SWIFT Promises Security Overhaul, Fraud Detection
But Post-Bangladesh Bank Hack Plans Would Not Require Compliance, CEO Says
After blaming a recent spate of bank robberies on banks' poor information security practices, SWIFT has somewhat changed its tune, saying that it wants to help financial firms spot related fraud and better share information about unfolding threats.
Gottfried Leibbrandt, SWIFT's CEO, announced the moves on May 24, together with a promise to better secure the SWIFT interbank messaging system.
"Cyber concerns are not new to us at SWIFT. Indeed, ever since I took on this job, cyber risk has been the main thing to keep me awake at night," Leibbrandt said in a keynote speech at the European Financial Services Conference in Brussels. "We work very hard at improving the cybersecurity of our network; every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done."
SWIFT - short for the Society for Worldwide Interbank Financial Telecommunication - is a cooperative owned by 3,000 banks, founded in 1973, that bills itself as "the world's leading provider of secure financial messaging services." It's now used by 11,000 banks globally to process 25 million communications daily that collectively account for billions of dollars' worth of transfers.
Naturally, the SWIFT messaging system has long been a target of attackers, since a successful attack - utilizing real-looking but fraudulent messages - would allow thieves to transfer money out of victims' accounts, directly into attacker-controlled accounts. Investigators say that's just how attackers managed to transfer millions of dollars out of Bangladesh Bank's account at the Federal Reserve Bank of New York (see Bangladesh Bank Heist: Lessons Learned).
Leibbrandt predicted that the theft of $81 million from Bangladesh Bank "will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh." He also warned that more such attacks have been launched, and would surely be launched in the future.
Since that February attack, which came to light in March, more attacks - and attack attempts - have already been revealed, including the theft of $12.2 million from Banco del Austro, or BDA, in Ecuador, in early 2015, via fraudulent SWIFT messages. Earlier this month, Vietnam-based Tien Phong Bank said that it had successfully blocked a similar plot to transfer $1.36 million out of its accounts via fraudulent SWIFT messages, at the end of 2015.
Investigators say recent strikes have involved attackers successfully infecting banks' systems with malware and injecting fake money transfer requests into the SWIFT network. Attackers have been hiding those transfers by substituting a Trojanized version of a PDF reader used by the banks to review related statements generated by their SWIFT software.
SWIFT has continued to maintain that its network, software and core messaging services have not been hacked. Leibbrandt repeated that assertion, and said that some banks must dramatically improve their information security practices (see SWIFT to Banks: Get Your Security Act Together).
Increasing Scrutiny of SWIFT
But in recent weeks, some security experts have been asking if SWIFT shouldn't be doing more to help users stay secure, for example by creating security regulations - modeled on the Payment Card Industry's Data Security Standard - with which users would have to comply.
Officials in some countries have also been asking SWIFT how it plans to help customers better secure themselves. Notably, the Bank of England in April asked all British banks to detail how they'd responded to the Bangladesh Bank hack (see Banks, Regulators React to SWIFT Hack).
On May 23, Rep. Carolyn B. Maloney (D-NY) wrote to Fed Chair Janet Yellen, Comptroller of the Currency Thomas Curry and Federal Deposit Insurance Corp. Chairman Martin Gruenberg, asking them if they planned to follow the Bank of England's lead and order all U.S. banks to conduct a full cybersecurity review.
Maloney, who represents part of Manhattan - where many U.S. banks are headquartered - also asked officials what steps their agencies have taken or plan to take "to ensure that all U.S. banks have adequate security measures in place to protect against cyber attacks that involve stolen SWIFT credentials."
Her move followed a May 19 letter from Sen. Tom Carper (D-Del.), the ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, to the New York Fed and SWIFT requesting details about how they're responding to hack attacks.
SWIFT: "Not a Policeman"
While saying that SWIFT will do more to help, Leibbrandt said in his Brussels speech that the cooperative will not require banks to comply with its recommendations or any related audits. "SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry," he said. "The security of our network remains our key priority; the security of their own environments has to remain - and, for some, become - banks' priority."
Meanwhile, Leibbrandt promised that later this week SWIFT will debut a "five-part customer security program" that features:
- International information sharing "in a confidential way that uses the data while protecting the identity of the institution and customers."
- Requiring customers to use strong security tools and practices "to better protect their local environments."
- Better security guidance for customers, including related frameworks for auditing SWIFT-related security.
- A promise to try and help banks better analyze "payment pattern controls to identify suspicious behavior."
- Certification requirements for third-party providers.
Call for Cooperation
Leibbrandt says more details on the plan will be forthcoming. But he also urged banks to help each other to better help themselves, starting with sharing information about related attacks. For example, SWIFT says it only learned of the $12 million heist from BDA this month, after it was revealed in media reports.
"Information sharing needs to get better, much better," he said. "It is critical that the global financial community works together to bolster our mutual security. ... We must work even harder at our collective defensive efforts."