When security isn’t so SWIFT

There are times where I sit quietly in dumbfounded amazement at the world. When you’ve been working in the information security space for a couple decades one would think that you’ve seen it all. This has proven itself time and again as not the case.

Last week news broke that thieves had managed to break into the Bangladesh central back and siphon away roughly $81 million USD. I had to shake my head the first read the news. It sound like an outlandish film plot. The only thing that was missing were the car chases and explosions and we might have something.

SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication is positioned as secure financial network that banks use for payment authorizations. For an example, if you’re making a wire transfer between the US and Canada you would need the SWIFT number of your financial organization for the transaction.

From SWIFT:

SWIFT’s messaging services are used and trusted by more than 11,000 financial institutions in more than 200 countries and territories around the world.

Together with our role in standardisation, SWIFT enables secure, seamless and automated financial communication between users.

This organization lists failure as not being an option regarding information security. In this case they didn’t fail per se but, one of the 11,000 financial institutions involved in their network flamed out in glorious fashion. The question comes to mind as to how many other financial organizations are similar to the one in Bangladesh?

According to various reports it seems that the central bank in Bangladesh did not even have the simple control of a firewall other network. An attacker will not work any harder than they absolutely have to but, at least make it interesting for them. If an attacker can gain a foothold they will make the most of it. In this case it was to the tune of $81 million.

I wonder how many firewalls they could have purchased for that amount? All kidding aside, wonders how did a bank with what appears to be by all accounts rife to be abject security failures gain access to the SWIFT network. I realize that this is a service but, I’d hope there was a “you must be this high to ride” sign somewhere in the documentation.

I can’t help but, to puzzle if there are more banks like this is equally poor security positions that have access to resources like SWIFT. But, how did this breach come to light?

From The New York Times:

Each bank on the Swift network is identified by a set of codes. And it was the codes assigned to the Bank of Bangladesh that were recognized — correctly — by the Federal Reserve Bank of New York when it transferred $81 million of the Bangladesh bank’s money to the Philippines, not knowing that someone, somewhere, had stolen the credentials of the Bangladesh bank and installed malware to cover his or her tracks.

Initially, the thieves requested the transfer of $951 million into a handful of bank accounts in Sri Lanka and the Philippines — a number that prompted the New York Fed to ask the Bangladesh bank to reconfirm that it indeed wanted to move the money.

So, the only reason that the attackers were unearthed was that they simply got greedy. I’m curious to see how far this thread will go once it is pulled to it’s natural conclusion.