bangladesh should not be blamed for something going wrong in the chain”. In particular, he blamed the Federal Reserve Bank of New York, where the central bank had placed the money. “If you want to take $500 out of your account in the US, you’ll be asked several questions,” Atiur told NYT. “But here, millions are going, and you’re not asking any questions.”
The New York Fed, he added, “should have immediately called someone in Bangladesh – the governor or someone.” Atiur also said that he tapped an online security firm a year ago to help the bank beef up its defences but that it could be hired only after the theft because of bureaucratic delays.
His comments go to the heart of fears in the international banking community, says the NYT.
The theft exposed weaknesses in the way the world’s banks, companies and other financial institutions transfer money around the globe. SWIFT – the system they use to move that money and through which the money was transferred out of the New York Fed – has since said it has seen other such attempts to steal money from the global banking system. In the case of Bangladesh Bank, the thieves used stolen credentials to try to transfer nearly $1 billion of the central bank’s money at the New York Fed to accounts around the world.
About $81 million was ultimately transferred to casinos in the Philippines, where much of it disappeared.
A spokeswoman for the New York Fed declined to comment on Atiur Rahman’s remarks but told NYT that the theft had not been the result of a breach of its computer systems. Some experts have said the theft was the result of weaknesses in Bangladesh Bank itself. Local news reports have said the bank used $10 routers and no firewalls. But Atiur disputed the notion that the bank’s digital security was lax.
“I made cybersecurity the top of the agenda,” he told NYT, adding, “I smelt a year back that this could be a problem. It was my bad luck that this happened now.” He said that the bank had tapped Mandiant, a security firm owned by FireEye Inc of the US, as an adviser before the theft, but bureaucratic tangles in Bangladesh had kept Mandiant from fully joining until after the incident. Dan Wire, a spokesman for FireEye, declined to comment.
SWIFT executives have also been frustrated that some of its users have been slow to disclose a breach in their systems and – in one case – failed to inform the consortium of an attack at all, the NYT report said. SWIFT representatives have suggested to federal officials in the US that banks that cannot maintain a basic level of digital security may have to be removed from the network, a decision that could economically marginalise certain parts of the world. A spokeswoman for SWIFT – which stands for Society for Worldwide Interbank Financial Telecommunication – declined to comment on Atiur Rahman’s remarks but told NYT: “Security weaknesses at individual customer firms have an impact on others in the wider financial system, which means that the industry as a whole has to respond by renewing and enhancing its security.”
Atiur told NYT that an investigation was continuing and that there might have been negligence at Bangladesh Bank. But he said he was not responsible for any wrongdoing. “As a governor, I’m not supposed to look at each and every small thing.” “Maybe someone’s password was compromised,” he added. “It was a departmental failure and not the fault of the governor. It was a high dosage attack, like a 15 on the Richter scale attack. Other parties could have helped or warned Bangladesh. You cannot imagine my shock.”
On speculation that someone within the bank had actively helped the thieves, he said, “If there’s a criminal, catch him, but don’t blame anyone without reason.” He had resigned after the theft for the greater good of the bank, Atiur said. But he defended his conduct after the theft. The former governor has been criticised for not reporting the theft to the government for a month. “I wanted to save the financial system and the image of the country,” he said. “It could be a mistake, but it was not a crime,” he told NYT, adding, “People should not expect that I’ll be technically so smart that I would know from the start what happened.”
To steal the money, the thieves sent transfer orders to the New York Fed using the Bangladesh Bank’s credentials. The heist was well timed – it took place during Thursday night in Bangladesh, on the eve of the country’s weekend. When workers there discovered the transfers on Saturday, they tried to reach the New York Fed, which was closed for its weekend. Atiur Rahman contends that the New York Fed did not do enough to verify that the orders were real. “There was a terrible lack of efficiency from the Fed,” he said. “We were sending mails, faxes, but there was no one to pick that up. We need a hotline.”
In May, representatives of the Fed, Bangladesh Bank and SWIFT met in Basel, Switzerland, to discuss protecting the global financial system from these types of attacks. Atiur also laid some of the blame on the Philippines, where the theft has exposed what critics say are holes in efforts to counter money laundering. “If the Fed really wants to help, it only needs to make one small phone call to the Philippines central bank governor and order it to return the money,” he said. “It’s the credibility of the system that’s at stake.” In March, the agency that tackles money laundering in the Philippines filed criminal charges against two businessmen, accusing them of breaking the country’s money-laundering laws by receiving some of the money from the heist. A spokeswoman for the governor of the Filipino central bank, Amando Tetangco Jr, wrote in an email, “Charges have been filed against those who have been identified as being involved in the Bangladesh heist. We await the decision of the courts.”
