The Story of the Bangladeshi Money Transfer Heist
It took the Bangladesh central bank a couple of days to discover the money transfer fraud. By that time, it was too late to stop all the payments. Fortunately, the U.S. Federal Reserve Bank of New York (NY Fed) had blocked most of the transactions after discovering a spelling mistake in one of the money transfers’ payment instructions, and US$20 million was recovered. But the cyber thieves still got away with US$81 million, making this money transfer one of the most successful bank robberies in history.[2]
Initially, security lapses at the Bangladesh central bank and in the Philippines were blamed for the heist. In April 2016, Bangladeshi investigators described security procedures at the Bangladesh central bank as “seriously deficient”.[3] But after SWIFT issued a software update in response to a malware attack, and warned its member banks to be vigilant about money transfer security, questions began to be asked about SWIFT’s own part in the theft. On 9 May 2016, Bangladeshi police alleged that SWIFT technicians had compromised the central bank’s security when connecting SWIFT to Bangladesh's new real-time gross settlement (RTGS) system.[4]
SWIFT was having none of it. “SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters,” it said in a strongly worded press release. “The accusations have no basis in fact.” And SWIFT went on to lay the responsibility for the security lapses that enabled the money-transfer heist firmly at the door of the Bangladesh central bank, even calling into question its password control.[5]
The following day, at a meeting in Basel, Switzerland, SWIFT, the NY Fed and the Bangladesh central bank agreed to work together to recover as much as possible of the transferred money, bring the perpetrators to justice and protect the global financial system from attacks.[6] And there the matter might have rested.
But it soon emerged that the illicit Bangladesh money transfer was far from unique. A few days later, SWIFT warned its users about a “highly adaptive campaign targeting banks’ payment endpoints”, and gave specific advice about risk management in SWIFT money transfers.[7] On 15 May a Vietnamese bank confirmed in a statement to Reuters that late last year it had “intercepted” an attempted theft of US$1.1 million involving SWIFT money transfers.[8] On 20 May, Reuters reported that US$12 million had been stolen from a bank in Ecuador using fraudulent SWIFT money transfers.[9] By the end of May, possible SWIFT hackings were being investigated at a dozen banks, mostly in South East Asia.[10]
The security firm Symantec stated in a blog post that it had evidence a bank in the Philippines had been attacked by the same group that hacked the Bangladesh central bank, and that the group was using tools similar to those used in cyberattacks against financial targets in the U.S. and Far East going back to 2009. On this basis, Symantec alleged that the cybercrime group Lazarus was behind the growing number of SWIFT money transfer frauds.[11]
At this point, what had started as a one-off bank heist exploiting weaknesses in the interface between SWIFT and Bangladesh central bank procedures became a matter of global concern. Lazarus is believed to be responsible for the Sony Pictures cyberattack in 2014, which the U.S. has long said originated in North Korea.[12] However, The Guardian points out that it is not uncommon for criminal organisations to sell malware, so use of similar code does not necessarily mean the same criminals are at work.[13]
Increasing The Security Of Money Transfer Systems With Five Key Initiatives
Whether or not this is the work of Lazarus, the SWIFT frauds have raised awareness of the need for strict security around money transfers. SWIFT emphasises that its own software remains secure, but it has announced a five-point plan to improve security in the interface between SWIFT and banks’ own software and procedures. The five key points include:[14]
- Better information sharing amongst the SWIFT user community;
- Improved security procedures including two-stage authentication;
- Enhanced security and operational baselines for SWIFT users, together with audit frameworks;
- Better user control of payment patterns, including the ability to stop or recall a payment suspected of being fraudulent;
- Improved support from third-party security services.
All of these are important improvements, though only time will tell whether they are enough to protect SWIFT money transfers from further attacks. In a recent speech, SWIFT’s CEO, Gottfried Leibbrandt, called for the SWIFT user community to do its part, emphasising the need for collaboration to ensure the security of payments systems: “We are calling for a collective effort in our global financial community to reinforce the security of our entire, shared system. Our security is our collective mission and can only be strengthened through a collaborative approach which includes SWIFT, third party suppliers, policymakers, regulators and our users, big and small.”[15]
The Takeaway:
As The Economist notes, these money-transfer frauds took place at the interface between software and human procedures.[16] It is entirely possible that they were initiated not by hackers breaking in, but by corrupt insiders. SWIFT’s member banks will need to ensure not only that their software is secure, but also that their employees and partners are trustworthy. For in the end, money transfer systems are only as secure as the people who use them.
Sources
1. "SWIFT introduces mandatory customer security requirements and an associated assurance framework", SWIFT; https://www.swift.com/insights/press-releases/swift-introduces-mandatory-customer-security-requirements-and-an-associated-assurance-framework
2. "How cyber criminals targeted almost $1bn in Bangladesh Bank heist", Financial Times; http://www.ft.com/cms/s/0/39ec1e84-ec45-11e5-bb79-2303682345c8.html#axzz4AAkl9pYO
3. "Bangladesh Bank hackers compromised SWIFT software, warning issued", Reuters; http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR
4. "SWIFT rejects Bangladeshi claims in cyber heist, police stand firm", Reuters; http://www.reuters.com/article/us-usa-fed-bangladesh-swift-exclusive-idUSKCN0Y001H
5. "Statement on Recent Allegations", SWIFT; https://www.swift.com/insights/press-releases/swift-statement
6. "Joint statement: Federal Reserve Bank of New York, Bangladesh Bank and SWIFT", SWIFT; https://www.swift.com/insights/press-releases/joint-statement_federal-reserve-bank-of-new-york_bangladesh-bank-and-swift
7. "SWIFT customer communication: Customer security issues", SWIFT; https://www.swift.com/insights/press-releases/swift-customer-communication_customer-security-issues
8. "Vietnam bank says interrupted cyber heist using SWIFT messaging", Reuters; http://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN
9. "Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network", Reuters; http://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD
10. "Swift Hack Probe Expands to Up to a Dozen Banks Beyond Bangladesh", Bloomberg; http://www.bloomberg.com/news/articles/2016-05-26/swift-hack-probe-expands-to-up-to-dozen-banks-beyond-bangladesh
11. "SWIFT attackers’ malware linked to more financial attacks", Symantec Connect Community; http://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
12. "The Interview: A guide to the cyber attack on Hollywood", BBC News; http://www.bbc.co.uk/news/entertainment-arts-30512032
13. "Swift network bank thefts 'linked' to Sony Pictures hack", The Guardian; https://www.theguardian.com/technology/2016/may/27/swift-network-bank-theft-sony-pictures-hack-lazarus-symantec
14. "Customer Security Programme (CSP)", SWIFT; https://www.swift.com/customer-security-programme
15. "Gottfried Leibbrandt on cyber security and innovation", SWIFT; https://www.swift.com/insights/press-releases/gottfried-leibbrandt-on-cyber-security-and-innovation
16. "Heist finance", The Economist; http://www.economist.com/news/finance-and-economics/21699458-recent-hacks-highlight-vulnerability-cross-border-payments-system-heist