Did New York Fed Miss Red Flags in $81 Million Bangladesh Bank Theft?

The blame game over who should be held responsible for the bank thefts via SWIFT continues. Ecuador's Banco del Austro (BDA) has already launched action against Wells Fargo for releasing $12 million to accounts largely in Hong Kong, claiming it failed to respond to red flags in the transactions. Bangladeshi officials have blamed both SWIFT (for not ensuring that a new SWIFT system at the bank was secure) and the New York Federal Reserve Bank (for ignoring red flags in the transactions) for Bangladesh Bank's loss of $81 million.

SWIFT has categorically denied any responsibility, and has launched a five-point plan to help its customers improve the security of their own systems. Wells Fargo has denied any responsibility and says it processed the instructions correctly. The New York Fed has said its clients, including Bangladesh Bank, and SWIFT have primary responsibility for preventing unauthorized transfers.

The problem is as old as computing itself. Wherever there is a problem involving two different systems, each has always tended to blame the other. This is a particularly difficult problem for high-value money transfers across the SWIFT network: not two, but three separate systems are involved. These are the requesting bank, the SWIFT network and the money-holding bank.

Now a new report from Reuters suggests that the Bangladesh Central Bank may have a point. The New York Fed received a total of 35 fraudulent transfer requests. It blocked all of them. "On the day of the theft in February, the New York Fed initially rejected 35 requests to transfer funds to various overseas accounts, a New York Fed official and a senior Bangladesh Bank official told Reuters."

The requests were incorrectly formatted and omitted the names of the receiving banks. Later the same day the hackers at Bangladesh Bank resubmitted all 35 transfer requests. This time they were correctly formatted, but the New York Fed still blocked 30 of them. Five were approved for a total of $101 million. One of these was subsequently reversed because of a spelling error, but the remaining four went through and resulted in the $81 million loss.

However, what Reuters describes as 'a source close to the bank' still has concerns. The four approved transfers contained anomalies that should have raised flags. "They were paid to individual recipients, a rarity for Bangladesh's central bank, and the false names on the four approved withdrawals also appeared on some of the 30 resubmitted requests rejected by the bank," reports Reuters.

None of the three parties would make an official statement to Reuters. "The New York Fed has said there were no problems with its procedures for approving SWIFT fund transfers, and declined to comment on whether it missed any warning signs." Questions must remain over why four transactions were allowed and 31 were refused, all on a second submission.

The fact remains, however, that Wells Fargo is already being sued for missing red flags. If the New York Fed, SWIFT and the Bangladesh Central Bank cannot come to a private agreement, that option now seems a possibility.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.