A recent attack against the SWIFT (Society for Worldwide Interbank Telecommunication) international financial transaction system has focused attention on the potential cascading threat of an interconnected yet not fully integrated system. Cyber professionals categorise the most crucial component of cyber security into three broad categories: Confidentiality, Integrity and Availability (CIA). Most financial service attacks have focused on Confidentiality and Availability. The SWIFT attack signals a hack on cyber security Integrity, which represents a dangerous escalation of menace.
It has come to light and been reported widely in the media that in February, unknown hackers broke into the Bangladesh central bank’s systems and stole credentials for payment transfers. The hackers then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh bank’s account there to entities in the Philippines and Sri Lanka Bank, successfully transferring US$ 81 million of an intended US$ 1 billion.
It has subsequently been reported in the media that the cyber security credentials of the Bangladesh central bank were below par, with a named British defence contractor having shown that the SWIFT software used to make payments was compromised, enabling the hackers to send money around the world without leaving any trace in Bangladesh.
DarkMatter conclusion and recommendations
This attack is already having global repercussions. On 20 May, SWIFT itself circulated an open letter to its users providing an update on the steps it is taking in light of a number of fraudulent payment cases, and on specific measures needed to be taken by members to ensure that the community is using its collective force to reduce the risk of cyber intrusions.
SWIFT put forward the following measures:
Information sharing approach
SWIFT has said it will continue to notify members as soon as possible of any cases of malware known to it so that users can better target their preventative and detective efforts in their local environment. SWIFT has also pledged to continue to share best practices to help all users improve their security as it has been doing proactively over recent months.
SWIFT stated that given it is a global community, it needs to share relevant cyber information amongst its community of users. To improve information sharing, as a first step, the society will be centralising all new and existing security information through KB tip 5020928 in the restricted customer section on SWIFT.com.
Collaboration against cyber threats
In its letter SWIFT commented that the security of its global financial community can only be ensured through a collaborative approach among SWIFT, its users, its central bank overseers and third party suppliers.
From a DarkMatter perspective, we support SWIFT’s recommended measures as transparency, information exchange and collaboration is critical to the sustainable success of any trust-based network. However, we do not believe these measures go far enough, nor do we consider their reactive nature as the most effective long-term cyber security strategy.
DarkMatter believes all parties – the sending bank, the receiving banks, and SWIFT – could have done more to prevent the unauthorised transactions. The receiving banks should really be doing more to flag suspect transaction requests, though the main culprit here is the sending bank.
This way unauthorised transactions cannot occur without the complicity of an insider (i.e. the account administrator). Unless of course they were using multi-factor, and the token was also stolen, which would also point to a failure in the Bangladesh bank’s asset management process. Unaccounted for tokens should be reported and deactivated immediately, which again would have foiled the attack.
DarkMatter recommends that institutions adopt a pro-active approach to cyber security in which they assume a state of breach in order for them to have the defences and mitigation mechanisms in place to minimise possible disruption caused by any cyber security incident.
SWIFT as a society needs to develop a network-wide monitoring and mitigation protocol in the face of cyber threats.
