SWIFT Sees New Hack Attacks Against BanksCiting Fresh Fraud Attempts, SWIFT Urges Banks to Improve Defenses
See Also: Top 50 Security Threats
That alert comes via a private letter sent from SWIFT to its customers on Aug. 30, warning that since June, it's cataloged multiple attempts by attackers to hack into banks' systems and issue fraudulent SWIFT transfers, reports Reuters, which obtained a copy of the letter. Some banks have lost money as a result, the letter reportedly notes.
Formally known as the Society for Worldwide Interbank Financial Telecommunication, SWIFT is a member-owned, Brussels-based collective. About 11,000 institutions in more than 200 countries use SWIFT's interbank messaging software and network.
A SWIFT spokesman declined to share a copy of the letter, but confirmed that "the cooperative has uncovered new cases of input fraud" that have been reported by clients since the February theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York via fraudulent SWIFT messages.
"Whilst preserving the anonymity of the affected firms, the letter sets out how the attackers have followed a broadly similar modus operandi in these attacks, specifically tailoring every attack to each individual target," the spokesman tells Information Security Media Group.
The letter to customers does not specify which institutions were targeted, which attacks were successful or how much was stolen, he says.
"The letter explains that the targeted customers varied in size and geography; have used diverse connectivity methods and a range of interfaces from different vendors, but have all had particular weaknesses in their local security," he says. "These weaknesses have been identified and exploited by the attackers, enabling them to compromise the customers' local environments and input the fraudulent messages."
In the letter, SWIFT reiterates that there are no indications that its network or messaging services have been hacked, he says. SWIFT also indicates that its new customer security program, launched this past summer, has produced results. The spokesman, however, did not detail those results.
The letter also "warns customers that the cyber threat is persistent, adaptive and sophisticated, cautions customers that they are potentially at risk if they fail to ensure the physical and logical security of their environment, and sets out a number of measures they should take to protect themselves," the spokesman says.
According to Reuters, the letter also threatens to report banks to their regulators and banking partners if they don't meet a Nov. 19 deadline for installing updated SWIFT software that includes better user authentication, stronger password management rules, as well as better tools for detecting hacker attacks.
Who's at Fault?
Shortly after the Bangladesh Bank hack, similar SWIFT-related attacks came to light, including the theft of $12 million from Ecuador's Banco del Austro in January 2015 and the attempted theft of $1.4 million from Vietnam's Tien Phong Bank in late 2015.
Who's responsible for fraud via SWIFT? After it lost $81 million, Bangladesh Bank blamed SWIFT and the New York Fed. But both organizations have strongly rejected that assertion. Backed by Bangladesh police reports noting that the country's central bank lacked firewalls and used $10 second-hand switches to network its computers, SWIFT has called on all client banks to ensure that they're using strong security practices.
Bank Hacks: No Surprise
It's not surprising that some banks with poor security are getting hacked by attackers and potentially seeing millions of dollars get stolen via fraudulent SWIFT messages, asserts Alan Woodward, a computer science professor at the University of Surrey who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency.
"People don't seem to realize that - as that program says on the TV - you are the weakest link," he says. "It's down to the person who makes the most stupid mistake or the cheapest most insecure bit of equipment in your network - those are the sorts of things that people have really got to start thinking about seriously."
How Much Power Does SWIFT Wield?
Some security experts contend that SWIFT has little power to hold banks accountable and that it's up to countries' banking regulators to ensure that their financial institutions have robust information security practices. In fact, regulators in some regions have already called on banks to outline how they're responding to these threats. For example, in April, the Bank of England reportedly ordered U.K. banks to detail their response plans.
In June, the Federal Reserve began auditing its effectiveness when it comes to ensuring that U.S. banks have robust information security policies, procedures and practices in place, including the ability to quickly detect and respond to data breaches. Multiple members of Congress have also been asking questions about banking security.
This month, the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. instructed their examiners to pay closer attention to the security of banks' links to the SWIFT network, The Wall Street Journal reported.
Customer Security Program
Still, former members of SWIFT's management team and board have said the organization failed to do enough to secure communications sent via its network, according to a Reuters report (see Report: SWIFT Screwed Up). "It's a huge wake-up call," Leonard Schrank, who served as SWIFT's chief executive for 15 years until he left in 2007, told The Wall Street Journal in May, following the Bangladesh Bank heist. "They should play a higher role."
Since then, however, SWIFT appears to have begun moving in that direction. In late May, SWIFT launched a new customer security program designed to articulate best practices for using its software and urged banks to share more information about how they're being targeted, with SWIFT promising to share that information in anonymized form with other institutions.
Then in July, SWIFT announced the launch of an incident response team in collaboration with cybersecurity specialists BAE Systems and Fox-IT. The team will help hacked banks investigate intrusions and trace fraudulent SWIFT transfers and attempts (see SWIFT to Banks: Who You Gonna Call?).