In the wake of a spectacular $81 million heist involving Bangladesh's central bank, the top official for the messaging system used to move billions of dollars every day throughout the global banking system says he's going on the offensive against cybercriminals.
Gottfried Leibbrandt, chief executive of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), announced the plan today in Brussels.
The SWIFT messaging network links banks all over the world via what's been thought to be a highly secure means of sending instructions for money transfers. But Leibbrandt acknowledged at least two security breaches in addition to the Bangladesh theft in February. In one case, hackers stole $12 million from a bank in Ecuador. In another, they tried to steal money from a bank in Vietnam but were unsuccessful.
"The Bangladesh fraud is not an isolated incident," Leibbrandt said. "This is a big deal." According to the written version of his speech, Leibbrandt said that "the same modus operandi" was used in all three.
In the Bangladesh case, hackers tried to make fraudulent transfers totaling nearly $1 billion from the central bank's account with the Federal Reserve Bank in New York. Most of the payments were blocked, but $81 million in transfers went through. Investigators believe the stolen money was transferred to accounts in the Philippines.
The Federal Reserve has said in a statement that there is no evidence the hackers attempted to penetrate its systems. But, the Fed said, "the payment instructions in question were fully authenticated by the SWIFT messaging system." According to security experts with the British defense contractor BAE Systems, it appears that hackers were likely able to penetrate software that SWIFT provides to banks.
A post on BEA's Threat Research Blog said that:
"The general tools, techniques and procedures used in the attack may allow the gang to strike again. All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed."
Leibbrandt said SWIFT is "calling for a collective effort in our global financial community to reinforce the security of our entire, shared system." He laid out initiatives to help banks detect fraudulent payments before it's too late. SWIFT's website states that the five-part plan includes efforts to:
- Improve information sharing among the global financial community;
- Harden security requirements for customer-managed software to better protect their local environments, enhance our guidelines and develop security audit frameworks for customers;
- Support banks' increased use of payment pattern controls to identify suspicious behavior; and
- Introduce certification requirements for third party providers.
Former SWIFT chief executive Leanard Schrank says it appears that SWIFT's security efforts have not kept up with hackers' increased sophistication and that SWIFT officials have a big job ahead of them to restore the messaging system's reputation.
"They really have to earn that credibility back," he told Reuters.