How thieves ex­ploit a trusted global mes­sag­ing sys­tem for banks

How crooks are us­ing an in­ter­na­tional mes­sag­ing sys­tem to rob banks “If you don’t take this threat se­ri­ously, it will hap­pen to you”

Bloomberg Businessweek (Asia) - - NEWS - Kather­ine Bur­ton and Alan Katz

The cen­tral bank of Bangladesh was the vic­tim of one of the big­gest bank heists of all time in Fe­bru­ary, when thieves made off with $81 mil­lion. The perps are still at large—and may have the com­bi­na­tions to many more vaults.

Since the Bangladesh job came to light, other banks have come forward. In Ecuador, a com­mer­cial bank said it was held up for $12 mil­lion last year. A bank in Viet­nam said crim­i­nals tried, and failed, to steal $1.1 mil­lion in what ex­perts say may have been a prac­tice run for Bangladesh. By late May as many as a dozen more banks, mostly in South­east Asia, re­ported breakins. All of the at­tacks were com­mit­ted by cy­ber­crim­i­nals, and at least some made use of a mes­sag­ing sys­tem run by the So­ci­ety for World­wide In­ter­bank Fi­nan­cial Telecom­mu­ni­ca­tion, bet­ter known as Swift.

The crimes point to big trou­ble in the cross-bor­der trans­fer of money, the ba­sic plumb­ing of global fi­nance. Swift con­nects 11,000 mem­bers, in­clud­ing cen­tral and com­mer­cial banks, bro­kers, money man­agers, and multi­na­tional cor­po­ra­tions in more than 200 coun­tries and ter­ri­to­ries.

Banks in the de­vel­oped world weren’t tar­gets of the crime wave, but the breaches have served as a wake-up call that any sys­tem is vul­ner­a­ble. Se­cu­rity ex­perts say the dig­i­tal trail ap­pears to lead to North Korea, which the U.S. gov­ern­ment blamed for the Sony Pic­tures hack in De­cem­ber 2014.

The breaches un­der­mine trust and may hurt busi­ness in de­vel­op­ing coun­tries, if for­eign banks worry whether it’s a real bank or a crook on the other end of the line. “If banks lose con­fi­dence in Swift, they will ei­ther have to live with the dis­com­fort or re­duce their par­tic­i­pa­tion in cross-bor­der payments,” says Erin McCune, a payments strate­gist at con­sult­ing group Glen­brook Part­ners.

Swift, a non­profit co­op­er­a­tive based near Brus­sels, was founded more than 40 years ago to make it eas­ier for banks in var­i­ous coun­tries to communicate with one an­other. It re­placed mes­sages sent by telex ma­chines. The pri­vate net­work was de­signed to be more secure, and its mes­sages fol­lowed a pro­to­col so they could be quickly un­der­stood by banks any­where in the world.

Swift doesn’t move money it­self— trans­fers take place be­tween banks. But its mes­sages tell banks which ac­counts to debit and credit, and for how much, so a par­ent in New York City can send money to a child study­ing in Lon­don, or a cloth­ing company in France can pay a shirt fac­tory in Viet­nam. As many as 27.5 mil­lion Swift mes­sages are sent daily.

Swift has said the sys­tem it­self hasn’t been breached. That means the hack­ers haven’t been able to read or change a mes­sage trav­el­ing over its net­work. If Bank A gets in­struc­tions from Bank B, the mes­sage orig­i­nated from Bank B’s computer.

Hack­ers have made clear, how­ever, that Swift can’t en­sure the per­son send­ing the mes­sage from a bank’s computer works for that bank. In the case of Bangladesh, ma­li­cious soft­ware code, known as mal­ware, was in­tro­duced into the cen­tral bank’s sys­tems in Jan­uary. That prob­a­bly al­lowed hack­ers to record key­strokes and ul­ti­mately steal codes en­abling them to send fraud­u­lent mes­sages over the Swift net­work.

The hack­ers struck on Feb. 4, ask­ing for dozens of trans­fers equal­ing al­most $1 bil­lion. The mes­sages re­quested that money be sent from the Bangladeshi ac­count at the Fed­eral Re­serve Bank of New York to ac­counts in the Philip­pines and Sri Lanka. Most of the trans­ac­tions were blocked af­ter they were flagged for re­view to en­sure they com­plied

with U.S. sanc­tions rules. Five went through. The mal­ware dis­abled a printer in Bangladesh that would have spit out a list of com­pleted trans­fers, slow­ing de­tec­tion.

The money moved to the Philip­pines ac­counts, where it was then cashed out or passed on to sev­eral lo­cal casi­nos, where the trail goes cold. The Sri Lankan trans­fer was even­tu­ally negated be­cause of a typo.

Me­ga­banks have taken heed. JPMor­gan Chase

has cut the num­ber of its em­ploy­ees with ac­cess to Swift, and the Bank of Eng­land has in­structed in­sti­tu­tions it over­sees to beef up se­cu­rity. “If you don’t take this threat se­ri­ously, it will hap­pen to you,” says Avi­vah Li­tan, a cy­ber­se­cu­rity an­a­lyst at Gart­ner.

Banks in the de­vel­op­ing world need to do even more. Many have flim­sier fire­walls than ma­jor banks and don’t fol­low the high­est se­cu­rity mea­sures rec­om­mended by Swift, say ex­perts. That in­cludes us­ing a sec­ond piece of ex­ter­nal ver­i­fi­ca­tion, such as an eye or fin­ger­print scan, to sign in to a bank’s computers. Swift also rec­om­mends that mul­ti­ple peo­ple be in­volved in the mes­sag­ing process, such as one per­son to cre­ate the mes­sage and an­other to ap­prove and au­then­ti­cate it.

Swift is con­sid­er­ing mak­ing such se­cu­rity mea­sures manda­tory. It may also in­tro­duce pat­tern recog­ni­tion soft­ware to iden­tify sus­pi­cious be­hav­ior, sim­i­lar to what credit card com­pa­nies use to de­tect fraud. Yet changes will take time, and the poorer banks us­ing Swift will prob­a­bly al­ways lag on im­prove­ments needed to keep up with scam­mers.

In the mean­time, the hacked banks have tried to lay blame on big­ger, richer in­sti­tu­tions. The Bangladeshi bank said the New York Fed should have caught the fraud­u­lent trans­fers. The Ecuadorean bank, Banco del

Aus­tro, sued Wells Fargo, where it has an ac­count, say­ing the U.S. bank is partly to blame for the theft. The New York Fed and Wells Fargo both say they fol­lowed in­struc­tions au­then­ti­cated by Swift; Wells Fargo re­funded al­most $1 mil­lion. A con­gres­sional com­mit­tee has opened an in­quiry into the Bangladesh in­ci­dent and the New York Fed’s re­sponse to the at­tack.

The breaches will likely spark in­ter­est in find­ing other ways to make in­ter­na­tional payments. “But it’s go­ing to take years,” McCune says. And when even the safest tech­nol­ogy is used to link up vast num­bers of fal­li­ble hu­mans around the globe, hack­ers are likely to find an open­ing. “What­ever se­cu­rity bar­ri­ers we have, they can even­tu­ally be pen­e­trated,” says Hank Uberoi, head of Earth­port, a Lon­don­based global pay­ment firm that’s build­ing an al­ter­na­tive net­work. “And if you can get in­side, you can cre­ate havoc.”

Newspapers in English

Newspapers from Australia

© PressReader. All rights reserved.