The SWIFT secure messaging service that underpins international banking says it plans to launch a new security program as it fights to rebuild its reputation in the wake of the Bangladesh Bank heist.
The Society for Worldwide Interbank Financial Telecommunication’s (SWIFT) chief executive, Gottfried Leibbrandt, is expected to tell a financial services conference in Brussels that SWIFT will launch a five-point plan later this week. SWIFT is a Belgium-based co-operative which is owned by its users, with banks around the world sending payment instructions to one another via SWIFT messages.
In February, the SWIFT system of the Bangladesh central bank was hacked into, with thieves sending messages to the Federal Reserve Bank of New York that allowed them to steal $81 million. After learning how the organisation worked, the group of cyberattackers stole the Bangladeshi bank’s SWIFT code and made a series of transaction requests for cash to be sent from the country’s New York-based account to entities across Asia, mainly the Philippines and Sri Lanka. The group had installed malware in systems at the banks’ Dharka headquarters, which allowed them to spend several weeks spying upon the bank’s systems and processes.
The breach was uncovered by accident, with an alert only raised as a result of a small spelling error on one of the transactions which blocked other queries that had not yet been processed.
It emerged last week that those behind the heist actually targeted the computer of a Bangladeshi official to conduct the theft. The attack follows a similar but little noticed theft from Banco del Austro in Ecuador last year that netted thieves more than $12 million, as well as a previously undisclosed attack on Vietnam’s Tien Phong Bank that was not successful. The Wall Street Journal reported earlier this month that SWIFT was never told of the Ecuador attack. “We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community,” spokeswoman for Swift, Natasha de Teran said. “We have been in touch with the bank concerned to get more information and are reminding customers of their obligations to share such information with us.” The crimes have dented the banking industry’s faith in SWIFT, with Leibbrandt expected to say in his address that the Bangladesh Bank hack was a “watershed event for the banking industry”. “There will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident … this is a big deal. And it gets to the heart of banking.” SWIFT wants banks to “drastically” improve information sharing, to toughen up security procedures around SWIFT, and to increase their use of software that could spot fraudulent payments. “SWIFT will continue to notify you as soon as possible of any cases of malware known to us so that you can better target your preventative and detective efforts in your local environment,” the society said in a statement Friday.
“We will also continue to share best practices to help all our users improve their security as we have been doing very proactively over recent months. We are currently working to further reinforce our support to customers in securing their access to the SWIFT network; we are receiving feedback from the relevant board committee and overseers in the coming days and will be sharing plans with the wider community.” SWIFT is also expected to provide tighter guidelines that auditors and regulators can use to assess whether banks’ SWIFT security procedures are good enough. Some finance industry executives say SWIFT has not been as active as it should be in improving security, with some saying SWIFT should also be more active in auditing clients and be ready to cut off members whose security is not up to scratch. Users frequently do not inform SWIFT of breaches of their SWIFT systems and even now, the co-operative has not proposed any sanctions for clients who fail to pass on information, which SWIFT itself says is key to stopping future attacks. But the messaging service says other authorities also have a role, with Leibbrandt expected to support the service, saying SWIFT is not all-powerful, that it is not a regulator, and that it is also not a policeman. To improve information sharing, as a first step, SWIFT said it will be centralising all new and existing security information through KB tip 5020928 in the restricted customer section on its SWIFT.com site. “Going forward, all new and relevant information related to cyber incidents at customers’ institutions known to us will be posted on that KB tip, allowing your security team to have the most up to date information, which should enhance their ability to react and respond,” SWIFT said.
Former SWIFT chief executive Leonard Schrank said it appeared that SWIFT’s security efforts had not kept pace with the criminals’ increased sophistication and the co-operative needed to work hard to restore its reputation. A small portion of the stolen funds have been recovered, but Bangladesh officials are still considering the prospect of taking the US financial system to court to recover the remainder.
According to local media, Bangladesh’s Finance Minister AMA Muhith said previously that his government would launch a lawsuit against the US bank, which denied responsibility over the lost funds.
“We’ve heard that Federal Reserve Bank of New York has completely denied their responsibility. They don’t have any right,” Muhith told reporters in Dhaka. “Of course, we’ll file a case against them. We have kept the money with them. They are responsible,” he said, when asked what action his government would take against the bank.