Philippine banks must strengthen their cyber security to avoid the recurrence of illegal fund transfer or money laundering, a global security strategist said Wednesday.
“These sort of things have been happening for a long time now. Transferring money to offshore account is one thing. But [banks] need to secure from the inside out. Traditionally, security has been focused on the outside, keeping hackers out of the systems,” Derek Manky, a global security strategist at Fortinet Inc. told reporters at Makati Shangri-La Hotel.
“What about the insider threat? If you have proper protection, you can quarantine threats...so that the attacker cannot even communicate,” he said.
Manky said the alleged attempt to transfer nearly $1 billion from Bangladesh’s central bank to banks in the Philippines and Sri Lanka would have not have happened without a middleman or an inside person.
“I would not be quick to conclude that these are hackers. It could be an inside job,” he said. “People were quick to attribute that to Russia or China. We don’t know. The case of malicious code planted in cyber network, that could be used to transfer money out. That is case No. 1. The other case is insider job.”
Jeff Castillo, country manager of Fortinet Philippines, said technology alone was not enough to execute a multi-million-dollar theft. “It always involved a person... a middleman,” he said.
Bangladesh’s central bank discovered questionable transactions that sent the bank racing to stop cash from leaving its account with the Federal Reserve Bank of New York to the Philippines, Sri Lanka and beyond.
The case has prompted central banks around the globe to examine cyber security measures. It has also led to the resignation of Bangladesh’s central bank governor and put money laundering in the Philippines under scrutiny.
Bangladesh Bank then frantically sent stop payment orders via the SWIFT system to the Federal Reserve Bank of New York, Rizal Commercial Banking Corp., Bank of New York Mellon, Citigroup Inc., Wells Fargo & Co. and Pan Asian Banking Corp. in Sri Lanka.
Zubair Bin Huda, a joint director at Bangladesh’s central bank said in the complaint that $81 million was sent to Rizal Bank via four messages and $20 million to Pan Asia Banking via one message—all from the Federal Reserve Bank of New York. Another $850 million in transactions were halted.
On request from Bangladesh Bank, Pan Asia Banking canceled the payment of $20 million to its beneficiary and routed the funds back to Bangladesh’s account with the Fed in New York. But the $81 million that entered the Philippine banking system was credited to beneficiary accounts with Rizal Bank and eventually withdrawn.
The $20-million transfer to Pan Asia Banking raised alarms because of its size and a typo in the beneficiary’s name, according to Nalaka Wijayawardana, deputy general manager of marketing at the bank. Pan Asia Banking then remitted the funds back to Bangladesh Bank’s account in New York via Deutsche Bank around Feb. 17, he said.
“We cannot divulge the beneficiary due to confidentiality policy, but we will support any investigation,” Wijayawardana said.
Most of the $81 million in the Philippines is missing. Maia Santos Deguito, the manager at Rizal Bank’s branch in the Philippine financial district accused of allowing the withdrawal of the funds, invoked her right against self-incrimination in a hearing on Tuesday. With Bloomberg