Since the heist became public knowledge through media reports in the Philippines, nearly a month after it happened, two theories have been suggested to explain how the thieves managed to send the New York Fed 35 properly authenticated SWIFT transfer orders. (The Fed executed five, leading to a transfer out of Bangladesh Bank accounts of $101m to the Philippines and Sri Lanka; officials have been able to claw back $20m from the latter.)The first holds that it was possible to hack into the SWIFT systems at Bangladesh Bank and issue transfer orders without the physical presence of a person inside the central bank. Few find this credible. If it turns out to be possible, it would be worrying for the global payments system: SWIFT covers half of all big cross-border transfers. To issue transfer orders via SWIFT, tight security protocols must be followed, including possession of a physical key (a so-called dongle) to authorise transfer orders, long

The first holds that it was possible to hack into the SWIFT systems at Bangladesh Bank and issue transfer orders without the physical presence of a person inside the central bank. Few find this credible. If it turns out to be possible, it would be worrying for the global payments system: SWIFT covers half of all big cross-border transfers. To issue transfer orders via SWIFT, tight security protocols must be followed, including possession of a physical key (a so-called dongle) to authorise transfer orders, long passwords and biometric access control.

The other view—not favoured by the finance ministry or Bangladesh Bank—holds that physical presence at the SWIFT terminals within Bangladesh Bank was required to issue the transfer orders and that the heist must therefore have been at least partly an inside job: a collaboration of hackers and central-bank employees or other individuals who had access to the central bank’s terminals.

Source: Failure to publish a report stokes a bank-heist scandal | The Economist