In this day and age, if you want to rob a bank, you can dispense with the overcoat, the wig, the cheap sunglasses, and the note slid across the counter to a blanching teller. According to numbers from the FBI, the yield from robbing bank branches is relatively low—$7,500 on average, even if that number is up from $4,300 several years earlier. The risks of getting caught are also high—60% of robbers are caught, often on the same day as the robbery.
By contrast, your yield would be 10,000 times higher if you targeted the communication system that banks rely on to conduct transactions internationally. And the risk of getting caught, so far, appears low. (Don’t do this, of course. We don’t condone theft of any kind; we’re just making conversation.)
In February of this year, hackers, possibly acting on behalf of a nation state, infiltrated the SWIFT network and attempted to execute a series of transactions that would have robbed the Bangladesh Central Bank of nearly $1 billion. A typo in their transactions alerted a security officer, and the Federal Reserve Bank of New York was able to block 30 of their transactions, totaling $850 million. Still, the thieves made off with $101 million, of which only $38 million has been recovered. The thieves remain at large.
SWIFT in Name But Not in (Security) Practice
Founded in 1973, the Society for Worldwide Interbank Financial Telecommunication, more commonly known as SWIFT, is a secure international messaging network for conducting financial transactions. Over the past few decades, the network has grown from 239 customer banks to over 11,000 financial institutions across 200 countries. Banks rely on SWIFT to conduct financial transactions, including multi-million dollar exchanges. In 2015, the network transmitted over 6.1 billion messages.
But security is uneven, and in some cases, hopelessly substandard. In the Bangladesh Central Bank heist, the bank was operating without a firewall and using $10 second-hand network switches. Until a few months ago, the network did not require two-factor authentication (2FA) or additional authentication checks for high-value or anomalous transactions. Not surprisingly, SWIFT credentials were easily compromised without detection. Considering the vast wealth that the network ultimately controls, its security standards have been shockingly low.
SWIFT argues that’s not its job. Although the network advertises itself as “the world’s leading provider of secure financial messaging services,” some SWIFT board members such as Arthur Cousins have maintained that SWIFT is simply a network; SWIFT customers, therefore, are responsible for ensuring that security practices and tools are implemented correctly. If institutions fall short, regulators should penalize the institutions, not SWIFT.
Other board members agreed that the organization did not necessarily consider security their responsibility. And the organization’s security guidelines, limited as they were, were sometimes undermined by the limited budgets and resources of the smaller institutions they served. "The difficulty is always to keep the security system very effective when you deal with little banks and emerging countries," according to former SWIFT board member Alessandro Lanteri. "There, it is very difficult to be sure that all the procedures of security are managed in the correct way."
Leonard Schrank, CEO of SWIFT from 1992 to 2007, has a different opinion. Schrank believed security was part of SWIFT’s job. He told Reuters: “The board took their eye off the ball. They were focusing on other things, and not [on] the fundamental, sacred role of SWIFT, which is the security and reliability of the system.”
The attack on the Bangladesh Central Bank was not an isolated incident. There have been other successful attacks on the SWIFT system in recent years. In January 2015, thieves siphoned $12 million from Ecuador's Banco del Austro. In December, thieves almost managed to steal $1.4 million from Vietnam's Tien Phong Bank.
Clearly, something must change.
In May 2016, 14 months after the attack on the Ecuadoran bank, SWIFT management took action. The organization announced a new Customer Security Program comprising five initiatives that will be rolled out over time:
As part of this initiative, SWIFT is raising the security requirements for software interfaces to the SWIFT network. It will now require customers to implement two-factor authentication (2FA) solutions
These attacks on SWIFT should be a wake-up call, and not only to the SWIFT management team and the financial institutions that make up SWIFT’s customer base. They should remind providers of critical services in all industries, from financial services to energy to healthcare, that hackers will attack if they perceive value in attacking. Multi-layered security is essential to protect any IT system or resource of value.
The biggest threats today don’t come skulking through the front door demanding that a teller empty the cash drawer. Instead, the threat is working around the clock in unknown locations, and will quietly take advantage of any IT oversight to abscond with millions, even hundreds of millions, of dollars. Be ready.
Money isn’t the only valuable commodity moving in and out of banks. Content such as loan applications and account statements containing personally identifiable information (PII) is frequently transmitted between banks and their customers, as well as between banks, with little attention paid to security.
Accellion provides financial institutions such as Needham Bank, Middlesex Savings Bank, National Credit Services, Finance Factors, and others a solution to share sensitive information securely. With kiteworks, Accellion’s private cloud content collaboration platform, financial service professionals can seamlessly process loan applications with customers and third parties, collaborate on documents with colleagues in real-time, and improve productivity across all devices, while mitigating data breaches.