As the Central Bank of Bangladesh threatens to sue the Federal Reserve Bank of New York over at least $80 million stolen from its account there, the Fed says the Society for Worldwide Interbank Financial Telecommunication (Swift) is to blame.
On Feb. 4 and 5, hackers broke into the Central Bank of Bangladesh's servers and stole its credentials for Swift payment transfers, two Bangladesh bank officials told the New York Post.
On Feb. 5, the hackers used those credentials to wire money from the bank's account at the New York Fed to accounts in the Philippines and Sri Lanka, Agence France-Press reported.
The New York Fed did not deny that the theft happened, but said its systems weren't breached.
"To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised," a spokesperson said. "The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate."
Swift and the Central Bank of Bangladesh did not respond to requests for an interview. (It was midnight in Bangladesh at deadline.)
"Swift does not comment on individual users or messages, but can confirm it is in contact with the parties concerned," the organization said in a statement cited by Reuters and Fortune.
"Messages sent over Swift are authenticated between sending and receiving institutions. There is no indication that our network has been compromised," it said.
Sending a message through the Swift system generally requires an identification number, an account number, and a password. Swift reviews and verifies the message for completeness. If no second factor of authentication was required for the Central Bank of Bangladesh's transactions, then the hackers could meet Swift's requirements by using the information they stole from the Bangladesh bank.
The New York Fed did see signs of unusual activity after the fact -- Bangladeshi officials told Reuters that the unusually high number of payment instructions and the transfer requests to private entities, rather than other banks, made the Fed suspicious and that it alerted the Bangladesh bank. But its fraud detection systems did not catch the transactions before they went through.
In an interesting wrinkle in this case, Reuters reported that one of the hackers' attempts to steal from the Bangladesh Bank was foiled due to a misspelling.
While four requests to transfer a total of $81 million to the Philippines went through, a fifth, for $20 million, to a Sri Lankan non-profit organization, got held up because the hackers misspelled the name of the organization, Reuters reported. Instead of "foundation," the hackers typed "fandation." This prompted a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction.