Nirav Modi Scam: How to game an age-old banking system for $1.6 billion

  • The Nirav Modi scam is technology vs human ingenuity.
  • It's not a cybercrime, but it's certainly a bank heist.
  • Bankers and Modi's staff misused the SWIFT system to build a $1.6 billion scam.
Technology is only as strong as the humans using it. That pretty much sums up the Nirav Modi scam that came to light last week. The parties involved misused the Society for Worldwide Interbank Financial Telecommunication (SWIFT) money transfer system and their personal positions within Punjab National Bank to build a $1.6 billion (or more) scam.

At its core, the Nirav Modi scam is a hack, though it can't really be labeled as cybercrime. Gokulnath Shetty, deputy branch manager at a PNB branch in South Mumbai, had the passwords required to log into the SWIFT system. That allowed him to effectively game the system in favour of Modi's firms.

But what is SWIFT? And how is a password enough to send $1.6 billion down the drain?

The anatomy of a bank heist

When money is transferred overseas, the bank informs its country's treasury. That treasury then informs the other country's treasury, which in turn tells the bank in that country to transfer the funds. But, as powerful as the treasury is, it cannot do so without a branch manager's consent. The branch manager in question is the one at the bank branch that originally received the transfer request. This consent is issued through SWIFT messages.

You could call it the world's most powerful messaging system. SWIFT is an inter-bank messaging system that doesn't transfer any money but informs banks around the world that loans or fund transfers have been authorised. SWIFT messages are sent in set formats and hold information relevant to a particular transfer.

In the Nirav Modi scam, the Letters of Understanding (LoU) in question were issued through SWIFT. Unlike the $81 million Bangladesh Bank hack of 2016, there was no malware involved in this case. The malware here were humans, armed with passwords.

A CBI source told The Wire: "Modi's staff were logging into the SWIFT system using passwords of PNB officials, including Shetty, in the capacity of verifier/authoriser and enabling the fraudulent SWIFT messages."

What this means is that the accused were issuing and approving the consent of their own accord.

Core Banking System (CBS)

But there's a failsafe for that as well. Consents issued via SWIFT are eventually supposed to tie in with a bank's core system, the technology that allows various bank branches to inter-operate. The Core Banking System and the SWIFT system are separate, so SWIFT messages have to be entered into the CBS manually.

This is where PNB's oversight comes into the picture. An LoU issued via the SWIFT system is supposed to be manually entered into the CBS at some point. Somehow, no one did that, and no one asked either. The result? $1.6 billion or more in the hands of diamond sellers.
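
The control that was missing here is a reconciliation between the SWIFT message log and the CBS. The Python below is an added example, not code from the article or from any bank's systems: it flags issued messages that have no matching CBS entry, whose booked amount differs, or that were created and verified under the same login. The record layouts, field names and sample data are constructed for illustration and are not real SWIFT or CBS formats.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SwiftMessage:   # hypothetical log record, not a real SWIFT message format
    ref: str
    currency: str
    amount: Decimal
    creator: str      # login that drafted the message
    verifier: str     # login that verified/authorised it

@dataclass(frozen=True)
class CbsEntry:       # hypothetical core-banking ledger row
    swift_ref: str
    currency: str
    amount: Decimal

def reconcile(messages, cbs_entries):
    """Return {ref: [findings]} for every SWIFT message that fails a check."""
    booked = {e.swift_ref: e for e in cbs_entries}
    findings = {}
    for m in messages:
        issues = []
        entry = booked.get(m.ref)
        if entry is None:
            # Consent went out over SWIFT but was never entered into the CBS.
            issues.append("no CBS entry")
        elif (entry.currency, entry.amount) != (m.currency, m.amount):
            issues.append("CBS amount mismatch")
        if m.creator == m.verifier:
            # One login both drafted and approved the message.
            issues.append("creator is also verifier")
        if issues:
            findings[m.ref] = issues
    return findings

# Constructed sample data
SAMPLE_MESSAGES = [
    SwiftMessage("LOU-0001", "USD", Decimal("1000000.00"), "op_a", "op_b"),
    SwiftMessage("LOU-0002", "USD", Decimal("2500000.00"), "op_a", "op_a"),
    SwiftMessage("LOU-0003", "USD", Decimal("500000.00"), "op_c", "op_b"),
    SwiftMessage("LOU-0004", "USD", Decimal("750000.00"), "op_c", "op_b"),
]
SAMPLE_CBS = [
    CbsEntry("LOU-0001", "USD", Decimal("1000000.00")),
    CbsEntry("LOU-0003", "USD", Decimal("50000.00")),
]

if __name__ == "__main__":
    for ref, issues in reconcile(SAMPLE_MESSAGES, SAMPLE_CBS).items():
        print(ref, "->", ", ".join(issues))
```

The same-login check only catches the simplest case; when different officials' passwords are shared, as the CBI source describes, the unmatched-entry check is the one that still fires.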
