Banks, Regulators React to SWIFT HackMillions Still Missing After Bangladesh Bank Heist
Banks and regulators have begun reviewing SWIFT-related information security practices following the online heist of $81 million from Bangladesh Bank. Authorities say much of that money is still missing.
See Also: Top 50 Security Threats
Bank of England, the U.K.'s central bank, ordered banks across the country to outline what steps they had taken to lock down their systems in the wake of the hack attack against Bangladesh Bank via the interbank SWIFT messaging system, Reuters reports, citing unnamed officials who weren't authorized to discuss the move.
Officials at the Bank of England didn't respond to a request for comment on that report.
SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based cooperative, maintains a messaging system used by 11,000 banks to help move money. Last week, SWIFT warned users that the February theft of $81 million from Bangladesh Bank's Federal Reserve of New York account - part of a plot to steal nearly $1 billion - was "part of a wider and highly adaptive campaign targeting banks."
Besides Bangladesh Bank, several other institutions have been targeted by the same group, SWIFT has warned. To date, only one of those banks has come forward: Vietnam's Tien Phong Commercial Joint Stock Bank, which says that it foiled a related attack attempt to steal more than $1 million in the fourth quarter of 2015.
Security researchers at U.K. defense contractor BAE Systems say it's not clear who's behind the attacks, although they have found that the malware used ties to some previous attacks, including the 2014 Sony Pictures Entertainment breach.
Authorities say most of the funds stolen in the Bangladesh Bank heist were laundered via casinos in the Philippines. In April, the Anti-Money Laundering Council in the Philippines filed a complaint with the country's Department of Justice against three senior executives at money-moving firm Philrem Service, based in Manila, which has been accused of converting and routing most of the $81 million stolen from the Bangladesh Bank's account at the New York Fed, the Philippines-based Inquirer reports.
SWIFT Urges Security Reviews
Security experts say all SWIFT-using banks must take breach prevention action as a result of the hack attacks.
"You're one of the biggest targets in the world right now," networking expert Doug Gourlay, corporate vice president at security startup Skyport Systems, tells Information Security Media Group. "This is the easiest bank robbery ever. It's the safest, and it pays out a heck of a lot better than walking in a regional branch with a gun."
In recent weeks, New York-based JPMorgan Chase has begun restricting many insiders' access to its SWIFT systems, The Wall Street Journal reports.
SWIFT has continued to defend the security of its software and network. It's also called on customers to "urgently review controls in their payments environments to all their messaging, payments and e-banking channels." (See SWIFT to Banks: Get Your Security Act Together)
Could SWIFT Do More?
But some security experts say that SWIFT could - and should - be doing more. "The system is widely perceived by banks as being secure, but these incidents have shaken their beliefs and are raising the same kinds of identification questions that have arisen with spoofed emails and other systems," Michael McGowan, anti-money-laundering and compliance technology leader at cybersecurity firm Stroz Friedberg, tells The Wall Street Journal.
Gourlay has called on SWIFT to update the "accurate but weak" security guidance that it currently offers to its users and spell out the detailed, prescriptive steps that it must take. And he's suggested that SWIFT could soon require its users to undergo periodic security audits to verify that they're using the messaging system in a secure manner (see Blocking Hack Attacks: SWIFT Must Do More).
In fact, some U.S. banks have been pushing SWIFT to discuss its response to the hack attacks - and if it responded quickly enough - as well as to help banks lock down their systems, Bloomberg News reports, citing unnamed officials inside a U.S. bank. They suggest that in the United States, BITS - the technology and policy division of the Financial Services Roundtable - could be tapped to organize related discussions.
Hackers Struck on a Friday
More details about the malware-enabled hack of Bangladesh Bank continue to come to light, including the fact that it was carried out on a Friday, which is a Muslim day of prayer.
"One of our bank official's computers, who actually is in the group who make the payment, who passes the payment instruction, his computer was hacked, and it was a Friday ... and the Bangladesh Bank is totally shut down on a Friday, because it's a Muslim day of prayer, and so it's all sealed, and so no one actually goes to the bank," Bangladesh Ambassador to the Philippines John Gomes told a Philippine Senate panel on May 19.
"So these payment instructions were made by the hacker; it was not anyone in the Philippines who was the hacker, nor was it anyone in Bangladesh who was the hacker," he added. "So this was hacked on a Friday, and then it went to the U.S. It was a Saturday, and then a Sunday, so they also had the weekend over there."
Gomes said Bangladesh Bank had neither found nor received any evidence suggesting that insiders were involved in the hack, as the FBI has reportedly suggested. Likewise, he says the bank hasn't seen any evidence to substantiate the possibility that hackers with ties to North Korea might have been involved.
$21 Million Still Unaccounted For
So far, $60 million of the money stolen in the Bangladesh Bank heist has been accounted for, though not necessarily recovered, Julia Bacay-Abad, executive director of the country's Anti-Money Laundering Council, told the Philippine Senate at the May 19 hearing, according to the Inquirer. But due to related legal challenges, it may take another six months before any of the recovered funds get restored to the bank, she added.
Bangladesh Ambassador Gomes told the committee that having to wait months more to see the money get returned "would be like a slap on my face."