Nirav Modi Scam: How to game an age-old banking system for $1.6 billion
- The Nirav Modi
scamis technology vs human ingenuity.
- It's not a cybercrime, but it's certainly a bank heist.
- Bankers and Modi's staff misused the
SWIFTsystem to build a $1.6 billion scam.
At its core, the Nirav Modi scam is a hack, though it can't really be labeled as cybercrime.
But what is SWIFT? And how is a password enough to send $ 1.6 billion down the drain?
The anatomy of a bank heist
When money is transferred overseas, banks inform the same to the country's treasury. The treasury then informs another country's treasury, which in turn tells the bank in that other country to transfer the funds. But, as powerful as the treasury is, it cannot do so without a branch manager's consent. The branch manager in question here is the bank branch that originally got the transfer request. This consent (from the bank's branch manager) is issued through SWIFT messages.
You could call it the world's most powerful messaging system. SWIFT is an inter-bank messaging system that doesn't transfer any money but informs banks around the world that loans or fund transfers have been authorised. SWIFT messages are sent in set formats and hold information relevant to a particular transfer.
In the Nirav Modi scam, the Letters of Understanding (LoU) in question were issued through SWIFT. Unlike the $81 million Bangladesh Bank hack of 2016, there was no malware involved in this case. The malware here were humans, armed with passwords.
A CBI source told The Wire that - "Modi's staff were logging into the SWIFT system using passwords of PNB officials, including Shetty, in the capacity of verifier/authoriser and enabling the fraudulent SWIFT messages."
What this means is that the accused were issuing and approving the consent of their own accord.
Core Banking System (CBS)
But there's a failsafe for that as well. Consent issued via SWIFT are eventually supposed to tie in with a bank's core system. This is the technology allowing various bank branches to inter-operate. The Core Banking System and the SWIFT system are separate systems, requiring manual input for SWIFT messages into the CBS.
This is where PNB's oversight comes into the picture. A LoU issued via the SWIFT system is supposed to be manually entered into the CBS at some point. Somehow, no one did that, and no one asked either. The result? $ 1.6 billion or more in the hands of diamond sellers.
(Image courtesy: PTI)