The February 2016 attack on Bangladesh Bank, which involved the sending of fraudulent SWIFT messages from the bank’s environment, was followed by a number of other attacks on banks using the SWIFT network. The criminal hackers’ intention is to compromise the banks’ environments in order to gain their SWIFT credentials, send fraudulent messages and route payments to themselves. Since that time, the SWIFT cooperative has instituted measures ultimately designed to help its customers prevent, detect, stop or retrieve the fraudulent messages.
The SWIFT cooperative’s security approach includes a new security controls framework, the reinforcement of interface software, and the introduction of transaction pattern detection measures such as its new daily validation reports. In addition, it has launched a community-wide information sharing initiative, involving a forensics team, a customer security notification process, and other measures.
SWIFT’s Head of Customer and 3rd Party Engagement for the CSP dissects the attacks and details the actions that the cooperative has taken.
The SWIFT network enables participating financial institutions to send and receive messages containing fund transfer instructions, confirmations of successful transfers, and related statements. These messages, which SWIFT validates at both ends of the communication process, move between banks, or between a bank and its market infrastructure, internal institutions, or corporate entities. In 2016 SWIFT recorded a FIN traffic peak day of over 30 million messages, according to Pat Antonacci, Head of Customer and 3rd Party Engagement for the CSP, SWIFT.
Attacks on banks involve a three- to four-stage approach. In the first stage, hackers compromise connected financial institutions’ local network environments. “There is no evidence to date that hackers have in any way, shape, or form compromised our network or messaging. The compromises have always occurred in our customers’ local environments,” says Antonacci.
The fraudsters then obtain local user credentials. “They steal or create credentials of users with access to transaction applications or users with administrative control who can create users and manage logs in the local environment,” says Antonacci. With their newfound access and control, the hackers send fraudulent messages from the bank over the SWIFT network.
Some attackers have also tried to hide their activities. They do so by obfuscating the executions of the transactions at customer firms, usually by removing local transaction logs and hiding the customers’ local records of the transactions’ confirmation and statement data, says Antonacci.
How is SWIFT working to help the industry to address the challenge?
The SWIFT cooperative has introduced a Customer Security Programme to support participating institutions in their efforts to secure the infrastructure they use to access SWIFT. The program consists of three components.
With the first component, SWIFT is helping customers to secure their own local environments against security threats. SWIFT has published a set of security controls to aid banks in safeguarding their infrastructure. The 27 controls are the culmination of SWIFT’s review of industry best practices; the documentation includes guidance for using the controls on the SWIFT network. According to Antonacci, SWIFT is working bilaterally with various stakeholders, including the participating banks, and through its community User Groups to obtain feedback on the clarity of the controls, which will be introduced in 2017.
In the next phase, SWIFT will require self-attestation from connected institutions to demonstrate that they have implemented those security controls and best practices. According to Antonacci, the attestation process will enable participating customers or “counterparties” to decide whether they want to continue doing business with one another over the SWIFT network.
The SWIFT cooperative is taking other steps to help secure the wider community. To support the community in sharing cyber-threat information, SWIFT has put a forensics team in place that works with clients to retrieve information about any SWIFT-related security incidents in support of their security efforts. Whether a transaction has been blocked or processed without the movement of funds, or hackers have compromised a bank successfully, the forensics team helps customers with their investigations and shares that information in an anonymized form with the wider community through SWIFT’s security notification process, explains Antonacci.
“When we become aware of a new modus operandi or indicator of compromise, whether through local ISACs, CERTs, local agencies, or our customers, we anonymize the data so that customers are comfortable sharing it and we, in turn, share it with the entire community,” says Antonacci.
SWIFT has also launched post-transaction Daily Validation Reports, enabling customers to quickly recognize on a daily basis any fraudulent transactions that may have occurred. “They can then stop or recall the transaction,” says Antonacci. These daily validation reports come with a variety of transaction data to fully equip customers to reconcile their messages.
For example, if the report shows a certain number of messages and the customer usually sends fewer than that, the discrepancy may suggest some messages are fraudulent. “We offer this information to customers out-of-band; instead of bringing it into an environment that hackers may have compromised, we make it available so that customers can access it through a different channel,” explains Antonacci.
The SWIFT cooperative will also maintain other security measures such as the copy service. SWIFT continues to offer a copy service, so customers can receive same-day, real-time copies of messages and transactions as they pass through the SWIFT network. Some large, sophisticated customers use those copies to reconcile transactions, and a secondary party in their organization receives them for validation purposes, says Antonacci.
SWIFT is also investigating further fraud prevention and detection measures. For instance, the cooperative is looking at the application of operational reports to isolate patterns that can help determine abnormal SWIFT usage. If the SWIFT cooperative could determine, for example, that a user’s credentials were active on the system during “off hours”, it could flag that activity as anomalous, according to Antonacci.
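The three detection ideas the article describes, comparing the out-of-band report against an institution's own local records (the records an intruder may have deleted), checking the daily message count against a historical baseline, and flagging credential activity during off hours, can be expressed as a short reconciliation script. This is an added example written for this page, not SWIFT's tooling, report format or validation logic; the CSV-style layout, the field names, the 08:00-18:00 operating window and every sample record are constructed assumptions.

```python
"""Reconcile an out-of-band daily report against local records and flag
anomalies. Added example; formats and data below are constructed."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed: what an out-of-band daily report might list for one day.
# Assumed layout: reference,sending user,timestamp,amount.
OOB_REPORT = """\
REF0001,ops_user1,2016-03-01T09:12:00,150000.00
REF0002,ops_user1,2016-03-01T10:45:00,82000.00
REF0003,ops_user2,2016-03-01T14:30:00,210000.00
REF0004,ops_user2,2016-03-01T23:58:00,19500000.00
REF0005,admin_svc,2016-03-01T03:05:00,8100000.00
"""

# Constructed: the institution's own local transaction log for the same
# day, from which two records have been removed.
LOCAL_LOG = """\
REF0001,ops_user1,2016-03-01T09:12:00,150000.00
REF0002,ops_user1,2016-03-01T10:45:00,82000.00
REF0003,ops_user2,2016-03-01T14:30:00,210000.00
"""

# Constructed baseline: outbound message counts on prior business days.
BASELINE_DAILY_COUNTS = [3, 2, 4, 3, 3, 2, 3, 4, 3, 3]

# Assumed local operating window: 08:00 inclusive to 18:00 exclusive.
BUSINESS_HOURS = (8, 18)


def parse_records(text):
    """Parse the assumed CSV layout into {reference: {user, ts, amount}}."""
    records = {}
    for line in text.strip().splitlines():
        ref, user, ts, amount = line.split(",")
        records[ref] = {
            "user": user,
            "ts": datetime.fromisoformat(ts),
            "amount": float(amount),
        }
    return records


def missing_locally(report, local):
    """References the network saw but the local log lacks: the gap left
    when local transaction records are deleted to hide activity."""
    return sorted(set(report) - set(local))


def count_anomaly(report, baseline, k=2.0):
    """Flag the day if its message count exceeds mean + k * stdev of the
    baseline. Returns (flagged, count, threshold)."""
    threshold = mean(baseline) + k * pstdev(baseline)
    count = len(report)
    return count > threshold, count, threshold


def off_hours_activity(report, hours=BUSINESS_HOURS):
    """References sent outside the operating window, whatever the user."""
    start, end = hours
    return sorted(
        ref for ref, rec in report.items()
        if not (start <= rec["ts"].hour < end)
    )


def run_checks(report_text=OOB_REPORT, local_text=LOCAL_LOG,
               baseline=BASELINE_DAILY_COUNTS):
    """Run all three checks and return the findings as one dict."""
    report = parse_records(report_text)
    local = parse_records(local_text)
    flagged, count, threshold = count_anomaly(report, baseline)
    return {
        "missing_locally": missing_locally(report, local),
        "count_flagged": flagged,
        "count": count,
        "count_threshold": round(threshold, 2),
        "off_hours": off_hours_activity(report),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The point of parsing the report separately from the local log is that the report arrives through a channel the local environment cannot alter, so a reference that appears only in the report is evidence in its own right; the count and off-hours checks are cheap triage signals that tell an operator which references to recall first.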
SWIFT’s efforts are bearing fruit. “In 80 percent of the cases since the Bangladesh attack that we’ve finished investigating, we have prevented the attacks using the measures we have introduced through the customer security program,” says Antonacci.