How thieves exploit a trusted global messaging system for banks
How crooks are using an international messaging system to rob banks
“If you don’t take this threat seriously, it will happen to you”
The central bank of Bangladesh was the victim of one of the biggest bank heists of all time in February, when thieves made off with $81 million. The perps are still at large—and may have the combinations to many more vaults.
Since the Bangladesh job came to light, other banks have come forward. In Ecuador, a commercial bank said it was held up for $12 million last year. A bank in Vietnam said criminals tried, and failed, to steal $1.1 million in what experts say may have been a practice run for Bangladesh. By late May as many as a dozen more banks, mostly in Southeast Asia, reported break-ins. All of the attacks were committed by cybercriminals, and at least some made use of a messaging system run by the Society for Worldwide Interbank Financial Telecommunication, better known as Swift.
The crimes point to big trouble in the cross-border transfer of money, the basic plumbing of global finance. Swift connects 11,000 members, including central and commercial banks, brokers, money managers, and multinational corporations in more than 200 countries and territories.
Banks in the developed world weren’t targets of the crime wave, but the breaches have served as a wake-up call that any system is vulnerable. Security experts say the digital trail appears to lead to North Korea, which the U.S. government blamed for the Sony Pictures hack in December 2014.
The breaches undermine trust and may hurt business in developing countries, if foreign banks worry whether it’s a real bank or a crook on the other end of the line. “If banks lose confidence in Swift, they will either have to live with the discomfort or reduce their participation in cross-border payments,” says Erin McCune, a payments strategist at consulting group Glenbrook Partners.
Swift, a nonprofit cooperative based near Brussels, was founded more than 40 years ago to make it easier for banks in various countries to communicate with one another. It replaced messages sent by telex machines. The private network was designed to be more secure, and its messages followed a protocol so they could be quickly understood by banks anywhere in the world.
Swift doesn’t move money itself—transfers take place between banks. But its messages tell banks which accounts to debit and credit, and for how much, so a parent in New York City can send money to a child studying in London, or a clothing company in France can pay a shirt factory in Vietnam. As many as 27.5 million Swift messages are sent daily.
Swift has said the system itself hasn’t been breached. That means the hackers haven’t been able to read or change a message traveling over its network. If Bank A gets instructions from Bank B, the message originated from Bank B’s computer.
Hackers have made clear, however, that Swift can’t ensure the person sending the message from a bank’s computer works for that bank. In the case of Bangladesh, malicious software code, known as malware, was introduced into the central bank’s systems in January. That probably allowed hackers to record keystrokes and ultimately steal codes enabling them to send fraudulent messages over the Swift network.
The hackers struck on Feb. 4, asking for dozens of transfers equaling almost $1 billion. The messages requested that money be sent from the Bangladeshi account at the Federal Reserve Bank of New York to accounts in the Philippines and Sri Lanka. Most of the transactions were blocked after they were flagged for review to ensure they complied with U.S. sanctions rules. Five went through. The malware disabled a printer in Bangladesh that would have spit out a list of completed transfers, slowing detection.
The money moved to the Philippines accounts, where it was then cashed out or passed on to several local casinos, where the trail goes cold. The Sri Lankan transfer was eventually negated because of a typo.
Megabanks have taken heed. JPMorgan Chase has cut the number of its employees with access to Swift, and the Bank of England has instructed institutions it oversees to beef up security. “If you don’t take this threat seriously, it will happen to you,” says Avivah Litan, a cybersecurity analyst at Gartner.
Banks in the developing world need to do even more. Many have flimsier firewalls than major banks and don’t follow the highest security measures recommended by Swift, say experts. That includes using a second piece of external verification, such as an eye or fingerprint scan, to sign in to a bank’s computers. Swift also recommends that multiple people be involved in the messaging process, such as one person to create the message and another to approve and authenticate it.
Swift is considering making such security measures mandatory. It may also introduce pattern recognition software to identify suspicious behavior, similar to what credit card companies use to detect fraud. Yet changes will take time, and the poorer banks using Swift will probably always lag on improvements needed to keep up with scammers.
In the meantime, the hacked banks have tried to lay blame on bigger, richer institutions. The Bangladeshi bank said the New York Fed should have caught the fraudulent transfers. The Ecuadorean bank, Banco del Austro, sued Wells Fargo, where it has an account, saying the U.S. bank is partly to blame for the theft. The New York Fed and Wells Fargo both say they followed instructions authenticated by Swift; Wells Fargo refunded almost $1 million. A congressional committee has opened an inquiry into the Bangladesh incident and the New York Fed’s response to the attack.
The breaches will likely spark interest in finding other ways to make international payments. “But it’s going to take years,” McCune says. And when even the safest technology is used to link up vast numbers of fallible humans around the globe, hackers are likely to find an opening. “Whatever security barriers we have, they can eventually be penetrated,” says Hank Uberoi, head of Earthport, a London-based global payment firm that’s building an alternative network. “And if you can get inside, you can create havoc.”
Katherine Burton and Alan Katz