By now most people are aware of the reports of a second third SWIFT related hack. I was reading about the various reactions to the hacks and it is pretty alarming stuff. The Vietnam hack involves a SWIFT Service Bureau which for many corporates is a scary prospect, because many of them are also using SWIFT service bureaus to manage their connections to the SWIFT network. This is the world we’re in right now, and I’m pretty certain these types of attacks will increase. How SWIFT, corporates and financial institutions deal with the threat is the bigger question. For now, lets take a step back and take a look at the emerging news stories that reveal the key details:
SWIFT Security:
Firstly, a quick word on SWIFT and security. Clearly, security is a big deal for SWIFT, they pride and distinguish themselves from other connectivity solutions based on world class security and reliability – and there is a perception that the end to end SWIFT solution is 100% secure. Dare i say it there is complacency, and the recent events highlight the fact that the solution is only as strong as its weakest link:
- SWIFT‘s tag line is “The global provider of secure financial messaging services”
- SWIFT talk a lot about their “uncompromising approach to information security”
- When it comes to security, the SWIFT motto is “Failure is Not An Option” (FNAO)
- Many financial institutions have at some point or other been subjected to some kind of cyber attack, data breach and/or fraudulent payments
- The SWIFT network that connects banks and corporates is therefore a target and will be vulnerable, as are the institutions that use the SWIFT network
Known Hacks Involving the SWIFT Network:
In the order that they have been revealed:
- February 2016 – Bangladesh Bank (Bangladesh)
- Attempted heist value: $951 million
- Successfully transferred amount: $81 million
- December 2015 – TP Bank (Vietnam)
- Attempted heist value: $1.1 million
- Successfully transferred amount: 0
- January 2015 – Banco Del Austro / BDA (Ecuador)
- Attempted heist: $12 million
- Successfully transferred amount: $9 million
SWIFT Related Hacks – Breaking News Stories:
There are of course lots of articles covering the attacks. The following are the key stories that broke the news along with some what i found interesting insights:
June-2016:
- 25-Jun-2016: Kviv Post – Hackers steal $10 million from a Ukrainian bank through SWIFT loophole
- 3-Jun-2016: FT – Swift threat to suspend vulnerable members
- 3-Jun-2016: Reuters – SWIFT CEO fights to restore faith in bank messaging system
May-2016:
- 27-May-2016: Reuters – Cyber firms say Bangladesh hackers have attacked other Asian banks
- 26-May-2016 – Symantec – SWIFT attackers’ malware linked to more financial attacks
- 24-May-2016: Reuters – SWIFT to unveil new security plan after hackers’ heists
- 20-May-2016: Reuters – Special Report: Cyber thieves exploit banks’ faith in SWIFT transfer network
- 20-May-2016: Wall Street Journal – Alarmed Swift Urges Banks to Report Hacking Attempts
- 19-May-2016: Wall Street Journal – Now It’s Three: Ecuador Bank Hacked via Swift
- 19-May-2016: Reuters – Exclusive – UK banks ordered to review cyber security after SWIFT heist
- 19-May-2016: Reuters – Top Democratic senator probes SWIFT, NY Fed about Bangladesh heist
- 19-May-2016: Reuters – Bangladesh Bank official’s computer was hacked to carry out $81 million heist: diplomat
- 18-May-2016: Reuters – U.S. banks scrutinize SWIFT security after hacks: reports
- 17-May-2016: Reuters – Slovenian bank was recipient named in failed Vietnam cyber-heist
- 17-May-2016: The Wall Street Journal – J.P. Morgan Reduced Some Employees’ Access to Swift System in Recent Weeks
- 15-May-2016: Reuters – Vietnam bank says interrupted cyber heist using SWIFT messaging
- 14-May-2016: Seeking Alpha – Swift Is Hacked Again. The Bitcoin/Blockchain Fat Lady Sings.
- 14-May-2016: Reuters – Bangladesh Bank heist similar to Sony hack; second bank hit by malware
- 13-May-2016: BAE Systems – CYBER HEIST ATTRIBUTION
- 13-May-2016: SkyPort Systems – FIVE NECESSARY IMPROVEMENTS TO THE SWIFT (NOT TAYLOR SWIFT) SECURITY MODEL
- 9-May-2016: Reuters – Exclusive – Technicians from SWIFT left Bangladesh Bank exposed to hackers – police
- 12-May-2016: New York Times – Once again, thieves enter SWIFT financial network and steal
April-2016:
- 26-Apr-2016: Bloomberg – Swift Hack Is a Story of Globalization and Poverty
- 26-Apr-2016: Reuters – Exclusive: SWIFT warns customers of multiple cyber fraud cases
- 25-Apr-2016: BAE Systems – Two Bytes to $951
- 25-Apr-2016: Reuters – Bangladesh Bank hackers compromised SWIFT software, warning issued
SWIFT Press Releases:
Since the stories broke, SWIFT have issued a number of SWIFT security statements:
August-2016:
- 16-Aug-2016: Joint Statement: Federal Reserve Bank of New York, Bangladesh Bank and SWIFT
- 16-Aug-2016: SWIFT launches security tools campaign
July-2016:
- 25-Jul-2016: Cyber security in the financial industry – Managing the Rise in cyber crime
- 11-Jul-2016: SWIFT engages expert cyber security firms and establishes dedicated Customer Security Intelligence team
- 7-Jul-2016: Cyber security in the financial industry
June-2016:
- 10-Jun-2016: Board Announcement: SWIFT AGM and Customer Security Programme
May-2016:
- 27-May-2016: SWIFT launches dedicated customer security programme
- 24-May-2016: Gottfried Leibbrandt on cyber security and innovation
- 20 May 2016: SWIFT customer communication: Cooperating on cyber-security
- 13-May-2016: SWIFT Customer Communication: Customer Security Issues
- 10 May-2016: Joint Statement: Federal Reserve Bank of New York, Bangladesh Bank and SWIFT
- 9-May-2016: SWIFT statement on recent allegations
April-2016:
- 25-Apr-2016: SWIFT comments on malware reports