The technicians introduced the vulnerabilities when they connected SWIFT to Bangladesh's first real-time gross settlement (RTGS) system, said Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police who is leading the probe into one of the biggest cyber-heists in the world.
"We found a lot of loopholes," Alam said in an interview in Dhaka. "The changes caused much more risk for Bangladesh Bank."
He and a senior central bank official said the SWIFT employees made missteps in connecting the RTGS to the central bank's messaging platform.
The technicians did not appear to have followed their own procedures to ensure the system was secure, according to the Bangladesh Bank official, who said he was not authorised to publicly comment because of the ongoing investigation.
Because of this, SWIFT messaging at the central bank was widely accessible, including remote access with only a simple password, police said. It had no firewalls and only a rudimentary switch.
"It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done," said the bank official.
SWIFT's chief spokeswoman Natasha de Teran said she had no comment on the allegations by authorities in Bangladesh. She also declined comment on any aspect of the Bangladesh project, including whether the firm had deployed any employees or outside contractors to Bangladesh Bank.
Reuters was not able to independently verify the allegations by Bangladeshi officials about the SWIFT technicians. If they are validated, however, that could undermine confidence in the cooperative that is the backbone of global financial transactions.
The officials in Dhaka discussed their findings with Reuters ahead of a meeting this week in Basel, Switzerland where Bangladesh Bank officials have said their governor and a lawyer appointed by the bank will discuss recovery of about $81 million stolen by the hackers with the head of the Federal Reserve Bank of New York and a senior executive from SWIFT.
Bangladesh Bank officials have said they believed SWIFT, and the New York Fed, bear some responsibility for the February cyber heist. SWIFT has declined comment on that claim.
"NO INHERENT RISK"
The RTGS, which enables domestic banks and the central bank to settle large transfers between themselves, was installed at Bangladesh Bank in October last year and then connected to SWIFT. In February, hackers sent fraudulent messages, ostensibly from the central bank in Dhaka, on the SWIFT system to the New York Fed seeking to transfer nearly $1 billion from Bangladesh Bank's account there.
Most of the transfers were blocked but about $81 million was sent to a bank in the Philippines and much of that money remains missing.
A spokesman for Bangladesh Bank declined comment on the investigation into the heist.
He said, however, that RTGS continued to work well, noting that a large number of countries use SWIFT messaging for similar systems. "There is no inherent risk in this," he said.
According to the Bangladeshi police, the technicians linked the RTGS to SWIFT computers on the same network as about 5,000 central bank computers that are accessible from the open Internet.
Instead, they should have set up a separate local area network, or LAN, that could not connect to the rest of the bank or the Internet, police said.
The technicians also failed to install a firewall between the RTGS and the SWIFT room so that the bank could block malicious traffic from coming into the facility.
When they installed a networking switch to control access to SWIFT, they chose to use a rudimentary old one they had found unused in the bank, rather than a more sophisticated, managed switch that gave the bank the ability to control access to the network, police said.
REMOTE ACCESS
During the job, the technicians set up a wireless connection so they could access computers in the locked SWIFT room from other offices inside the bank. When they finished, they failed to disconnect the remote access, which was only secured with a simple password, police and the bank official said.
They also failed to disable a USB port on the computer attached to the SWIFT system, as is usual for critical networks to prevent malicious software from being installed through a tainted thumb drive, police said.
Police did not provide any evidence for any of the assertions.
But another central bank official familiar with the SWIFT room operations confirmed that the port was "active" until the heist came to light. He had no explanation.
The hackers used malicious software to modify the SWIFT messaging software to help hide their tracks.
Bangladeshi police said they have asked SWIFT to facilitate interviews with the SWIFT technicians. "Whether it is intentional or negligence, we are trying to find out," said Alam.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is used by about 8,000 banks around the world to order funds transfers and other communications. It is connected to RTGS systems installed at scores of banks worldwide, and there have been no reports of problems elsewhere with connections between those two systems.
The U.S. FBI, which is leading investigations into the case, has made no comment so far.
New York Fed executive Richard Dzina said at a conference last week that bank workers "acted properly" in releasing the funds. The system was penetrated, he said, because the hackers had acquired valid credentials to order the transfers
Former central bank governor Mohammed Farashuddin, who is heading an internal probe by Bangladesh Bank into the heist, said SWIFT needed to review its technology in the wake of the heist.
"It seems to be a case of extreme carelessness," he told Reuters. He declined to provide more details saying a final report was due in the next few weeks.