IT loopholes led to BB fund heist

Bangladesh Bank had been in constant fear of organised cyber attacks after its ‘quantum leap’ from manual to hi-tech banking operations in recent years—a move that was aimed at gearing up economic activity.

The central bank tried its best to minimise risks, but everything culminated in the heist of $101 million by hackers from its account at the US federal bank.

“We all, governor and deputy governors included, sensed some loopholes after a quantum jump from manual to paperless banking. And it happened finally,” KM Abdul Wadud, a central bank retiree who headed a project on BB’s modernisation, told daily sun last week.

The banker, however, underscored the importance of high-tech banking as the national economy grows bigger, and also defended the regulator's 'helplessness' in such a crisis situation.

He said the authorities put their best effort into protecting the security of the country's financial system and treasury by initiating measures for the central bank and enacting policy guidelines on IT adoption and security for banks.

Under the financial sector strengthening project, Wadud said, the BB installed a national payment gateway and switch to establish the infrastructure for paperless banking and for carrying out all other functions with clients online.

“Former governor [Dr Atiur] took the project in line with the government’s ‘Vision 2021’ with intent to digitise Bangladesh and this technology was vital as the economy was growing steadily.”

Hi-tech banking has ensured financial inclusion, which helps the country's GDP [gross domestic product] growth.

Banking services have reached about 70 per cent of all citizens via mobile banking and the scope for easy banking (opening an account with only Tk 10) for farmers, students and disadvantaged segments of the population.

The digital era has begun, but with a sheer lack of manpower with IT (information technology) skills. This has caused major concern over IT security, with possible threats from both domestic and external elements, Wadud observed.

He said a radio link was enabled last year by installing RTGS (real-time gross settlement) linked to the Swift server. It was earlier used for reserve operations only.

“Hackers made it possible to connect Swift server with the radio link as they reached the dealing room (reserve operations office) in the BB headquarters. It wasn’t possible if someone remained on duty in the dealing room.”

“Sending malware to the Swift server wouldn’t be possible if anyone was on duty and the computer remained offline. So, hacking can only happen if the dealing room is without a vigilante and the computer is switched off,” he argued.

The enabling of radio link with Swift server was opposed by deputy governor Nazneen Sultana, but another influential deputy governor supported it.

“Finally, it was done. But I saw the governor unhappy with it,” Wadud said.

Cyber thieves struck the BB’s account at the Federal Reserve Bank of New York on February 4 and managed to take away $101 million under five forged payment orders, out of 35 orders or more, in a plot to steal $950 million.

The hackers first broke into the Swift (Society for Worldwide Inter-bank Financial Transactions) system of the central bank and stole data from reserve operation computers to generate forged payment orders.

Of the stolen sum, $20 million was laundered to Sri Lanka, which was recovered immediately with the aid of local authorities, and $81 million to the Philippines, which had already left the banking system in the absence of proper vigilance by local authorities.

An investigation is going on there to this end.

Dr Atiur initiated the online or paperless banking system with the help of the World Bank. The authorities also considered security aspects amid growing risks of cyber crime across the globe.

Meanwhile, the BB’s IT security initiatives were checked and verified by several reviews and studies by BIBM [Bangladesh Institute of Bank Management] on the local banking sector.

Under the hi-tech banking system, ATMs (automated teller machines), POS terminals (point-of-sale terminals), mobile banking and internet banking are becoming popular among clients who want to save time and avoid traffic congestion in the city.

The BB’s infrastructure includes an automated clearing house system (ACHS) and electronic fund transfer (EFT) with an instant verification system.

With growing concerns, a BIBM study made many recommendations to enhance IT security as the country’s economy expands over the years.

Local banks use security software imported from India and even hire manpower from the neighbouring country and beyond. Some banks also outsource IT operations and security. All these constitute great security risks.

The BIBM recommendations included the use of proper core banking solutions (CBS), document management system, business intelligence software and e-banking solutions to avoid risks.

Its study on IT operations of banks recommended last December that the BB form a committee that meets once a year to review IT operations, security and the financial sector’s needs, as IT is always developing and hackers keep finding new ways to evade controls.

In Bangladesh, some local entrepreneurs produced IT security software for banks, but most lost market share because of weak security features.

Local software includes Bexibank, Florabank, PCbank, Infinity, Kranti, Ababil, A to Z and Stellar.

The BIBM study shows that 53 per cent of banks here depend on foreign software, 28 per cent use local software, 16 per cent use in-house software and 3 per cent use software produced through a joint venture.

In Bangladesh, some 56 banks are in commercial operations, 10 of them foreign banks. Foreign banks use their respective software.

The only three local banks using their own (in-house) software are Islami Bank Bangladesh, Pubali Bank and Uttara Bank.

The study said the BB trained its manpower in IT at home and abroad and handed out a private notebook computer for professional use. But local banks are averse to spending much money on developing the IT skills of their manpower.

Source: the Daily Sun