Bangladeshi police and a bank official alleged that technicians from SWIFT, the global financial network, connected a new bank transaction system to SWIFT messaging three months before a $81 million cyber heist which left the Bangladesh’s central bank more vulnerable, reports the Reuters.

Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police who is leading the probe into one of the biggest cyber-heists in the world said that the technicians introduced the vulnerabilities when they connected SWIFT to Bangladesh’s first real-time gross settlement (RTGS) system.

“We found a lot of loopholes. The changes caused much more risk for Bangladesh Bank,” Alam said in an interview in Dhaka. The SWIFT employees made missteps in connecting the RTGS to the central bank’s messaging platform, said Alam and a senior central bank official.

According to the Bangladesh Bank official who did not want to be named alleged that the SWIFT technicians did not appear to have followed their own procedures to ensure the system was secure.

Police said that remote access with only a simple password to the Bangladesh’s central bank was possible after the lapse by the SWIFT technicians making SWIFT messaging at the central bank widely accessible. There was only a rudimentary switch and it had no firewalls.

“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” said the bank official.

There were no comments made to the allegations by authorities in Bangladesh by SWIFT’s chief spokeswoman Natasha de Teran, Reuters reported.

Bangladesh Bank officials have said their governor and a lawyer appointed by the bank will discuss recovery of about $81 million stolen by the hackers with the head of the Federal Reserve Bank of New York and a senior executive from SWIFT at a meeting this week in Basel, Switzerland.

Some responsibility for the February cyber heist needs to be borne by SWIFT, and the New York Fed believes the Bangladesh Bank officials.

In October last year, Bangladesh Bank had installed the RTGS, which enables domestic banks and the central bank to settle large transfers between themselves, and then it was connected to SWIFT. Fraudulent messages, seeking to transfer nearly $1 billion from Bangladesh Bank’s account at the New York Fed, were sent by the hackers in February ostensibly from the central bank in Dhaka, on the SWIFT system to the New York Fed. About $81 million was sent to a bank in the Philippines and much of that money remains missing even as most of the transfers were blocked.

Noting that a large number of countries use SWIFT messaging for similar systems, a spokesman for Bangladesh Bank said that RTGS continued to work well.

“There is no inherent risk in this,” he said.

The same network where there is about 5,000 central bank computers that are accessible from the open Internet was the place where the technicians linked the RTGS to SWIFT computers, according to the Bangladeshi police. Police said that the connection should have been made to LAN that could not connect to the rest of the bank or the Internet.

(Adapted from Reuters)