Fraud in cross-border payments: an attack on the heart of the banking system
“SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network.” This statement was issued in April 2016 by SWIFT, the global financial messaging network used by 11,000 institutions in 200 countries to transfer billions of dollars every day.
The announcement from the Society for Worldwide Interbank Financial Telecommunication stirred an understandable level of concern among the network's user institutions, as it was the official confirmation of a rumor that had been circulating for a while: there have been attacks on some institutions' IT systems as a result of which cybercriminals were able to issue fraudulent payments to accounts they had opened in advance.
In the most widely known case, which affected the Central Bank of Bangladesh this past February, a total of $81 million was stolen by generating fraudulent payments to a series of accounts linked to Philippine casinos. Although the financial industry remained unaware of the incident for a while, reports of other attacks soon followed, such as those affecting Banco del Austro in Ecuador, Tien Phong Bank in Vietnam and several banks in Russia, Ukraine, Hong Kong…
As soon as news of this string of attacks broke, SWIFT was quick to underscore, on repeated occasions, that both its network and its messaging services are secure and that all of these breaches had been possible because of local weaknesses in the systems and procedures of the targeted institutions. It is, in fact, urging banks to adopt additional security and operational controls to prevent similar attacks.
So far, this is what is known about the attackers' “modus operandi”:
- They break into the victim banks' systems by compromising the credentials and login passwords used at the SWIFT network access points.
- They alter existing payment instructions, diverting the funds to accounts created beforehand.
- They install “malware” that modifies or suppresses the control messages for those payments, so that the banks' operations departments remain unaware of the heist while it is under way.
In other words, they have expert knowledge of how the SWIFT system behaves and of the internal procedures of the banks they target. They are also patient: in the Bangladeshi case, the accounts to which the payments were directed had been created at least one year in advance.
This type of cybercrime marks a tipping point in bank fraud, which until now had focused on “phishing” campaigns against retail customers, credit card fraud and high volumes of small scams. This fraud has a very different profile: very few cases, huge amounts and no concern about media impact.
What measures are we banks adopting?
The complexity of the field we move in when speaking about cyber security requires firms to apply a number of measures at different levels. Zero risk does not exist in cyber security, so the measures implemented should be seen as layers of deterrence that stack up to discourage potential attackers. Here are some of the most important ones:
- Assembling in-house hacker teams capable of running controlled attacks that simulate the ones real attackers might launch (“ethical hacking”). Based on the results, new corrective or mitigating actions should be devised to close any security gaps found.
- Deploying next-generation antivirus software and keeping it up to date at all times, and regularly installing the “patches” that software vendors release, as they usually correct the technical vulnerabilities that attackers exploit.
- Applying strict and rigorous internal security standards, especially segregation of duties and tight access profiles for the most critical IT systems.
- Redoubling operational controls to prevent, as far as possible, actions that could result in monetary losses.
- Moving toward analytic tools capable of flagging payment patterns that differ from the expected ones: payments to countries with which the bank rarely operates, suspicious amounts (very high or very low), payments scheduled at unusual hours, and so on. It is also important to minimize “false positives” by refining the alerts on an ongoing basis with “machine learning” techniques.
- Deploying advanced monitoring systems capable of displaying those alerts in real time, and defining a solid action protocol for every type of alert.
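As an added illustration of the last two points (not taken from the original article, and not any bank's or SWIFT's own tooling), the following Python sketch builds a baseline from past outbound payments, scores new instructions on the signals listed above (rare destination country, outlier amount, release outside business hours, first payment to a beneficiary account) and maps the score to a hold/review/release step of an action protocol. The field names, weights, thresholds and all sample data are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    ref: str                  # bank's own reference for the instruction (assumed field)
    amount_usd: float
    beneficiary_country: str  # ISO-3166 alpha-2 code (assumed field)
    beneficiary_account: str  # opaque account id at the beneficiary bank (assumed field)
    sent_at: datetime         # local time at which the instruction was released


def build_baseline(history):
    """Summarise what 'normal' looks like from past outbound payments."""
    amounts = [p.amount_usd for p in history]
    countries = Counter(p.beneficiary_country for p in history)
    return {
        "country_share": {c: n / len(history) for c, n in countries.items()},
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts),
        "known_accounts": {p.beneficiary_account for p in history},
    }


def score_payment(p, baseline, business_hours=(8, 18), rare_share=0.02, z_limit=3.0):
    """Return (score, reasons). Weights and limits are illustrative, not tuned on real data."""
    score, reasons = 0, []
    share = baseline["country_share"].get(p.beneficiary_country, 0.0)
    if share < rare_share:                       # country the bank rarely operates with
        score += 2
        reasons.append(f"destination {p.beneficiary_country} seen in {share:.1%} of history")
    sd = baseline["amount_sd"]
    z = (p.amount_usd - baseline["amount_mean"]) / sd if sd else 0.0
    if abs(z) > z_limit:                         # very high or very low amount
        score += 2
        reasons.append(f"amount {p.amount_usd:,.0f} is {z:.1f} sd from the mean")
    start, end = business_hours
    if p.sent_at.weekday() >= 5 or not start <= p.sent_at.hour < end:
        score += 1                               # unusual hour or weekend
        reasons.append(f"released at {p.sent_at:%a %H:%M}, outside business hours")
    if p.beneficiary_account not in baseline["known_accounts"]:
        score += 1                               # never paid this account before
        reasons.append("first payment to this beneficiary account")
    return score, reasons


def triage(payments, baseline, hold_at=3, review_at=2):
    """Map each score to one step of the action protocol (thresholds assumed)."""
    decisions = {}
    for p in payments:
        score, reasons = score_payment(p, baseline)
        if score >= hold_at:
            action = "HOLD"      # stop the message; confirm with the originator by an independent channel
        elif score >= review_at:
            action = "REVIEW"    # release only after a second operator checks it
        else:
            action = "RELEASE"
        decisions[p.ref] = (action, score, reasons)
    return decisions


def constructed_history():
    """Forty constructed weekday payments to five usual counterparties (not real data)."""
    monday = datetime(2016, 1, 4, 9, 0)
    countries = ["DE", "GB", "FR", "US", "ES"]
    return [
        Payment(
            ref=f"HIST-{i:03d}",
            amount_usd=100_000 + (i % 9) * 100_000,
            beneficiary_country=countries[i % 5],
            beneficiary_account=f"{countries[i % 5]}-ACC-{i % 3}",
            sent_at=monday + timedelta(weeks=i // 5, days=i % 5, hours=i % 7),
        )
        for i in range(40)
    ]


def constructed_candidates():
    """Three constructed instructions: routine, large but to a known account, and suspicious."""
    return [
        Payment("PAY-1", 300_000, "DE", "DE-ACC-0", datetime(2016, 2, 2, 11, 0)),
        Payment("PAY-2", 1_500_000, "US", "US-ACC-0", datetime(2016, 2, 5, 10, 0)),
        Payment("PAY-3", 20_000_000, "PH", "PH-ACC-9", datetime(2016, 2, 6, 3, 0)),
    ]


if __name__ == "__main__":
    decisions = triage(constructed_candidates(), build_baseline(constructed_history()))
    for ref, (action, score, reasons) in decisions.items():
        print(ref, action, score, "; ".join(reasons) or "no findings")
```

Each alert carries the reasons that produced it, which is what an operator needs to act on it and what an analyst needs to tune the weights when a rule generates too many false positives; the "HOLD" branch is where an out-of-band confirmation with the originator belongs, since an attacker who has tampered with the control messages cannot suppress a phone call.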
“There will be a before and an after Bangladesh”, SWIFT's chief executive Gottfried Leibbrandt stated recently, in the belief that these attacks will become a decisive milestone for the banking industry. Banks have always been one of cybercrime's prime targets, and the fact that these attacks were carried out not through customers but by aiming directly at the banks' “core” systems opens a new era of IT risk for banks, and for the financial system at large, that will require a different approach to prevention.