|
Exclusive: SWIFT
discloses more cyber thefts, pressures banks on security
Send a link to a friend
 [August 31, 2016]
By Jim Finkle
(Reuters) - SWIFT, the global financial
messaging system, on Tuesday disclosed new hacking attacks on its member
banks as it pressured them to comply with security procedures instituted
after February's high-profile $81 million heist at Bangladesh Bank.
In a private letter to clients, SWIFT said that new cyber-theft attempts
- some of them successful - have surfaced since June, when it last
updated customers on a string of attacks discovered after the attack on
the Bangladesh central bank.
"Customers’ environments have been compromised, and subsequent attempts
(were) made to send fraudulent payment instructions," according to a
copy of the letter reviewed by Reuters. "The threat is persistent,
adaptive and sophisticated - and it is here to stay."
The disclosure suggests that cyber thieves may have ramped up their
efforts following the Bangladesh Bank heist, and that they specifically
targeted banks with lax security procedures for SWIFT-enabled transfers.
The Brussels-based firm, a member-owned cooperative, indicated in
Tuesday's letter that some victims in the new attacks lost money, but
did not say how much was taken or how many of the attempted hacks
succeeded. It did not identify specific victims, but said the banks
varied in size and geography and used different methods for accessing
SWIFT.
A SWIFT spokeswoman declined to elaborate on the recently uncovered
incidents or the security issues detailed in the letter, saying the firm
does not discuss affairs of specific customers.
All the victims shared one thing in common: Weaknesses in local security
that attackers exploited to compromise local networks and send
fraudulent messages requesting money transfers, according to the letter.
Accounts of the attack on Bangladesh Bank suggest that weak security
procedures there made it easier to hack into computers used to send
SWIFT messages requesting large money transfers. The bank lacked a
firewall and used second-hand, $10 electronic switches to network those
computers, according to the Bangladesh police.
SWIFT has repeatedly pushed banks to implement new security measures
rolled out after the Bangladesh heist, including stronger systems for
authenticating users and updates to its software for sending and
receiving messages. But it has been difficult for SWIFT to force banks
to comply because the nonprofit cooperative lacks regulatory authority
over its members.
SWIFT told banks Tuesday that it might report them to regulators and
banking partners if they failed to meet a November 19 deadline for
installing the latest version of its software, which includes new
security features designed to thwart the type of attacks described in
its letter.
The security features include technology for verifying credentials of
people accessing a bank's SWIFT system; stronger rules for password
management; and better tools for identifying attempts to hack the
software.
[to top of second column] |
The SWIFT logo is pictured in this photo illustration taken April
26, 2016. REUTERS/Carlo Allegri/Illustration/File Photo
(For a graphic on how hackers made off with millions, click http://tmsnrt.rs/29WrMai)
SWIFT is trying coerce members into prioritizing cyber-security by threatening
to share confidential information about security lapses that banks want to keep
private, said Shane Shook, an independent security consultant who advises
central banks.
"That type of information sharing is something that no bank likes to see happen
without their direct approval and involvement, because it can affect market
confidence," Shook said.
SWIFT disclosed the new hacks after reports of previous incidents prompted
regulators in Europe and the United States to urge banks to bolster
cyber-security.
Other cases involving fraudulent transfer requests include the theft of more
than $12 million from Ecuador's Banco del Austro and a failed attempt later in
2015 to steal money from Vietnam's Tien Phong Bank.
The attacks have prompted regulators globally to press banks to bolster
defenses.
The Bank of England in April ordered UK firms to detail actions to secure
computers connected to the SWIFT system, while the European Banking Authority in
May said domestic authorities should stress test banks for cyber risks.
The Federal Reserve and other U.S. agencies told banks in June to review
protections against fraudulent money transfers.
Six U.S. senators on Monday urged the G20 nations to agree when they meet at a
summit this weekend on a “coordinated strategy to combat cyber-crime at critical
financial institutions.”
(Reporting by Jim Finkle in Boston. Additional reporting by Jonathan Spicer in
New York.; Editing by Brian Thevenot.)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
-Lincoln-IL/2801474193)
