On February 4th, 2016, there was a bank heist. Or, more correctly, a central bank heist. A series of illicit wire transfers through the international payments system SWIFT attempted to move nearly US$1bn from Bangladesh’s central bank to commercial bank accounts in the Philippines and Sri Lanka.
It took the Bangladesh central bank a couple of days to discover the fraud. By that time, it was too late to stop the payments that had already been made. Fortunately, the Federal Reserve Bank of New York (NY Fed) had blocked most of the transactions, and the US$20m sent to Sri Lanka was recovered after a spelling mistake was discovered in the payment instructions of that transfer. But the cyber thieves still got away with US$81m, making this one of the most successful bank robberies in history.1
Initially, security lapses at the Bangladesh central bank and in the Philippines were blamed for the heist. In April 2016, Bangladeshi investigators described security procedures at the Bangladesh central bank as “seriously deficient”.2 But after SWIFT issued a software update in response to a malware attack, and warned its member banks to be vigilant about security, questions began to be asked about SWIFT’s own part in the theft. On 9th May 2016, Bangladeshi police alleged that SWIFT technicians had compromised the central bank’s security when connecting SWIFT to Bangladesh's new real-time gross settlement (RTGS) system.3
SWIFT was having none of it. “SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters,” it said in a strongly-worded press release. “The accusations have no basis in fact.” And SWIFT went on to lay the responsibility for the security lapses that enabled the heist firmly at the door of the Bangladesh central bank, even calling into question its password control.4
The following day, at a meeting in Basel, Switzerland, SWIFT, the NY Fed and the Bangladesh central bank agreed to work together to recover as much as possible of the missing money and bring the perpetrators to justice, and to protect the global financial system from attacks.5 And there the matter might have rested.
But it soon emerged that the Bangladesh Bank heist was far from unique. A few days later, SWIFT warned its users about a “highly adaptive campaign targeting banks’ payment endpoints”, and gave specific advice about risk management in SWIFT wire transfers.6 And on May 15th, 2016, a Vietnamese bank confirmed in a statement to Reuters that late in 2015 it had “intercepted” an attempted theft of US$1.1m involving SWIFT wire transfers.7 On May 20th, Reuters reported that US$12m had been stolen from a bank in Ecuador using fraudulent SWIFT wire transfers.8 By the end of May, possible SWIFT hackings were being investigated at a dozen banks, mostly in South East Asia.9
The security firm Symantec claimed in a blogpost that it had evidence that a bank in the Philippines had been attacked by the same group that hacked the Bangladesh central bank, and that the group was using tools similar to those used in cyberattacks against financial targets in the US and Far East going back to 2009. On this basis, Symantec alleged that the cybercrime group Lazarus was behind the growing number of SWIFT wire transfer frauds.10
At this point, what had started as a one-off bank heist exploiting weaknesses in the interface between SWIFT and Bangladesh central bank procedures became a matter of global concern. Lazarus is believed to be responsible for the Sony Pictures cyberattack in 2014, which the US has long claimed originated in North Korea.11 However, the Guardian points out that it is not uncommon for criminal organisations to sell malware, so use of similar code does not necessarily mean the same criminals are at work.12
Increasing The Security Of Wire Transfer Systems With Five Key Initiatives
Whether or not this is the work of Lazarus, the SWIFT frauds have raised awareness of the need for strict security around wire transfers. SWIFT emphasises that its own software remains secure, but it has announced a five-point plan to improve security in the interface between SWIFT and banks’ own software and procedures. The five points are:13
- better information sharing amongst the SWIFT user community
- improved security procedures, including two-factor authentication
- enhanced security and operational baselines for SWIFT users, together with audit frameworks
- better user control of payment patterns, including the ability to stop or recall a payment suspected of being fraudulent
- improved support from third party security services
All of these are important improvements, though whether they go far enough to protect the SWIFT wire transfer system from further attacks remains to be seen. But the user community too must do its part. In a recent speech, SWIFT’s CEO, Gottfried Leibbrandt, emphasised the need for collaboration to ensure the security of payments systems:
“We are calling for a collective effort in our global financial community to reinforce the security of our entire, shared system. Our security is our collective mission and can only be strengthened through a collaborative approach which includes SWIFT, third party suppliers, policymakers, regulators and our users, big and small.”14
As The Economist notes, the frauds took place at the interface between software and human procedures.15 It is entirely possible that they were initiated not by hackers breaking in, but by corrupt insiders. SWIFT’s member banks will need to ensure not only that their software is secure, but their employees and partners are trustworthy. For in the end, systems are only as secure as the people who use them.