Bank cyberthefts can be reduced by five key initiatives to secure wire transfer systems.

Cyberthefts in Banks Highlight the Importance of Security in Money Transfer Systems

By Frances Coppola

On 4 February 2016, there was a bank heist. Or, more correctly, a central bank heist. A series of illicit money transfers through the Society for Worldwide Interbank Financial Telecommunication’s (SWIFT’s) international payments messaging system attempted to move nearly US$1 billion from Bangladesh’s central bank to commercial bank accounts in the Philippines and Sri Lanka. Consequently, SWIFT has made a series of announcements and recommendations that aim to increase the security of money transfer operations, including mandatory procedures for member banks.1 The story of the Bangladesh heist illuminates the importance of the human element in securing money transfer systems.

The Story of the Bangladeshi Money Transfer Heist

Before diving into the story of the Bangladeshi heist, it’s important to establish a clear understanding of SWIFT, which is sometimes mistaken for a money transfer service. In fact, SWIFT is a financial messaging service. SWIFT is a global, member-owned cooperative used by more than 11,000 financial institutions in more than 200 countries and territories around the world. Its messaging service enables those banks and other institutions to send each other secure instructions pertaining to money transfers and other financial transactions, which are settled using separate facilities. While new approaches to cross-border payments are emerging, including credit card networks, peer-to-peer networks and blockchain-based distributed ledgers, SWIFT-based messaging and related money transfers remain the financial industry standard. And despite cyber attacks that used SWIFT to send fraudulent messages, SWIFT’s core service has apparently never been breached; rather, criminals have attacked member banks’ connections to the SWIFT network.2

In the case of the Bangladeshi heist, it took the Bangladesh central bank a couple of days to discover the money transfer fraud. By that time, it was too late to stop all the payments. Fortunately, the U.S. Federal Reserve Bank of New York (NY Fed) had blocked most of the transactions after discovering a spelling mistake in one of the money transfers’ payment instructions, and US$20 million was recovered. But the cyber thieves still got away with US$81 million, making this money transfer one of the most successful bank robberies in history.3

Initially, security lapses at the Bangladesh central bank and in the Philippines were blamed for the heist. In April 2016, Bangladeshi investigators described security procedures at the Bangladesh central bank as “seriously deficient”.4 But after SWIFT issued a software update in response to a malware attack, and warned its member banks to be vigilant about money transfer security, questions began to be asked about SWIFT’s own part in the theft. On 9 May 2016, Bangladeshi police alleged that SWIFT technicians had compromised the central bank’s security when connecting SWIFT to Bangladesh's new real-time gross settlement (RTGS) system.5

SWIFT was having none of it. “SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters,” it said in a strongly worded press release. “The accusations have no basis in fact.” And SWIFT went on to lay the responsibility for the security lapses that enabled the money-transfer heist firmly at the door of the Bangladesh central bank, even calling into question its password control.6

The following day, at a meeting in Basel, Switzerland, SWIFT, the NY Fed and the Bangladesh central bank agreed to work together to recover as much as possible of the transferred money, bring the perpetrators to justice and protect the global financial system from attacks.7 And there the matter might have rested.

But it soon emerged that the illicit Bangladesh money transfer was far from unique. A few days later, SWIFT warned its users about a “highly adaptive campaign targeting banks’ payment endpoints”, and gave specific advice about risk management in SWIFT money transfers.8 On 15 May a Vietnamese bank confirmed in a statement to Reuters that late last year it had “intercepted” an attempted theft of US$1.1 million involving SWIFT money transfers.9 On 20 May, Reuters reported that US$12 million had been stolen from a bank in Ecuador using fraudulent SWIFT money transfers.10 By the end of May, possible SWIFT hackings were being investigated at a dozen banks, mostly in South East Asia.11 The security firm Symantec stated in a blog post that it had evidence a bank in the Philippines had been attacked by the same group that hacked the Bangladesh central bank, and that the group was using tools similar to those used in cyberattacks against financial targets in the U.S. and Far East going back to 2009. On this basis, Symantec alleged that the cybercrime group Lazarus was behind the growing number of SWIFT money transfer frauds.12

At this point, what had started as a one-off bank heist exploiting weaknesses in the interface between SWIFT and Bangladesh central bank procedures became a matter of global concern. Lazarus is believed to be responsible for the Sony Pictures cyberattack in 2014, which the U.S. has long said originated in North Korea.13 However, The Guardian points out that it is not uncommon for criminal organisations to sell malware, so use of similar code does not necessarily mean the same criminals are at work.14

Increasing The Security Of Money Transfer Systems With Five Key Initiatives

Whether or not this is the work of Lazarus, the SWIFT frauds have raised awareness of the need for strict security around money transfers. SWIFT emphasises that its own software remains secure, but it has announced a five-point plan to improve security in the interface between SWIFT and banks’ own software and procedures. The five key points include:15

  • Better information sharing amongst the SWIFT user community;
  • Improved security procedures including two-stage authentication;
  • Enhanced security and operational baselines for SWIFT users, together with audit frameworks;
  • Better user control of payment patterns, including the ability to stop or recall a payment suspected of being fraudulent;
  • Improved support from third-party security services.

