As the Central Bank of Bangladesh threatens to sue the Federal Reserve Bank of New York over at least $80 million stolen from its account there, the Fed says its systems were not compromised.
On Feb. 4 and 5, hackers broke into the Central Bank of Bangladesh's servers and stole its credentials for Swift payment transfers, two Bangladesh bank officials told the New York Post.
On Feb. 5, the hackers used those credentials to wire money from the bank's account at the New York Fed to accounts in the Philippines and Sri Lanka, Agence France-Press reported.
The New York Fed did not deny that the theft happened, but said its systems weren't breached.
"To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised," a spokesperson said. "The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate."
Swift and the Central Bank of Bangladesh did not respond to requests for an interview. (It was midnight in Bangladesh at deadline.)
"Swift does not comment on individual users or messages, but can confirm it is in contact with the parties concerned," the organization said in a statement cited by Reuters and Fortune.
"Messages sent over Swift are authenticated between sending and receiving institutions. There is no indication that our network has been compromised," it said.
Access to the Swift messaging system requires credentials stored on dedicated hardware provided by the international organization. Additionally, individual operators working at Swift's member banks must access applications managed by their employers, which determine their own security settings.
The New York Fed did see signs of unusual activity after the fact — Bangladeshi officials told Reuters that the unusually high number of payment instructions and the transfer requests to private entities, rather than other banks, made the Fed suspicious and that it alerted the Bangladesh bank. But its fraud detection systems did not catch the transactions before they went through.
In an interesting wrinkle in this case, Reuters reported that one of the hackers' attempts to steal from the Bangladesh Bank was foiled due to a misspelling.
While four requests to transfer a total of $81 million to the Philippines went through, a fifth, for $20 million, to a Sri Lankan nonprofit organization, got held up because the hackers misspelled the name of the organization, Reuters reported. Instead of "foundation," the hackers typed "fandation." This prompted a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction.
Corrected March 15, 2016 at 5:18PM: An earlier version of this article misinterpreted a statement by the New York Fed. It was not blaming Swift for the theft, it was simply stating that the payment instructions passed the normal authentication process. Earlier versions of the article also included an incomplete description of Swift's authentication measures.