Updated: The security guidelines of inter-bank messaging system SWIFT are “outdated and incomplete”.
The criticism comes days after SWIFT revealed that a second bank had fallen victim to credential theft fraud, adding to concern already fueled by February’s $81m Bangladesh reserve bank cyber-heist.
Vietnam’s Tien Phong Bank has come forward to identify itself as the victim of the second attempted attack, which involved a thwarted attempt to fraudulently transfer more than $1m, according to reports last weekend.
In both cases, the working theory is that hackers managed to get their hands on the access credentials needed to send messages on the SWIFT secure financial messaging system, either by successfully infecting terminals on the network of the targeted bank or by using a corrupt bank insider. SWIFT has repeatedly stated that in both cases the fraud arose because of a carefully planned attack against the targeted banks and shortcomings in their security controls rather than any weakness in the SWIFT financial messaging system as a whole.
Independent security experts are split on this point, with at least some arguing that a major revamp of SWIFT’s systems is needed. For example, analysis of the SWIFT Alliance’s security guidelines for its users concluded that while they address the “types of attacks that were prevalent a decade ago”, they fail to safeguard against today’s more sophisticated hacks. Had they been updated and modernized – and presumably adhered to by SWIFT’s users – the recent hack might have been avoided.
A five-point prescription covers issues such as improved network segmentation, greater use of two-factor authentication and browser security improvements. SWIFT supports two-factor authentication but, crucially, use of the technology is far from universal among banks connecting to the SWIFT network – even though hardware tokens and the like have been a staple of corporate remote access for 20 years or so.
An independent SWIFT terminal installer said: “I think that everything in the five-point plan is very sensible. However, my big fear with fraud at this scale is how easily a low-level clerk or sysadmin could be bribed. When you’re planning on stealing hundreds of millions of dollars, it’s not unreasonable to reserve a couple million for bribing insiders. And a couple million dollars would go a long way in Bangladesh or Vietnam. In this scenario, IT security wouldn’t really help.”