The theft of US$81 million by cyber criminals from the central bank of Bangladesh1 has prompted the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to call for tighter anti-fraud controls and closer cooperation among its 11,000 members. This initiative is welcome, but the measures announced by SWIFT can’t guarantee the security of global payments. The Bangladesh Bank heist shows the ability of criminals to strike at the global payments system, in their attempt to get away with $1 billion. Unless improvements are made, it’s only a matter of time before we see them, or someone else, succeed.
To reduce the risk further would require a much wider and more coordinated effort among banks, payment networks, regulators and governments to strengthen security, especially among the weakest links in our financial infrastructure. The vulnerable links include any and all parts of the system where fraud controls are weak and data security is at risk. We may expect the largest global banks to implement comprehensive security controls, but this may not be the case for all members of our community. Smaller banks, banks in emerging markets, new entrants to the financial community, and some government institutions may face greater challenges. All are connected in some way to the global financial markets.
The Bangladesh case demonstrates that cyber criminals are continuously searching for parts of the financial system where there are gaps in defenses, where security controls can be bypassed, and where insiders may be prepared to collude in perpetrating fraud. If members of the SWIFT payments network follow through and significantly tighten their safeguards against cyber attack, criminals will focus their efforts elsewhere in the financial system. They have shown they are able to compromise not just commercial banks but a central bank.
As SWIFT CEO Gottfried Leibbrandt told the European Financial Services Conference in Brussels on May 24, the fraud at Bangladesh Bank “will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh.” The question, of course, is what happens after.
Leibbrandt told the conference in Brussels that in the event leading to the theft from Bangladesh Bank, SWIFT’s network, software and core messaging services were not compromised. This is reassuring, but small consolation for the 11,000 institutions that are members of SWIFT, because it is clear that thieves don’t have to attack SWIFT’s core systems to exploit weaknesses in the systems that feed in and out of SWIFT’s network. Instead, the penetration occurred at Bangladesh Bank, a member of the SWIFT network, and at other banks.
Investigators are continuing to examine what happened, and new details are likely to continue to emerge. What we do know is that the attackers opened a number of accounts at Rizal Bank Philippines in May 2015. They then conducted reconnaissance to identify targets to gain access and penetrate the banking system.
In early February, the attackers made 35 fraudulent payment requests to the New York Federal Reserve from Bangladesh Bank’s server, totaling $951 million. Fortunately for the bank, vigilance by recipient banks and a spelling error in a request stopped the bulk of the transactions and only five of the 35 were authorized and paid. The criminals had planted malware that modified the SWIFT Alliance Access Server software to bypass authentication checks and cover its tracks to avoid detection.
At Bangladesh Bank, there was no indication of trouble and no alerts of an intrusion until February 5, when the bank realized there were no SWIFT printouts that day. A full day went by and then the transactions were printed out, revealing the suspicious activity. Stop-payment orders were issued on February 8. Nevertheless, on the following day, the branch manager of Rizal Bank allegedly approved the withdrawal of $81mllion.
In the ensuing investigation, it came to light that at least two, and possibly more, other cases had recently occurred where fraudsters used similar methods to penetrate financial institutions through the SWIFT network, but got away with lesser amounts. One of the cases involved a commercial bank in Vietnam.
As Leibbrandt explained in his speech, “The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated.” The problem is twofold: first, when banks lose control of access to their payments channels, the possible loss of assets could threaten their existence; second, the financial system is tightly interwoven and operates on the basis of trust, which could disappear in the event of a significant penetration by a criminal organization.
To understand what happened, a number of points are worth noting:
In his speech, Leibbrandt outlined five ways that SWIFT intended to safeguard financial transactions better in the future:
These measures will certainly go some way toward improving the security of bank transactions around the world. They are a welcome step in the right direction, but they need to go further. In the Bangladesh case, it was the central bank that was compromised. It also regulates the banking system, raising doubts about the ability of some country regulators to demonstrate the security precautions that they themselves expect of the banks they regulate. Who watches the watchmen?
Cyber criminals will continue to look for the weakest entities in the financial system. Will these entities be brought up to the standards of the stronger ones, as a result of the changes envisaged by SWIFT’s CEO? Other measures should be taken to identify the weakest links in the chain of financial transactions, by establishing improved regulatory baselines for payments security and undertaking a risk-focused assessment of the participants’ ability to manage security and prevent fraud.
A particular focus of the assessment should be the skills and resources available at each institution. Some members of the SWIFT network lack the know-how to safeguard their assets from the sophisticated cyber attacks we are now seeing. And many have limited, or no, staffing of their security and fraud teams at weekends or public holidays. Criminal gangs do not take the day off. Indeed, they are more likely to be active when banks’ guard is lowered.
SWIFT is probably not in a position to demand that the licenses of all its banking members should be contingent on their meeting certain rigorous standards of cyber security. But worldwide banking regulatory bodies such as the Bank for International Settlements (BIS) should promote a higher global baseline.
In addition to these measures, governments around the world must do more to eradicate havens of money laundering and potential gaps in the international anti-money laundering regime. Ultimately, the more difficult it is to cash-out the proceeds of crime, the lower the incentive to commit it. This is difficult to achieve, but we need to see the same level of political resolve to crack down on money laundering that we have seen developing on tax avoidance.
By focusing on the problems encountered by SWIFT, we risk losing sight of the wider issues faced by the global financial system that are highlighted by the Bangladesh Bank case. The key is to identify just how cyber criminals can cash-out and monetize the access they achieve to our global financial systems, including the payment and clearing systems at the heart of our financial world.
Then the financial community, both public sector and private, needs to work together to introduce a range of measures, consisting of fraud controls, data analytics and other security strategies for each of these key systems and the gateway systems that communicate with them. Each of these systems is a separate organization with its own rules, but to a criminal group, they all present opportunities to move money around. If this does not happen, we run the risk that a single weak link in one payments system could undermine confidence in the entire global financial framework.
1 Cyber Watch – Threat Intelligence, KPMG Canada (PDF 417 KB)