DHAKA (Reuters) - Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said.

The shortcomings made it easier for hackers to break into the system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.

"It could be difficult to hack if there was a firewall," Alam said.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added. The institute Alam heads includes a cyber crime division.

The police believe both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.

"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," he said, referring to SWIFT.

A spokeswoman for Brussels-based SWIFT declined comment.

SWIFT has previously said the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised.

A spokesman for Bangladesh Bank said SWIFT officials advised the bank to upgrade the switches only when their system engineers from Malaysia visited after the heist.

"There might have been a deficiency in the system in the SWIFT room," said the spokesman, Subhankar Saha, confirming that the switch was old and needed to be upgraded.

"Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system," Saha said.

Cyber criminals broke into the bank's systems and tried to make fraudulent transfers totalling $951 million from its account at the Federal Reserve Bank of New York in early February.

Most of the payments were blocked but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.

Another $20 million was sent to a company in Sri Lanka but the transfer was reversed because the hackers misspelled the name of the firm, raising a red flag at the routing bank.

The heist, which sent alarm bells ringing across the global financial system about cyber security, has turned into a global whodunit.

    Bangladesh police said earlier this week it has identified 20 foreigners involved in the heist but they appear to be people who received some of the payments rather than those who initially stole the money. There is no clue to the identity of the hackers or who was behind the plot.