SWIFT screwed up.
That's the takeaway from a new report into the information security practices of SWIFT, which alleges that the organization overlooked serious concerns relating to smaller banks' security and the risks they posed to the health of its entire network.
More than 11,000 institutions in over 200 countries move money using the messaging system maintained by Brussels-based, bank-owned cooperative SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication.
The report by the news service Reuters follows hackers' attempt in February to steal $1 billion from the central bank of Bangladesh's account at the Federal Reserve Bank of New York by hacking into the bank's Alliance Access software, which was supplied by SWIFT for accessing its central network. With the aid of malware, attackers began issuing fraudulent SWIFT messages and ultimately stole $81 million from the bank.
The theft triggered vigorous finger-pointing between Bangladesh Bank and both SWIFT and the New York Fed over who was responsible for the heist. Bangladesh Bank blamed SWIFT in particular for a botched system upgrade that it claimed had left its systems vulnerable to attackers - a claim that SWIFT denied.
According to the Reuters report, all three were at least partially to blame (see Report: New York Fed Fumbled Cyber-Heist Response). Regardless of who was at fault, the heist created a public relations nightmare for SWIFT, prompting questions over its ability to ensure not just the security but also the authenticity of the money-moving messages it handles, as well as the security-related guidance it issued to customers (see Officials in Several Nations Probe SWIFT Security).
SWIFT didn't immediately respond to a request for comment on the report.
Security Was Overlooked
The new report, based on interviews with more than a dozen senior-level SWIFT managers and board members, details how SWIFT apparently failed to proactively eliminate known vulnerabilities relating to how its smaller banking customers use its messaging terminals. Furthermore, according to the report, in 17 years of annual reports and strategic plans, SWIFT never mentioned security once, except for its 2015 annual report that was issued after the Bangladesh Bank heist, in which it said that it would be helping "our community to strengthen their own infrastructure."
SWIFT's management didn't appear to immediately grasp the severity of the security problem facing the organization in the wake of the Bangladesh Bank hack. In particular, SWIFT first focused on urging banks to review their security policies and procedures. "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," read a copy of a letter SWIFT sent to customers, dated May 3 (see SWIFT to Banks: Get Your Security Act Together).
The new report provides substantial evidence that since the 1990s, when many smaller banks in emerging markets began using SWIFT, the organization failed to take into account that their security practices would not be the same as those of the larger institutions that helped found SWIFT. SWIFT's board continues to be dominated by executives from Western banks such as BNP Paribas, Deutsche Bank, Citigroup, J.P. Morgan and UBS.
"The board took their eye off the ball," Leonard Schrank, who was CEO of SWIFT from 1992 to 2007, told Reuters. He also suggested that SWIFT's board often lacked a big-picture perspective. "Generally the SWIFT board, with very few exceptions, are back-office payments people, middle to senior management," he said.
Bank Security: Regulators' Responsibility
Former SWIFT board member Arthur Cousins tells Reuters that the organization believed that bank regulators were responsible for ensuring the security of small banks' systems.
SWIFT apparently also failed to track fraud related to its messaging network. Security experts say that there may have been more than a dozen similar attacks prior to the Bangladesh Bank incident. Those included the theft of $12.2 million from Ecuador's Banco del Austro in January 2015, as well as an attempt to steal $1.4 million from Vietnam's TPBank in the fourth quarter of 2015.
SWIFT told me earlier this year that it only learned of the attacks following the Bangladesh Bank heist.
In Progress: Security Overhaul
Since then, however, SWIFT appears to have begun moving quickly to tackle security-related weaknesses in its systems and processes. In the wake of the heists, Gottfried Leibbrandt, SWIFT's CEO since 2012, launched a new customer security program (see SWIFT Promises Security Overhaul, Fraud Detection). He predicted that the Bangladesh Bank heist "will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh."
In July, together with cybersecurity firms BAE Systems and Fox-IT, SWIFT launched a new digital forensics and customer security intelligence team (see SWIFT to Banks: Who You Gonna Call?).
SWIFT's latest customer security communication, released this week, says that it's highlighting how its Relationship Management Application can be used to filter messages "to ensure that message traffic is only permitted with trusted parties" as well as to revoke communications with any organization, for example, in cases of suspected fraud. SWIFT says it's also made two-factor authentication easier to use in its Alliance Access and Alliance Web Platform products, issuing mandatory updates that better "suit smaller and medium-sized customers and also introduce stronger default password management and enhanced integrity-checking features."
Leibbrandt says funding for the projects, as well as for ongoing security improvements, has been earmarked by SWIFT's board. "Hindsight is always a wonderful thing," he tells Reuters. "Sometimes it takes a crisis to change things."