When SWIFT made headlines back in April of 2016, I could not help but wonder how bad things really were. Many people were blissfully unaware as to what SWIFT (Society for Worldwide Interbank Financial Telecommunication) even was or what it could be used for.
This is supposed to be a secure financial network that banks can use for payment authorizations. It seems that, of the 11,000 reported banks that use the system, not all were up to snuff on security.
For example, in Bangladesh, criminals were able to leverage the SWIFT system to a nefarious end to make off with $81 million. Not bad for a day’s work. But why was this possible? Sure, SWIFT talk a good security game, but I can think of 81 million arguments against that.
Case in point, this passage appears on the SWIFT information security page:
SWIFT’s information security measures are comprehensive. They are designed to cater for extreme situations and aim to prevent any unauthorised physical and logical access which could lead to a loss of confidentiality, integrity or availability. Our measures include physical controls that safeguard our premises as well as logical controls that protect against unauthorised access to data and systems and encompass our detection, response and recovery capabilities.
I fear that this may leave a bad taste in their mouths, as they revealed last week that even more financial institutions have run afoul of weaknesses in the SWIFT network. After the breach at the Bangladeshi bank I noticed that there was a customer security program (CSP) posted. Now, to be fair, this might have pre-dated the breach, but I’m not clear on that point.
On the CSP page they note the following:
The growing threat of cyberattacks has never been more pressing. Recent instances of payment fraud in our customers’ local environments demonstrate the necessity for industry-wide collaboration to fight against these threats.
While SWIFT’s network, software and services have not been compromised, each of these incidents took place after a customer suffered security breaches within its locally managed infrastructure.
An apparent attempt to blame the victim. But the common thread is SWIFT. Now we see that new breaches have been discovered. The organization sent a letter to clients but did not post anything on their website security announcement page as of Friday, September 2nd.
In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank.
"Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay."
While SWIFT has been pushing companies to adopt more stringent security practices, I have to wonder: why wasn’t there a more rigorous “you need to be this tall to ride” program in place? SWIFT are now moving to suspend financial institutions that don’t use the latest software or update their security practices. While the financial institutions and SWIFT attempt to stop the money from raining down, I think that the horse may have left the barn already.