SWIFT has not seen its last 'bank robbery'

A former CSO of the World Bank Treasury calls the SWIFT system outdated and open to malware attacks. Those vulnerabilities could lead to manipulation of financial transactions.

SWIFT is the interbank financial messaging system for sending international money transfer instructions. The Society for Worldwide Interbank Financial Telecommunications, which the industry refers to as the SWIFT co-op maintains this system.

CSO looks at the SWIFT co-op’s denial of the real issue, the cost of attacks, informed expert insights into these security flaws, how hackers are using and abusing these to their profit, and what the co-op should do to seal its messaging system to mitigate further falsifications.

“The SWIFT co-op is trying to maintain plausible deniability that these fraudulent transfers point to a systemic problem,” says Tom Kellermann, CEO, Strategic Cyber Ventures and former CSO of the World Bank Treasury. While the co-op claims that it is “already helping prevent cyber frauds by working with affected customers and their counterparties to identify, stop and retrieve fraudulent messages,” true prevention should really come before the illicit transactions.

“The SWIFT board of directors needs to arrive at the consensus that they must make changes to the messaging system and its security,” says Kellermann. The financial institutions that use and support the SWIFT system will have to spend more money to add the needed security.

The amount of additional spending should not be crippling for the participating banks. In the finance sector, the typical security budget is 8 percent of the overall budget, confirms Kellermann. “They need to spend more like 10 percent,” he says.

[ ALSO ON CSO: SWIFT warns of malware attack on another of its customers  ]

Part of the challenge in acquiring the added budget is that CISOs are still reporting to the CIOs and don’t have a separate budget; that’s a governance issue across the financial sector, explains Kellermann.

But if the SWIFT co-op continues to view this only as a security issue, they may not see the justification for insisting that the banks retool their security anyway. “It’s not a security issue anymore. It’s a sustainability issue for eFinance and a brand protection issue,” says Kellermann.

SWIFT attack costs

Notable attacks on SWIFT transfers early this year included one on the central bank of Bangladesh, costing the financial institution $81 million. With this, word spread that hackers continue to target the vulnerabilities of this financial messaging system at great expense to affected banks.

Though the heist at the central bank of Bangladesh earned a lot of attention, this was hardly the first security event involving SWIFT messaging as there were successful attacks in 2013 affecting both the SWIFT messaging system and ATMs in countries including the U.S., Russia, Switzerland, Japan, and the Netherlands.

Tom Kellermann, CEO, Strategic Cyber Ventures and former CSO of the World Bank Treasury

We haven’t seen the last such bank robbery either. “Having spoken to numerous heads of financial institutions, security professionals, and regulators from India to the U.S., I will tell you that attacks on SWIFT payments including significant wire transfer fraud and virtual bank heists are occurring around the world on a weekly basis and people are just not providing full disclosure,” says Kellermann. “Hackers have breached SWIFT more than a dozen times this year with the average wire transfer fraud in the tens of millions of dollars per intrusion."

SWIFT vulnerabilities

SWIFT messaging was designed using dated perimeter security approaches and public-key infrastructure (PKI). To steal the PKI credentials, says Kellermann, these attackers first use spear phishing or island hopping approaches. Island hopping occurs where hackers attack weaknesses in information supply chains, gain entry into systems, find the next weakness, and repeat the process to get to the prize, in this case the PKI keys.

Once hackers gain authenticated access using stolen PKI keys, they plant malware such as Carbanak and Odinaff. A Russian dark web financial crime entity produced Carbanak and Odinaff; these are the kinds of elegant malware that allow for screen scraping (capturing data on a monitor screen) and clandestine lateral movement inside the network, which enable hackers to manipulate wire transfers, explains Kellermann.

Attackers are getting really good at gaining that all important initial foothold inside networks by using attacks such as spear phishing, says Lavi Lazarovitz, cyber research team leader at CyberArk. With that foothold, they can gain local administrator privileges using, for example, an exploited Acrobat Reader vulnerability; when a user simply opens a malicious PDF file, the file runs malicious code that in turn acquires those elevated privileges, explains Lazarovitz.

Mitigating SWIFT financial fraud

According to Kellermann, technical solutions to attacks on SWIFT include anomalous behavior detection and deception techniques. Anomalous behavior detection would alert the financial enterprise to lateral movement in the network and attempts to manipulate systems. Deception would use multiple fake SWIFT systems to confuse the hacker and alert IT security before he gets to the real SWIFT system. Banks should also use two-factor authentication or multifactor authentication and endpoint security such as breach detection to shield SWIFT.

Safeguarding SWIFT transactions can’t stop there. According to Lazarovitz, financial services companies should segment the systems that run SWIFTNet Link, which provides access to SWIFT, away from the rest of the network. “All accounts on systems running SWIFTNet Link should use secure credentials, limited permissions, and account monitoring; IT security should change credentials often,” says Lazarovitz.

Finally, the SWIFT co-op and participating financial institutions should enforce best practices such as controlling endpoint applications to make it harder for attackers to use malware in phishing emails to access endpoints, says Lazarovitz, and allowing remote access to critical systems only via hardened jump servers in order to prevent exposure to risks from endpoints.

Making changes to SWIFT security

SWIFT security needs to change but someone has to initiate the change. The question is who should do it. According to Kellermann, the financial institutions using SWIFT could do it because each institution has its own endpoints, but the reality is that no institution is going to do that on their own and incur those costs without a mandate from SWIFT. “SWIFT needs to accept the fact that they have significant nodes around the world that have been compromised and modernize their security architecture,” says Kellermann.

Other organizations can help move this change along. “I would call on the FFIEC, the Federal Financial Institutions Examination Council, which is the umbrella group for all the U.S. financial regulators, to challenge SWIFT to adopt new security controls that would modernize the security posture of the ecosystem,” says Kellermann. The EBG, which is the Electronic Banking Group in Basel has a U.S. representative; they should crack the whip on the SWIFT co-op since they exist to essentially look at the future of systemic risk in electronic banking, says Kellermann. “I can’t believe they’ve been sitting on their hands frankly."

If these fraud cases are anyone’s fault, it’s the criminal hackers who are attacking SWIFT messaging. Rather than lay blame anywhere, the industry should encourage the SWIFT co-op to take the lead by increasing security requirements, and the banks should gracefully follow by meeting the new security standards.