All of these are important improvements, though only time will tell whether they are enough to protect SWIFT money transfers from further attacks. In a recent speech, SWIFT’s CEO, Gottfried Leibbrandt, called for the SWIFT user community to do its part, emphasising the need for collaboration to ensure the security of payments systems: “We are calling for a collective effort in our global financial community to reinforce the security of our entire, shared system. Our security is our collective mission and can only be strengthened through a collaborative approach which includes SWIFT, third party suppliers, policymakers, regulators and our users, big and small.”16

The Takeaway

As The Economist notes, these money-transfer frauds took place at the interface between software and human procedures.17 It is entirely possible that they were initiated not by hackers breaking in, but by corrupt insiders. SWIFT’s member banks will need to ensure not only that their software is secure, but also that their employees and partners are trustworthy. For in the end, money transfer systems are only as secure as the people who use them.

The Author

Frances Coppola

With 17 years’ experience in the financial industry, Frances is a highly regarded writer and speaker on banking, finance and economics. She writes regularly for the Financial Times, Forbes and a range of financial industry publications. Her writing has featured in The Economist, the New York Times and the Wall Street Journal. She is a frequent commentator on TV, radio and online news media including the BBC and RT TV.

Sources

1. "SWIFT introduces mandatory customer security requirements and an associated assurance framework", SWIFT; https://www.swift.com/insights/press-releases/swift-introduces-mandatory-customer-security-requirements-and-an-associated-assurance-framework
2. "Once Again, Thieves Enter Swift Financial Network and Steal", The New York Times; http://www.nytimes.com/2016/05/13/business/dealbook/swift-global-bank-network-attack.html?_r=0
3. "How cyber criminals targeted almost $1bn in Bangladesh Bank heist", Financial Times; http://www.ft.com/cms/s/0/39ec1e84-ec45-11e5-bb79-2303682345c8.html#axzz4AAkl9pYO
4. "Bangladesh Bank hackers compromised SWIFT software, warning issued", Reuters; http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR
5. "SWIFT rejects Bangladeshi claims in cyber heist, police stand firm", Reuters; http://www.reuters.com/article/us-usa-fed-bangladesh-swift-exclusive-idUSKCN0Y001H
6. "Statement on Recent Allegations", SWIFT; https://www.swift.com/insights/press-releases/swift-statement
7. "Joint statement: Federal Reserve Bank of New York, Bangladesh Bank and SWIFT", SWIFT; https://www.swift.com/insights/press-releases/joint-statement_federal-reserve-bank-of-new-york_bangladesh-bank-and-swift
8. "SWIFT customer communication: Customer security issues", SWIFT; https://www.swift.com/insights/press-releases/swift-customer-communication_customer-security-issues
9. "Vietnam bank says interrupted cyber heist using SWIFT messaging", Reuters; http://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN
10. "Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network", Reuters; http://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD
11. "Swift Hack Probe Expands to Up to a Dozen Banks Beyond Bangladesh", Bloomberg; http://www.bloomberg.com/news/articles/2016-05-26/swift-hack-probe-expands-to-up-to-dozen-banks-beyond-bangladesh
12. "SWIFT attackers’ malware linked to more financial attacks", Symantec Connect Community; http://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
13. "The Interview: A guide to the cyber attack on Hollywood", BBC News; http://www.bbc.co.uk/news/entertainment-arts-30512032
14. "Swift network bank thefts 'linked' to Sony Pictures hack", The Guardian; https://www.theguardian.com/technology/2016/may/27/swift-network-bank-theft-sony-pictures-hack-lazarus-symantec
15. "Customer Security Programme (CSP)", SWIFT; https://www.swift.com/customer-security-programme
16. "Gottfried Leibbrandt on cyber security and innovation", SWIFT; https://www.swift.com/insights/press-releases/gottfried-leibbrandt-on-cyber-security-and-innovation
17. "Heist finance", The Economist; http://www.economist.com/news/finance-and-economics/21699458-recent-hacks-highlight-vulnerability-cross-border-payments-system-heist
