



When security isn’t so SWIFT

May 02, 2016 · 3 mins
Cybercrime, Data Breach, Security


There are times when I sit quietly in dumbfounded amazement at the world. When you’ve been working in the information security space for a couple of decades, one would think that you’ve seen it all. This has proven time and again not to be the case.

Last week news broke that thieves had managed to break into the Bangladesh central bank and siphon away roughly $81 million USD. I had to shake my head the first time I read the news. It sounded like an outlandish film plot. The only things missing were the car chases and explosions and we might have something.

SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is positioned as a secure financial network that banks use for payment authorizations. For example, if you’re making a wire transfer between the US and Canada you would need the SWIFT number of your financial organization for the transaction.


SWIFT’s messaging services are used and trusted by more than 11,000 financial institutions in more than 200 countries and territories around the world.

Together with our role in standardisation, SWIFT enables secure, seamless and automated financial communication between users.

This organization lists failure as not being an option regarding information security. In this case they didn’t fail per se, but one of the 11,000 financial institutions involved in their network flamed out in glorious fashion. The question that comes to mind is how many other financial organizations are similar to the one in Bangladesh.

According to various reports, it seems that the central bank in Bangladesh did not even have the simple control of a firewall on their network. An attacker will not work any harder than they absolutely have to, but at least make it interesting for them. If an attacker can gain a foothold they will make the most of it. In this case it was to the tune of $81 million.

I wonder how many firewalls they could have purchased for that amount? All kidding aside, one wonders how a bank with what appear, by all accounts, to be abject security failures gained access to the SWIFT network. I realize that this is a service, but I’d hope there was a “you must be this high to ride” sign somewhere in the documentation.

I can’t help but puzzle over whether there are more banks like this, in equally poor security positions, that have access to resources like SWIFT. But how did this breach come to light?

From The New York Times:

Each bank on the Swift network is identified by a set of codes. And it was the codes assigned to the Bank of Bangladesh that were recognized — correctly — by the Federal Reserve Bank of New York when it transferred $81 million of the Bangladesh bank’s money to the Philippines, not knowing that someone, somewhere, had stolen the credentials of the Bangladesh bank and installed malware to cover his or her tracks.

Initially, the thieves requested the transfer of $951 million into a handful of bank accounts in Sri Lanka and the Philippines — a number that prompted the New York Fed to ask the Bangladesh bank to reconfirm that it indeed wanted to move the money.

So, the only reason that the attackers were unearthed was that they simply got greedy. I’m curious to see how far this thread will go once it is pulled to its natural conclusion.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
