Current and former board directors and senior managers for SWIFT banking admitted security was not a priority for the financial messaging system, and experts are not surprised to hear it.
A report from Reuters noted that, while there was only one reference to security in the past 17 annual reports and strategy plans for SWIFT, more than a dozen executives admitted they suspected for years that there were security flaws, especially in how smaller banks used the system.
It was only after hackers attempted to steal $1 billion -- succeeding in stealing $81 million -- in February and investigations uncovered more incidents of fraud that a plan was created to improve SWIFT security.
Some of the former directors and senior managers took responsibility for the fact that security was not a priority, while others justified it by claiming the SWIFT banking organization expected bank regulators to ensure proper security.
Experts were not surprised by these SWIFT banking execs' admissions.
"SWIFT seems to have expanded its network to banks in less developed countries without due consideration for the security weaknesses that would introduce," Avivah Litan, vice president and distinguished analyst at Gartner, told SearchSecurity. "But SWIFT always justifiably considered itself the messenger, and probably thought the security of its member banks was not its problem. SWIFT's attitude is 'don't shoot the messenger' -- and that position worked in the past, when account takeover and sophisticated hackers weren't so prevalent."
Yong-Gon Chon, CEO for Cyber Risk Management LLC, a risk management firm based in Tampa, Fla., said executives claiming to see warning signs is common.
"The reaction of suspecting vulnerabilities existing within client terminals is expected and not surprising. Every time a major incident happens -- from 9/11 to Target circa 2013 -- experts come out and say they knew there were warning signs," Chon said. "It's a natural human reaction, because hindsight is almost always 20/20. The reality is that the current landscape of digital criminal activity means that threats are faceless and invisible. An invisible threat takes away the advantage of human instinct to suspect unusual activity. Consequently, it has never been more convenient for criminals to exploit the weakest links in a complex internetworked chain that is our financial messaging system."
Bob Hansmann, director of security technologies at Forcepoint LLC, a security firm based in Austin, Texas, suggested many failures were necessary to enable the fraud committed with the SWIFT banking system.
"Time, money and people are all limited resources, particularly in IT security. And many vulnerabilities can only be exploited under unique and highly unlikely circumstances. So, priorities have to be set, and such vulnerabilities may go unaddressed," Hansmann said. "It is important to point out that we should not limit our thinking to technology. People, procedures and processes can also be exploited, or be a key element causing an otherwise unlikely vulnerability [to be] a reality."
Andrei Barysevich, director of Eastern European research and analysis at Flashpoint, based in New York, agreed with this assessment.
"Any system is only as strong as its weakest link. And although the largest financial institutions have sufficient resources to respond adequately to emerging threats, smaller organizations always fall behind," Barysevich said. "SWIFT became a victim of its own success -- too comfortable in its dominance to recognize the new reality; in the meantime, criminals quickly discovered SWIFT's weaknesses."
Experts agreed acknowledging problems is always a good first step toward remediating any issues. Following the fraud attempts, SWIFT announced a five-point customer security program to improve security.
"It includes tighter guidelines for auditors and regulators to check each bank's security, improves information sharing, tightens existing procedures and promotes the use of fraud-spotting solutions. In addition to short-term security improvements, these will also provide more visibility and understanding, which should result in additional recommendations later," Hansmann said. "Security requires visibility. The overall SWIFT system is only as secure as the weakest bank connected to it. A burglar doesn't have to break in through all of your windows ... just one."
Ruchika Mishra, senior product marketing manager for WhiteHat Security, based in Santa Clara, Calif., said the program and the establishment of the SWIFT Customer Security Intelligence team should help.
"The customer security program that endeavors to define an operational and security baseline for its customers with strategic initiatives to improve information sharing, make security tools more robust, and develop audit standards and certification processes is a step in the right direction," Mishra said. "SWIFT has also established a Customer Security Intelligence team in partnership with other experts in cybersecurity to gather intelligence related to attempted cyberattacks and share anonymized customer security information with the larger community. These are all steps in the right direction."
Litan noted these changes are good for SWIFT's image, but don't answer more fundamental questions, such as whether SWIFT should "broaden its role and take more responsibility for the security of member banks who access its systems."
"SWIFT needs to figure out what its role is in the future. Is it going to still be a network for transmitting messages securely, even when those messages are fraudulent? Or, is it going to take responsibility for making sure those messages are not fraudulent and not tampered with?" Litan asked. "My belief is that SWIFT won't take on the latter role, unless its large member banks insist on it. And, for now, the large member banks are more concerned with maintaining the speed of digital business than they are with stopping fraudulent transactions and slowing digital business down."
Litan also suggested the new guidelines introduced by SWIFT won't be useful because they lack the necessary "enforcement teeth to be effective."
"I don't think those steps are enough to stop hacks into member banks' access of the SWIFT network," Litan said. "Not all planned attacks can be discovered by threat intelligence firms, no matter how good those firms are. Some attackers may not leave any digital footprints in places those firms have access to -- e.g., various forums on the dark web. And, certainly, security won't necessarily improve amongst member banks with the introduction of SWIFT security guidelines."
"If the SWIFT attacks continue, and my prediction is that they will, eventually, SWIFT will have to enforce security measures at its member banks -- i.e., on the originator side -- since SWIFT has the authority to do that. SWIFT should enforce security measures on the bank recipient side -- by the way, many large banks are both originators and recipients -- to ensure they analyze transactions and look for suspect payments, but they don't have the power to do that. That's the regulators' jobs; and, one day, the regulators may eventually wake up to the need for them to do just that."