SWIFT Responds to Cyber Attacks on the World’s International Business Payments Infrastructure
By Bill Camarda
When businesses make cross-border payments, settle a trade or perform many other common financial tasks, standardized messages are sent to make it happen. Six billion of those messages traveled over the Society for Worldwide Interbank Financial Telecommunication’s (SWIFT’s) secure messaging platform last year: it is used by over 11,000 financial firms, markets and corporations in some 200 countries to make international business payments. So it’s no surprise that SWIFT has been under attack by global cybercriminals – or that it is now responding aggressively. Its response affects every SWIFT member and, indirectly, the businesses that trade across borders and that therefore make use of SWIFT’s network.
Background: Successful International Business Payments Fraud
One weekend this past February, hackers fed SWIFTNet an authentic-looking set of instructions to move nearly $1 billion from the Bangladesh Central Bank’s New York Federal Reserve Bank account to multiple banks throughout Asia. Most of those requests were declined (though, in one case, a simple typo may have been all that saved the money from being lost). However, $81 million was transferred to a bank in the Philippines. After that, the money was evidently forwarded to a forex service, redeposited in the Philippines bank, withdrawn again and laundered into cash at local casinos. From there, it disappeared.
The public still doesn’t know many of the details of this crime – not least, who did it and whether “state actors” were involved, as has been suggested by some informed observers. But several aspects of the attack have been widely reported, and they raise significant concerns.
Cross-Border B2B Payments Fraud Was Carefully Planned and Exploited Widespread Vulnerabilities
Attacks against bank customers have unfortunately become familiar, but these attacks are different: they aim to victimize the banks themselves, through the global infrastructure they use to move money around the world to make international business payments.
It appears that the criminals spent at least a year planning their attack on the Bangladesh Central Bank. The accounts which received the stolen funds had lain dormant for quite some time, and investigators found evidence of smaller forays against other institutions in the months leading up to the attack. The criminals seem to have infected Bangladesh Central Bank’s computers with malware designed to prevent SWIFT’s software from printing the transaction copies that financial institutions expect and check. Since the heist took place on a weekend, nobody seems to have realized until Monday morning. SWIFT has also said that the criminals somehow used valid credentials to initiate the money transfers, though it isn’t known how these were acquired.
These reports show that the crime involved extremely careful planning, and the exploitation of vulnerabilities not dissimilar from those used in many other cyberattacks. While the malware involved was well-targeted and relatively sophisticated, it probably found its way into a network through familiar means: perhaps physically, through a USB stick, or electronically, via an email attachment.
Legitimate SWIFT credentials were stolen: perhaps by an insider, perhaps by “tricking” someone into sharing them, or perhaps by a garden-variety network security compromise caused by a vulnerability that could have been fixed in time. What’s more, cyberattacks on the infrastructure banks use for international business payments are ongoing. In October 2016, a cybersecurity firm announced that it had detected malware that can be used to hide fraudulent SWIFT transactions within the networks of 10 to 20 financial institutions, mostly in the United States, Hong Kong, Australia, the United Kingdom and Ukraine.
Based on what’s known, existing technical safeguards and greater human vigilance can help, and such measures may now be more crucial than ever. That’s where SWIFT’s latest response comes in.
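The suppressed-confirmation trick described above is exactly what an independent reconciliation of “what the interface sent” against “what the back office actually received” is meant to catch. The following is an added example written for this article, not SWIFT’s or any bank’s code; the log layouts, references, amounts and the 30-minute grace window are constructed stand-ins for whatever a real institution logs.

```python
"""Independent reconciliation of outbound payment instructions against the
confirmation records the back office expects to see.  Added example for this
article; not SWIFT software.  The log formats below are constructed."""
from datetime import datetime, timedelta

# Constructed sample: outbound instructions as recorded by the messaging
# interface (reference, amount in USD, timestamp).
INSTRUCTIONS = [
    ("REF0001",  2_500_000, "2016-02-04 14:05"),  # Thursday, business hours
    ("REF0002",    950_000, "2016-02-05 09:40"),  # Friday, business hours
    ("REF0003", 20_000_000, "2016-02-06 03:12"),  # Saturday, small hours
    ("REF0004", 30_000_000, "2016-02-06 03:15"),  # Saturday, small hours
]

# Constructed sample: references for which a printed/archived confirmation
# exists.  REF0003 and REF0004 are absent, as they would be if a tampered
# interface silently dropped the print job.
CONFIRMATIONS = {"REF0001": "2016-02-04 14:06", "REF0002": "2016-02-05 09:41"}


def parse(ts):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def reconcile(instructions, confirmations, as_of, grace=timedelta(minutes=30)):
    """Return instructions with no confirmation once `grace` has elapsed,
    each flagged if it was sent on a weekend or outside 08:00-18:00."""
    findings = []
    for ref, amount, sent in instructions:
        if ref in confirmations:
            continue
        sent_at = parse(sent)
        if as_of - sent_at < grace:
            continue  # still inside the window; confirmation may yet arrive
        out_of_hours = sent_at.weekday() >= 5 or not (8 <= sent_at.hour < 18)
        findings.append({"ref": ref, "amount": amount,
                         "out_of_hours": out_of_hours})
    return findings


if __name__ == "__main__":
    # Run the check as if it fired at 04:00 on the Saturday of the sample.
    for finding in reconcile(INSTRUCTIONS, CONFIRMATIONS, parse("2016-02-06 04:00")):
        print(finding)
```

The point is that the check reads the confirmation store and the instruction log separately, so a compromise of the printing path alone does not blind it; run on a schedule that includes weekends, since the sample instructions that go unconfirmed are precisely the out-of-hours ones.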
SWIFT’s Response: Mandatory Controls and Greater Transparency In International Business Payments
To help understand why SWIFT responded as it has, it’s worth noting that SWIFT’s own network was not compromised. Member companies link to SWIFT in three ways: a few install a direct interface; some use a SWIFT-provided cloud solution; and others use a service bureau, which typically assists with some aspects of SWIFT-related security.
So in September 2016 at its annual global conference, SWIFT announced that it will require members to significantly harden their own information infrastructures against attack – and, ultimately, to demonstrate that they’ve done so. Starting Spring 2017, “customers will be required to provide self-attestation against 16 mandatory controls on an annual basis … the standards will be made applicable to all customers connected to SWIFT, including those connected through service bureaus.”
Beginning in January 2018, a random selection of SWIFT customers will be required to show proof from internal or external auditors that they’ve actually met these requirements. If a customer proves non-compliant, SWIFT will inform both its regulators and its counterparts. At the same time, SWIFT will also add 11 more “advisory” (i.e., voluntary) controls.
SWIFT hasn’t formally announced which controls it will require or recommend: the preliminary list is promised by the end of October 2016, with community feedback to follow. However, The Wall Street Journal has reported that the standards will require the physical lockdown of equipment used to connect with SWIFT; better control over tokens containing SWIFT credentials; and more security training and cyber incident response plans. Some of these measures are technical, but others – such as security training – involve all participants in the international business payments process and may indirectly involve outside business partners who aren’t SWIFT members.
Meanwhile, SWIFT is more actively encouraging financial institutions to share information about indications of compromise and modus operandi when they discover they are being attacked, whether successfully or not. This has been described as a step towards a gradual change in culture, as large institutions increasingly recognize that it is extremely difficult to fend off sophisticated cyberattacks alone.
To support SWIFT’s request for cooperation, SWIFT CEO Gottfried Leibbrandt revealed that at least three more attacks were foiled this summer. He also made it clear that he expects such attacks to continue, and to grow in sophistication. For SWIFT member organizations, scrupulously following SWIFT’s forthcoming rules will likely be an important part of the solution, but only part. As SWIFT Chairman Yawar Shah put it, “this will be a long haul, and will require industry-wide effort and investment, as well as active engagement with regulators … a concerted, community-wide response.”
Companies that make cross-border B2B payments via wire transfer are, of course, aware of the growing prevalence of hackers attempting to perpetrate fraud in their midst. Businesses may wish to familiarize themselves with SWIFT’s mandatory security requirements as they are announced, and as they evolve over time. Even though the requirements may not apply to a company just because it makes international business payments via wire, following the recommendations is likely to enable better security than not following them.
Bill Camarda is a professional writer with more than 30 years’ experience focusing on business and technology. He is author or co-author of 19 books on information technology and has written for clients including American Express Private Bank, Ernst & Young, Financial Times Knowledge and IBM.