Sunday Observer Online


Sunday, 20 March 2016






Undone by ‘Fandation’

The US $ 81 million bank heist in New York has raised serious concerns about cyber security in Sri Lanka:

A concerted effort by at least six countries including Sri Lanka is currently under way to unravel the Bangladeshi bank heist, as international hackers succeeded in penetrating online banking systems and got away with US $ 81 million from the most secured New York Federal Reserve Bank recently.

The Financial Intelligence Unit (FIU) of Sri Lanka’s Central Bank is one of the many agencies looking into the case, while different entities in Bangladesh, the US, Philippines, Belgium and China have joined in the effort to unravel the mystery behind one of the world’s biggest bank heists. According to the Wall Street Journal, the US probe is led by the Federal Bureau of Investigation (FBI).

Rushed statements

The incident has sent shockwaves in the banking sector, as cyber criminals stole Bangladeshi Bank’s credentials to penetrate highly secured SWIFT messaging codes. They succeeded in stealing millions of dollars in an account held by the Bangladeshi government in the Fed Reserve, leaving the banking sector Goliaths to make rushed statements to save face.

So far it has not been established where exactly the system was compromised to let the hackers in. But the Federal Reserve of New York denied any weakness in their system, claiming that they received fully authenticated transfer requests from the Bangladeshi Central Bank. The Belgium-based SWIFT also said in a release that they were trying to fix an ‘internal operational matter’ at the Bangladeshi Central Bank.

The Bangladeshi Finance Minister Abul Maal Muhith had threatened to sue the Federal Reserve over the transactions.

A Sri Lankan Central Bank official said they were deeply concerned about the possibility of cyber attacks, adding, however, that they were constantly taking precautions to secure the system.

Central Bank’s Director Communications, Ms. S. H. Gunawardena, said the FIU was conducting an investigation into the case and she was therefore unable to divulge further information at this point.

Sri Lanka’s name transpired in the major scam when the hackers apparently used a bank account of a Sri Lankan registered NGO, Shalika Foundation, to transfer US $20 million of their intended US $ 1 billion. A typographical error that misspelt the word ‘Foundation’ as ‘Fandation’ alerted a Sri Lankan teller to withhold the unusual transaction and consult his bosses.

The UK’s Independent said Pan Asia Bank, which received the transaction initially, consulted a routing bank, Deutsche Bank, for verification and learnt that it was a suspicious transaction.

Faulty printer

The Bangladeshi media reported that the heist could also have been avoided if not for a faulty printer in their Central Bank. The printer, which is programmed to print all SWIFT wire transactions, was out of order on the day the cyber attack took place. The hackers sent over 30 transaction requests to the Federal Reserve and these questionable transactions could have been spotted if they were picked up by the printer earlier on.

Reputed Sri Lankan banker Rienzie Wijetilleke said the whole world has become more dishonest and the challenges facing the banking sector transform at an alarming pace in a world full of technological marvels.

He said there is no question of Sri Lanka’s banking sector being geared to face the challenge of cyber attacks, but the problem is, we are not geared to face such a huge loss if things go awfully awry.

Wijetilleke said the financial sector today works on trust. Likewise, he said, the danger of young people using their ‘smartness’ to work outside territories of authority is much more than what it was a few years ago, in an obvious implication that he suspected inside collaboration in the cyber attack on the Bangladeshi bank.

“It is up to each banking organisation and monetary institution to cushion themselves against possible undue access to the system and information, beyond what each and every individual who is working for the organisation is permitted,” he stressed.


In the aftermath of the incident implicating a Sri Lankan non-profit, Registrar, NGO Secretariat, Ranjith Wimalasuriya said they were currently identifying functioning and dormant non-profit organisations in the country to streamline the NGO sector.

He said given that this particular NGO, Shalika Foundation, had only registered itself with the Registrar of Companies and was allowed to open bank accounts and allegedly make dubious monetary transactions, the necessity to review the procedures has been felt even more.

“We actually began a survey at the end of last year, with a view to putting this sector in order.” He said the survey actually began before this particular case surfaced in February. The survey will strive to find active and inactive organisations, those which lack NGO Secretariat certification and the types of operations carried out.

Currently the NGO Secretariat does not hold any information as to who is doing what. Shockingly, non profit organisations can carry on without the knowledge of the NGO Secretariat. “We want to regulate this faulty system,” he said.

Currently a non-profit organisation – a charity or a voluntary social service organisation – can be registered with the Registrar of Companies and begin operations of their choice without facing any scrutiny, financial or otherwise. In contrast, the laws vested with the NGO Secretariat are tougher and applicants face scrutiny.

For instance, to open an NGO in Sri Lanka, it must have a local contact person, but a company can be registered by foreigners without many questions being asked.

The Secretariat is looking into the possibility of prohibiting the registration of non profit organisations with the Registrar of Companies. It will also be mandatory to produce the certificate by the Secretariat to open a bank account and facilitate financial transactions.

However, the Shalika Foundation in its statement to the FIU denied any knowledge of the transaction or of an outside well-wisher who could have transferred the money. The organisation is registered under a woman’s name.

An expert said the hackers may have chosen the Sri Lankan charity as a scapegoat, with the intention of moving the money later to their own account. Chief Operating Officer of cyber security firm TechCert, Dileepa Lathsara, said the local banking sector today was relatively strong against such cyber attacks because they have been building defences due to past experience.

But, he said, mobile applications posed a threat and this is an area to which banking institutions must pay more attention. “We have identified some threats but the competitiveness-driven sector is slow in their response.”

He said many Sri Lankan banks do not have digital forensic enabled systems to keep track of user IDs and this was a major concern.

Cyber thieves

Hacker News said the malware used by the attackers in the Fed Reserve heist could be a potential Remote Access Trojan (RAT) which gave them control of the Bangladeshi bank’s computer to spy on how money was processed, sent and received. Then the stolen Central Bank’s credentials would have been used to make the transfer requests to the Fed Reserve.

The Bangladeshi officials claim that they have recovered most of the US $ 81 million transferred to casinos in the Philippines.

This particular story may have ended on a positive note for the cyber thieves, but thanks to a vigilant teller it was not so. Nevertheless, the threat is there and the question is, how long can our banks keep the hackers at bay and keep their customers’ hard-earned money safe?




Produced by Lake House Copyright © 2016 The Associated Newspapers of Ceylon Ltd.
