Global banks tighten SWIFT system security
GENEVA (Reuters) — Banks are tightening the security of their SWIFT messaging networks – used by the industry to shift trillions of dollars each day – following revelations that hackers are increasingly able to get into this system to steal money.
Bankers at SWIFT’s annual SIBOS conference in Geneva said they were adopting new security tools, reviewing procedures and pressing their counterparties to do the same. Some banks are also looking at alternative technologies for transferring money, such as blockchain-type systems.
They are stepping up their efforts after the theft of $ 81 million from the Bangladesh central bank in February and revelations of other infiltration of banks’ SWIFT terminals. These hacks have undermined confidence in SWIFT messages, which were previously accepted at face value.
“The attacks will continue and get more sophisticated,” SWIFT chief executive Gottfried Leibbrandt warned delegates at the conference organized by SWIFT, which is a global member-owned cooperative.
Benoit Desserre, global head of Global Transaction Banking at France’s Societe Generale, said his bank had already undertaken all of SWIFT’s recommended security measures but that the hacks had encouraged it to go one step further.
The bank is introducing a new layer of security whereby the staff who are approved to send SWIFT payment instructions must now sign on with a fingerprint scanner. This is in addition to passwords and a physical computer key.
“It was easier for us to make that investment knowing what has happened,” he told Reuters in an interview. “It suddenly became more important to get something like that.”
In time, SocGen may press its counterparties to use a similar system, only agreeing to fulfill payment instructions which carry a digital fingerprint, Desserre said. But he said cost could slow a broader roll-out of the technology.
In the wake of the hacks, the French bank also went through its SWIFT system to weed out redundant communications channels. SWIFT operates like Facebook in that members can only send messages to confirmed counterparties. But sometimes these links remain open even after business relationships end.
SWIFT’s chairman Yawar Shah told delegates at the conference that such open channels were a security risk and that all banks should weed out unused channels.
Desserre said Societe Generale had removed thousands.
Cheri McGuire, chief information security officer at Standard Chartered said her bank was also conducting an internal review around its SWIFT systems.
But banks are not just looking at their own systems.
The Bangladesh Bank heist involved diverting money held at accounts at the Federal Reserve Bank of New York into accounts in the Philippines.
Bankers said to avoid this happening in the future bigger banks needed to ensure the smaller banks they work with have appropriate security procedures.
Sergio Dalla Riva, head of Product Development, Global Transaction Banking at Intesa Sanpaolo S.p.A. said understanding the security capabilities of your clients was becoming part of customer due diligence.
Lev Khasis, chief operating officer at Sberbank, Russia’s biggest bank by assets, said he expected regulators to tighten oversight of security practices but that peer pressure would also play a role.
“Some big banks will be pushing their smaller counterparties to move in that direction,” he said. Sberbank was already pushing its clients in this way, he said.
The SWIFT hacks are also spurring interest in new technologies.
Lars Sjogren, global head of Transaction Banking at Danske Bank said his bank was working with technology companies to develop tools that would spot unusual and potentially fraudulent payment instructions sent via SWIFT.