Officials in Several Nations Probe SWIFT SecurityInterbank Messaging System Scrutinized After Incidents
Officials in several nations are probing the security of the SWIFT interbank messaging system in the wake of recent hacker attacks.
The scrutiny was triggered by a February incident in which hackers stole $81 million from the central bank of Bangladesh's New York Federal Reserve account via the messaging service provided by Brussels-based SWIFT - the Society for Worldwide Interbank Financial Telecommunication (see Banks, Regulators React to SWIFT Hack).
Meanwhile, news of another SWIFT hack has come to light, via a lawsuit filed by Banco del Austro in Ecuador against San Francisco-based Wells Fargo (see Another SWIFT Hack Stole $12 Million). And a Vietnamese bank recently revealed it foiled a plot to transfer $1.36 million out of its accounts - via the interbank SWIFT messaging system - in the fourth quarter of 2015.
A SWIFT spokeswoman tells Information Security Media Group that it just learned of the hack attack against Banco del Austro, despite the attack having occurred in January 2015 and BDA filing its lawsuit in January 2016.
"We were not aware," spokeswoman Natasha de Teran tells ISMG. "We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community."
U.S. Senator Wants Answers
In the United States, Sen. Tom Carper, D-Del., has written to the New York Fed and SWIFT to request details about how they're responding to hack attacks.
That follows the Association of Banks in Singapore inviting SWIFT officials to brief them in June on the hack attacks and the organization's related security response, and the Bank of England in April having ordered all U.K. banks to detail how they were responding to the SWIFT hacks, Reuters reports.
On May 19, Sen. Carper, the ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, wrote to William Dudley, president of the Federal Reserve Bank of New York, and Patrick Antonacci, SWIFT's managing director, asking them how they've been responding to the hack-attack reports.
"Institutions that use SWIFT commit to certain actions to protect the security of the network. Please describe the technical, operational, managerial and procedural controls required of SWIFT members to access the network," Carper wrote to SWIFT's Antonacci. "Does SWIFT plan to revise its cybersecurity policies or its own internal control environment in response to these recent attacks? If so, please explain."
Carper also asked both the New York Federal Reserve and SWIFT how they've been coordinating with each other - as well as with the central bank of Bangladesh, the U.S. Department of Homeland Security, the U.S. Department of Treasury and any other institutions "to strengthen the security of the SWIFT system since the attacks."
Carper set a deadline of June 17 to receive answers to his questions as well as brief his staff. SWIFT declined to comment on the senator's requests, or how it planned to respond.
SWIFT Promises More Security Help
On May 20, SWIFT issued a letter to its 11,000 customers, informing them that their access to - and continued use of - the messaging system requires that they report all instances of fraud. "We specifically remind all users to respect their obligations to immediately inform SWIFT of any suspected fraudulent use of their institution's SWIFT connectivity or related to SWIFT products and services," the letter states. "In such cases, SWIFT may require certain diagnostic information from you as set out in our terms and conditions."
SWIFT says that it will also begin maintaining and offering a centralized repository of all security-related information "in the restricted customer section on SWIFT.com," which it will keep updated with the latest information on SWIFT-targeting malware, including indicators of compromise. "SWIFT will continue to notify you as soon as possible of any cases of malware known to us so that you can better target your preventative and detective efforts in your local environment," it says.
The cooperative has also promised to improve the security guidance that it offers to members. "We are currently working to further reinforce our support to customers in securing their access to the SWIFT network; we are receiving feedback from the relevant board committee and overseers in the coming days and will be sharing plans with the wider community," it says. "We will provide further information on a new program shortly."
The latest letter to customers follows earlier communications from SWIFT warning customers that they are being targeted and urging them to use strong security defenses. Those warnings came in the wake of reports that Bangladesh Bank was failing to use strong passwords and lacked such basic controls as firewalls on systems that it allowed to connect to the SWIFT network (see SWIFT to Banks: Get Your Security Act Together).
SWIFT's May 20 communication also appeals to all users to pitch in. "The security of our global financial community can only be ensured through a collaborative approach among SWIFT, its users, its central bank overseers and third-party suppliers. SWIFT is fully committed to leading the community effort. To this end, it is essential that you share critical security information related to SWIFT with us."
SWIFT promised that such information would be used to help troubleshoot any technical problems, track attack patterns as well as help all users better secure themselves. "Any information shared will be treated confidentially within the existing framework between SWIFT and its users," it said.
Some security experts say that SWIFT must begin offering much more detailed and actionable security guidance. "Their security guidance is accurate, but weak - it's broad brush stroke," networking expert Doug Gourlay, corporate vice president at security startup Skyport Systems, tells ISMG (see: Blocking Hack Attacks: SWIFT Must Do More).
Will Banks Police Banks?
One outstanding question relating to battling fraudulent SWIFT messages is the extent to which SWIFT will - or can - crack down on users. Gourlay of Skyport Systems says SWIFT might adopt a compliance model akin to the Payment Card Industry's Data Security Standard. Under such a system, for example, SWIFT could require all users to obtain third-party security audits.
But SWIFT's 25-member board of directors is mainly composed of representatives from larger banks, Reuters reports, and it's not clear that they would want to impose any such regulations on their own industry.
Furthermore, SWIFT has struggled to stay abreast of fraud committed using SWIFT's messaging network because banks have failed to share such details, John Doyle, who held a variety of senior roles at SWIFT between 1980 and 2005, tells Reuters.
"The banks are not going to tell us too much," Doyle said. "They wouldn't like to destabilize confidence in their institution."