Bangladesh bank in $81m cyber robbery 'had no IT security'

No firewall and only second-hand $10 switches between payments system and the internet

The $81m (£60m) cyber heist that hit the Central Bank of Bangladesh in February has been blamed on almost non-existent IT security.

According to investigators, the bank had not even installed a firewall and used second-hand switches bought for $10 to network computers connected to the SWIFT global payments system.

The bank's catastrophically inept IT security made it easy for hackers to break into the organisation and arrange the heist, and it has also made it difficult for investigators to find out where the hackers might have come from and exactly how they executed the robbery.

"It could be difficult to hack if there was a firewall," Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, told Reuters.

Tom Kellermann, a former member of the World Bank security team, added that the security shortcomings described by Alam were "egregious", but suggested that "a handful" of central banks in developing countries were equally insecure.

SWIFT, meanwhile, says that its core messaging services - used by banks around the world to transfer funds - were not compromised. While many organisations audit their suppliers to make sure their IT security is adequate, police in Bangladesh claim that SWIFT IT specialists visited the bank to examine its security only after the heist had taken place.

It is not clear whether the bank's security was intentionally bad or whether equipment that should have secured the organisation's network, including its payments systems, had been stolen.

It is not uncommon in countries where corruption is endemic for funds allocated to investment to be pilfered, or for new equipment simply to be walked out of the office - often by senior management lining their own pockets.

The Central Bank of Bangladesh was hit in February when attackers broke into its systems and set up a series of fraudulent transfers totalling $951m from its account with the US Federal Reserve Bank of New York to accounts controlled by the fraudsters.

However, a glaring spelling mistake in one of the payments by Deutsche Bank, one of the correspondent banks involved in the transfer, led to the transfers being stopped after $101m had been transferred, with only $20m traced and returned.

The security breach arguably makes it one of the top 10 biggest cyber security blunders of all time - even if the thieves got away with "only" $81m and not the $951m they had been trying to steal.

Security is a key element in the Internet of Things. Find out how it fits in at Computing's Internet of Things Business Summit 2016 in May. Attendance is FREE to qualifying end users. Register now.