More SWIFT-Related Fraud Revealed: How Banks Must Respond
Banks in Russia and India Lose Millions in Latest Incidents
In the wake of the news of fraudulent transactions in India and Russia that leveraged the SWIFT interbank messaging platform, security experts are advising banks to be more vigilant and to take certain security steps, including moving to end-to-end remittance transactions via blockchain and requiring multiple authenticators.
Some $6 million was stolen in a SWIFT-related attack against a Russian bank last year, authorities announced Friday.
Meanwhile, India's City Union Bank announced on Saturday that it had blocked two of three fraudulent SWIFT transactions that potentially could have totaled nearly $2 million.
The small Indian bank, with just $460 million in assets as of 2016, blocked one of the fraudulent SWIFT transactions on its end, while the second was blocked at the receiving bank's end, says N. Kamakodi, the bank's managing director and CEO, in a statement. The third fraudulent transaction for $1 million, however, went through.
The bank says its incident is unrelated to the recent fraud reported at Punjab National Bank. "The incident in our bank is because of a cyberattack initiated by international cybercriminals, and there is no evidence of internal staff involvement," Kamakodi says.
"Our reconciliation system is very robust; we could identify those transactions and immediately contacted the respective bankers," he says. "Wherever the money was with the bank, we could trace it, and wherever the money had gotten credited to the customers' accounts, we had to take the legal steps and that is how we could almost retrieve or block two of the three transactions. And one payment which went to China is under litigation."
Earlier SWIFT-Related Attacks
Back in February 2016, attackers stole $81 million from Bangladesh Bank via fraudulent SWIFT transactions that targeted its account at the Federal Reserve Bank of New York. Four months later, Union Bank of India was attacked in a similar manner, losing $171 million (see: Interbank Payments: Attackers' New Target).
"It has been identified more than once that the vulnerability is due to the SWIFT customer network and not directly due to the gaps in the SWIFT network," says Rajanikath B, executive director, IARM Information Security, an information solutions provider.
SWIFT maintains that its network was never hacked. But the company responded to the Bangladesh Bank heist by increasing its security investments, including hiring a CISO and numerous additional information security staff, refining its information security guidance, maintaining a 24/7 operations center to respond to incidents and regularly testing its processes and procedures (see: Security Investments Consume SWIFT's Profits).
What Happened?
It's not yet clear what led to the City Union Bank incidents. But some security practitioners say attackers might have taken advantage of security gaps.
"This is especially true if unpatched or end-of-life switches or routers are used through which SWIFT messages' network traffic gets transmitted to the other end of the SWIFT network," says Rohan Vibhandik, a Pune-based cybersecurity researcher working for a global company.
Hackers may have compromised the infrastructure used by the targeted banks with the aim of obtaining credentials of operators who are authorized to initiate and approve monetary transactions in the SWIFT network, Vibhandik says. "Then the attackers might have used the fake identities with associated bank account numbers spread globally to receive the fraudulent remittance on behalf of people whose credentials have been unlawfully obtained," he says.
After the Bangladesh Bank heist, SWIFT directed banks to upgrade their security systems. While many banks in the region have done this, some smaller banks may not have completed the task, says K.K. Mookhey, founder of Network Intelligence, a global cybersecurity organization. "What we are seeing here is possibly a smaller bank becoming a soft target for sophisticated cybercriminals, who, mostly using social engineering techniques, have gotten access to end-user systems and from there have worked their way to the SWIFT network of the bank," Mookhey says.
Inadequate Audit Controls
Many banks in the region carry out their audits of systems in silos, some security practitioners say. "Banks don't check the processes that span across multiple stakeholders. There are absolutely no checks done on the system and cycle of audits," says Rajesh Dangi, chief technical officer at NxtGen Infinite Datacenter, a cloud service provider.
"This kind of fraud is not possible unless an insider is involved," contends one Indian forensic expert, who asked not to be named. "In my experience, 90 per cent of cyberattacks are successful because the weakest link in security is exploited, which happens to be humans. Attackers are easily able to social engineer and get access to a system and then leave behind a backdoor which can be accessed as per their convenience. As far as securing back-end processes is concerned, there should be a separation of duties and a maker-checker policy in place."
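As an added example that is not from the article or from any bank's system, the following Python models the maker-checker and separation-of-duties control the forensic expert describes, together with the kind of reconciliation check Kamakodi refers to: a payment instruction is released only when an initiator and a distinct approver have each attested to the same canonical bytes, so a stolen single credential or an instruction altered between initiation and approval is rejected, and outgoing references with no internal ledger entry are flagged. Operator names, keys, BICs, account numbers and amounts are constructed; an HMAC over a per-operator secret stands in for each user's private key or hardware authenticator.

```python
"""Dual-control (maker-checker) release of payment instructions plus a
reconciliation pass. Added example; all operators, keys, references and
amounts below are constructed and belong to no real institution."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Per-operator secrets stand in for each user's private key or hardware
# authenticator. Constructed values, not real credentials.
OPERATORS = {
    "alice": {"role": "maker", "key": b"constructed-key-alice"},
    "bob": {"role": "checker", "key": b"constructed-key-bob"},
    "carol": {"role": "maker", "key": b"constructed-key-carol"},
}


@dataclass(frozen=True)
class PaymentInstruction:
    reference: str         # bank's internal transaction reference
    creditor_bic: str      # receiving bank identifier (constructed)
    creditor_account: str  # beneficiary account (constructed)
    amount: str            # decimal kept as a string to avoid float rounding
    currency: str


def canonical(instr: PaymentInstruction) -> bytes:
    """Deterministic serialization so maker and checker attest identical bytes."""
    return json.dumps(asdict(instr), sort_keys=True, separators=(",", ":")).encode()


def attest(operator: str, instr: PaymentInstruction) -> str:
    """Operator attests to the instruction with their own key (HMAC-SHA256)."""
    key = OPERATORS[operator]["key"]
    return hmac.new(key, canonical(instr), hashlib.sha256).hexdigest()


def release(instr: PaymentInstruction, maker: str, maker_sig: str,
            checker: str, checker_sig: str) -> tuple:
    """Return (released, reason). Release requires two different people in the
    maker and checker roles, each with a valid attestation over this exact
    instruction; a single compromised credential is not enough."""
    if maker == checker:
        return False, "maker and checker must be different people"
    if OPERATORS.get(maker, {}).get("role") != "maker":
        return False, f"{maker} is not authorized to initiate"
    if OPERATORS.get(checker, {}).get("role") != "checker":
        return False, f"{checker} is not authorized to approve"
    # compare_digest avoids timing side channels on the attestation check
    if not hmac.compare_digest(attest(maker, instr), maker_sig):
        return False, "maker attestation does not match this instruction"
    if not hmac.compare_digest(attest(checker, instr), checker_sig):
        return False, "checker attestation does not match this instruction"
    return True, "released"


def reconcile(sent_references, ledger_references):
    """Flag outgoing messages that have no matching entry in the internal
    ledger of approved instructions; these are candidates for recall."""
    return sorted(set(sent_references) - set(ledger_references))


if __name__ == "__main__":
    instr = PaymentInstruction("TXN-001", "CONSTRBICXXX", "000111222", "250000.00", "USD")
    print(release(instr, "alice", attest("alice", instr), "bob", attest("bob", instr)))
    # Same reference, but the beneficiary account was changed after initiation.
    tampered = PaymentInstruction("TXN-001", "CONSTRBICXXX", "999888777", "250000.00", "USD")
    print(release(tampered, "alice", attest("alice", instr), "bob", attest("bob", tampered)))
    print(reconcile(["TXN-001", "TXN-002", "TXN-003"], ["TXN-001", "TXN-003"]))
```

The release check refuses the case the article's experts worry about most: an attacker who has social-engineered one operator's credential can initiate but cannot approve, and an instruction edited between the two steps fails the maker's attestation. The reconciliation pass is the back-end counterpart, catching any message that left the bank without a matching approved record.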
Role of Blockchain
Blockchain technology could help mitigate the risks of fraudulent transactions, some security experts say.
"Since blockchain uses private keys to authenticate and safeguard the information of the users, this could act as a mutual authentication between two or more parties involved in the transaction to prove their identity to others," Vibhandik says. "Blockchain can then store and transmit the digital data for a SWIFT code or bank codes securely once all parties have authenticated themselves by their private keys."
Also, the risk of operational errors and fraud could be dramatically reduced via blockchain, he contends. NASDAQ and the Australian Securities Exchange are already exploring blockchain solutions to reduce costs and improve efficiencies, he notes.
Detecting Threats
Vibhandik also advises that banks hit with SWIFT-related fraud need to change all credentials associated with the employees or the SWIFT accounts that were used to initiate the fake transactions.
"Pinpoint the entry point used by the attackers and use a reverse threat hunting approach to zero down on the attack vector. Then patch it up to harden the security," he says.
Managing Editor Geetha Nandikotkur contributed to this story.