Undone by ‘Fandation’
The US $ 81 million bank heist in New York has raised
serious concerns about cyber security in Sri Lanka:
A concerted effort by at least six countries including Sri Lanka is
currently under way to unravel the Bangladeshi bank heist, as
international hackers succeeded in penetrating online banking systems
and got away with US $ 81 million from the most secured New York Federal
Reserve Bank recently.
The Financial Intelligence Unit (FIU) of Sri Lanka’s Central Bank, is
one of the many agencies looking into the case, while different entities
in Bangladesh, the US, Philippines, Belgium and China have joined in the
effort to unravel the mystery behind one of the world’s biggest bank
heists. According to the Wall Street Journal the US probe is led by the
Federal Bureau of Investigation (FBI).
The incident has sent shockwaves in the banking sector, as cyber
criminals stole Bangladeshi Bank’s credentials to penetrate highly
secured SWIFT messaging codes. They succeeded in stealing millions of
dollars in an account held by the Bangladeshi government in the Fed
Reserve, leaving the banking sector Goliaths to make rushed statements
to save face.
So far it has not been established as to where exactly the system had
been compromised, for hackers to enter the system. But the Federal
Reserve of New York denied any weakness in their system claiming that
they received fully authenticated transfer requests from the Bangladeshi
Central Bank. The Belgium based SWIFT also in a release said, they were
trying to fix an ‘internal operational matter’ at the Bangladeshi
The Bangladeshi Finance Minister Abul Maal Muhith had threatened to
sue the Federal Reserve over the transactions.
A Sri Lankan Central Bank official said they were deeply concerned
about the possibility of cyber attacks, adding, however, that they were
constantly taking precautions to secure the system.
Central Bank’s Director Communications, Ms.S.H.Gunawardena said the
FIU was conducting an investigation into the case, therefore, she was
unable to divulge further information at this point.Sri Lanka’s name
transpired in the major scam, when the hackers apparently used a bank
account of a Sri Lankan registered NGO, Shalika Foundation to transfer
US $20 million of their intended US $ 1 billion. A typographical error
that mis-spelt the word ‘Foundation’ as ‘Fandation’, alerted a Sri
Lankan teller to withhold the unusual transaction and consult his
The UK’s Independent said Pan Asia Bank which received the
transaction initially, consulted a routing bank, Deutsche Bank for
verification and learnt that it was a suspicious transaction.
The Bangladeshi media reported that the heist could also have been
avoided if not for a faulty printer in their Central Bank. The printer
which is programmed to print all SWIFT wire transactions was out of
order on the day the cyber attack took place. The hackers sent over 30
transaction requests to the Federal Reserve and these questionable
transactions could have been spotted if they were picked up by the
printer earlier on.
Reputed Sri Lankan Banker, Rienzie Wijetilleke said the whole world
has become more dishonest and the challenges facing the banking sector
transforms at an alarming pace in a world full of technological marvels.
He said there is no question of Sri Lanka’s banking sector being
geared to face the challenge of cyber attacks, but the problem is, we
are not geared to face such a huge loss if things go awfully awry.
Wijetilleke said the financial sector today works on trust. Likewise,
he said, the danger of young people using their ‘smartness’ to work
outside territories of authority is much more than what it was a few
years ago, in an obvious implication that he suspected inside
collaboration in the cyber attack on the Bangladeshi bank.
“It is up to each banking organisation and monetary institution to
cushion themselves against possible undue access to the system and
information, beyond what each and every individual who is working for
the organisation are permitted,” he stressed.
In the aftermath of the incident implicating a Sri Lankan non-profit,
Registrar, NGO Secretariat Ranjith Wimalasuriya said they were currently
identifying functioning and dormant non profit organisations in the
country to streamline the NGO sector.
He said given that this particular NGO Shalika Foundation had only
registered itself with the Registrar of Companies and was allowed to
open bank accounts and allegedly make dubious monetary transactions, the
necessity to review the procedures have been felt even more.
“We actually began a survey at the end of last year, with a view to
putting this sector in order.” He said the survey actually began before
this particular case surfaced in February. The survey will strive to
find active and inactive organisations, those which lack NGO
Ssecretariat certification and the types of operations carried out.
Currently the NGO Secretariat does not hold any information as to who
is doing what. Shockingly, non profit organisations can carry on without
the knowledge of the NGO Secretariat. “We want to regulate this faulty
system,” he said.
Currently a non profit organisation – a charity or a voluntary social
service organisation- can be registered with the Registrar of Companies
and begin operations of their choice without facing any scrutiny,
financial or otherwise. In contrast, the laws vested with the NGO
Secretariat, are tougher and applicants face scrutiny.
For instance, to open an NGO in Sri Lanka, it must have a local
contact person, but a company can be registered by foreigners without
many questions being asked.
The Secretariat is looking into the possibility of prohibiting the
registration of non profit organisations with the Registrar of
Companies. It will also be mandatory to produce the certificate by the
Secretariat to open a bank account and facilitate financial
However, the Shalika Foundation in its statement to the FIU denied
any knowledge of the transaction or of an outside well-wisher who could
have transferred the money. The organisation is registered under a
An expert said the hackers may have chosen the Sri Lankan charity as
a scapegoat, with the intention of moving the money later to their own
account. Chief Operating Officer of Cyber Security firm, TechCert,
Dileepa Lathsara said the local banking sector today was relatively
strong against such cyber attacks because they have been building
defences due to past experience.
But, he said, mobile applications posed a threat and this is an area
that banking institutions must pay more attention. “We have identified
some threats but the competitiveness-driven sector is slow in their
He said many Sri Lankan banks do not have digital forensic enabled
systems to keep track of user IDs and this was a major concern.
Hacker News said the malware used by the attackers in the Fed Reserve
heist could be a potential Remote Access Trojan (RAT) which gave them
control to the Bangladeshi bank’s computer to spy how money was
processed, sent and received. Then the stolen Central Bank’s credentials
would have been used to make the transfer requests to the Fed Reserve.
The Bangladeshi officials claim that they have recovered most of the
US $ 81 million transferred to casinos in the Philippines.
This particular story may have ended on a positive note for the cyber
thieves, but thanks to a vigilant teller it was not so. Nevertheless,
the threat is there and the question is, how long can our banks keep the
hackers at bay and safe keep their customer’s hard-earned money.