Bank robbers tend to go where the money is to be found, whether in traditional vaults or, increasingly, in cyber space. And among the digital targets available, few are more alluring than SWIFT(Society for Worldwide Interbank Financial Telecommunications), the cross-border payment messaging system owned and used by 9,000 member institutions around the globe that handles transfers worth more than $6tn every day.
In recent weeks, the financial world has been rocked by news of breaches in this inconspicuous but critical network. Hackers have forced their way into member banks’ systems and covertly gathered their SWIFT passwords and other authenticating protocols.
They have used these to transfer large sums from the victim banks’ foreign accounts via the network to institutions in third countries. There the money has been either withdrawn, or attempts made to make it disappear.
The most startling case involves the Bangladesh Bank, where in February hackers made off with more than $80m from its account at the New York Federal Reserve. SWIFT has logged a number of other incidents — believed to be up to 10 — all involving similar breaches. Intruders used access codes and malware that tampered with the victim bank’s own systems to sweep over their digital traces.
What is particularly concerning is the ease with which hackers were able to get their hands on what is effectively a bank’s own cheque book. They did not after all need to break into SWIFT’s own systems to purloin money. All they did was to take control of one of the terminals giving access to SWIFT’s network. To penetrate the system then, it is just a case of finding its weakest cyber link.
As banking networks ultimately rely upon trust between participants, breaches like this could have a big knock-on effect on financial flows across borders. If confidence in the system is weakened, the network itself may shrink as institutions become warier of dealing with one another online. In the end that spells less choice and more frictional costs for those wanting to move money abroad.
Of course, intrusions into SWIFT are not the only threats facing bank cyber security. The developed world’s largest financial institutions now face “tens of thousands” of attacks every minute, according to one bank chief executive. But given the multiple jurisdictions involved, cross-border transactions can risk slipping through the cracks. For instance, it avails little if only US regulators tell their banks to tighten procedures. It needs all their counterparties round the world to follow suit.
SWIFT has now come up with suggestions for tightening processes. It wants banks to share information about breaches more openly with one another. Timely notification would certainly be sensible: for instance, it could allow some fraudulent transfers to be revoked without loss. It would also allow banks to share technical fixes, thus avoiding successive institutions falling prey to the same scams.
SWIFT also wants to make the network more self-policing, for instance establishing an audit “kite-mark” for anti-hack processes and systems. Those members that failed to measure up could face being “de-friended” by other system users, or charged more to make transfers. That could get around the co-ordination problem of corralling thousands of banks round the globe.
Systems that trade on the security of their systems have no future if they do not deliver. Swift has at least woken up to the challenge facing its business. But this is not just a problem involving cross-border deals. Cyber-crime is increasingly a threat to the whole financial industry. This is one digital challenge that banks cannot duck and it is growing.
Source: Cyber Security Intelligence