Following four known attacks on banks around the world, the SWIFT banking system is getting new security rules...
and mandating a baseline level of security for banks to use the financial transaction network.
The largest hit was in Feb. 2016 when $81 million was stolen from the account of the central bank of Bangladesh at the Federal Reserve Bank of New York. During an investigation into that attack, investigators found that a separate theft had moved money from the Federal Reserve Bank of New York to accounts in the Philippines. Banco del Austro S.A. in Ecuador alleged in a lawsuit filed against Wells Fargo & Co. that hackers used the SWIFT banking system to steal $12 million. SWIFT reported a theft at an unnamed commercial bank and said there was evidence "of a wider and highly adaptive campaign targeting banks." Vietnam's Tien Phong Commercial Joint Stock Bank said it stopped an attempted theft of 1 million euros in late 2015.
McAfee Labs dug into the malware used in the Bangladesh and Vietnam attacks and found that it was "tuned to the environment and how the banking system operates, including the supported software, databases, and printer." Research showed that the malware was compiled just before the attacks and likely used insider details.
Sluggish SWIFT reaction
According to a statement by SWIFT (Society for Worldwide Interbank Financial Telecommunication), attackers exhibited "a deep and sophisticated knowledge of specific operational controls within the targeted banks."
"Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks," SWIFT wrote. "In both instances, the attackers have exploited vulnerabilities in banks' funds transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims' ability to recognize the fraud."
In this statement, published May 13, 2016, SWIFT asked customers to "please remember that as a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environment."
One week later, SWIFT shifted its message to say that security "can only be ensured through a collaborative approach among SWIFT, its users, its central bank overseers and third party suppliers" and urged customers to share details of attacks. This statement came after the news of the Ecuadorean bank attack, which SWIFT learned about 15 months after it happened.
The news of the attacks spurred banks around the world to privately encourage security improvements for the SWIFT banking system. Ultimately, SWIFT complied when CEO Gottfried Leibbrandt announced a five-part Customer Security Program during the 14th annual European Financial Services Conference in Brussels.
In the speech, Leibbrandt reiterated that the SWIFT network, software and core messaging services were never compromised, but admitted that SWIFT couldn't just stand by.
"We cannot secure our customers' environments and cannot assume responsibility for that," Leibbrandt said. "At the same time, we play a crucial role in the global payments system, and the events form a direct threat for that system. We therefore very much want to be part of the solution. We think we can be and we have to be."
The new security approach from SWIFT was said to focus on five mutually reinforcing strategic initiatives: improving information sharing among overseers, banks, law enforcement and cybersecurity firms; hardening the security of SWIFT-provided products with features like two-factor authentication; developing related audit standards and certification processes for the secure management of SWIFT messages at customer sites; sharing best practices and developing tools for better fraud detection; and enhancing the security of third-party providers.
"This customer security program will clearly define an operational and security baseline that customers must meet to protect the processing and handling of their SWIFT transactions," SWIFT wrote. "SWIFT will also continue to enhance its own products and services to provide customers with additional protection and detection mechanisms, and in turn help customers to meet these baselines."
Promises without specifics
However, Avivah Litan, vice president and distinguished analyst at Gartner, told SearchSecurity this announcement was "long on spirit and short on substance."
"So far SWIFT has failed to specify what strong security constitutes and what specific security measures must be implemented by both their member banks and SWIFT. They have only publicly stated that they may 'cut off' member banks with weak security environments, so there are no clear rules to abide by," Litan said. "SWIFT needs to clearly define the security and fraud detection standards and systems it expects its member banks to implement, and also what SWIFT will be providing here. At this point, SWIFT has only committed to the 'development' of audit standards, certification processes and compliance procedures."
SWIFT said it would "provide a detailed update on the five initiatives at Sibos in September." Sibos is the annual conference, exhibition and networking event organised by SWIFT for the financial industry.
Possibly because of a lack of specifics in the SWIFT banking announcement, the Federal Financial Institutions Examination Council, a council which includes the Federal Reserve System, Federal Deposit Insurance Corporation and the Consumer Financial Protection Bureau, released a warning to financial institutions about the risks associated with the SWIFT banking system, along with suggestions on reviewing risk management practices and controls.
Some experts compared the SWIFT efforts to the PCI Council's PCI DSS certification, but said the success will depend on how seriously SWIFT takes security.
Vitali Kremez, cybercrime intelligence analyst at Flashpoint, said enforcing the rules could be very difficult.
"Given the current large customer base of thousands of SWIFT users, it would require a significant amount of resources to police the fulfillment and certifications of new implementations across its customer base spread out throughout the world," Kremez said. "Such policing will be extremely burdensome at this moment due to the vast geographical distribution of participating members. However, SWIFT will have [the] power to disconnect members from SWIFT for noncompliance if they violate any of its terms of service."
Litan echoed this sentiment and said there is a lot of work left to do before the SWIFT banking system reaches any security goals.
"It will be extremely difficult to police this, especially since there are no specific rules and guidelines, and there is no confirmed audit body," Litan said. "SWIFT has indicated they want to line up counterparties and regulators to help them with the audit process but that hasn't happened yet. There needs to be an established certified ecosystem of players that conduct the audits against well-defined guidelines and frameworks. This takes time to implement, especially in a diverse global environment with many thousands of member banks."
Noah Gray, senior manager for enterprise architecture at (ISC)2, said it's clear that many SWIFT participants are not following security best practices and SWIFT may need to look at more changes than just new security rules.
"The idea that an endpoint can be trusted to submit payment verification by a security layer responsible for questioning whether the banker's PC was compromised, is very much behind the times," Gray said. "Before looking at the rules individually, it's also important to note that there's an imperative to decrease payment latency as well. Banks previously had time to manually review a payment before releasing it, but that luxury is going away as banks and payers move to modes that are more effective. Otherwise, banks could be looking at a world where payers move to Visa, PayPal or even block-chain-based networks to meet the need."