Cheap Switches and no Firewall Exposed Bangladesh Bank to Hackers

An investigator into one of the world’s biggest cyber heists said that Bangladesh’s central bank was vulnerable to hackers because it used second-hand, $10 switches to network computers connected to the SWIFT global payment network and did not have a firewall.

Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department, said the shortcomings made it easier for hackers to break into the system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials.

“It could be difficult to hack if there was a firewall,” Alam said.

It is difficult for investigators to figure out what the hackers did and where they might have been based due to the lack of sophisticated switches, which can cost several hundred dollars or more, he added. The institute Alam heads includes a cyber crime division.

Alam said in an interview that the police believe both the bank and SWIFT should take the blame for the oversight.

“It was their responsibility to point it out but we haven’t found any evidence that they advised before the heist,” he said, referring to SWIFT.

A spokeswoman for Brussels-based SWIFT declined comment.

SWIFT has previously said its core messaging services were not compromised and that the attack was related to an internal operational issue at Bangladesh Bank.

It was only after SWIFT system engineers from Malaysia visited after the heist that its officials advised the bank to upgrade the switches, a spokesman for Bangladesh Bank said.

“There might have been a deficiency in the system in the SWIFT room. Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system,” said the spokesman, Subhankar Saha, confirming that the switch was old and needed to be upgraded.

In early February, cyber criminals tried to make fraudulent transfers totalling $951 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York after having broken into the bank’s systems.

While most of the payments were blocked, $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.

The hackers misspelled the name of the firm, raising a red flag at the routing bank which resulted in a reversal of another $20 million which was sent to a company in Sri Lanka.

The heist has turned into a global whodunit and has sent alarm bells ringing across the global financial system about cyber security.

Bangladesh police said earlier this week that the hackers appear to be people who received some of the payments rather than those who initially stole the money and said that they had identified 20 foreigners involved in the heist. There is no clue to the identity of the hackers or who was behind the plot.

(Adapted from Reuters)
