Increased Spending Follows Bangladesh Bank Heist, Ongoing Attacks SWIFT Chairman Yawar Shah, pictured at a SWIFT conference in Geneva on Sept. 26, 2016, has tied management incentives to security targets. (Photo: SWIFT)
Banks that collectively own SWIFT saw their profits vanish last year as the organization increased its investments in information security, even as the interbank messaging service handled record volumes of money-moving messages.
The investment followed the $81 million heist from the central bank of Bangladesh in February last year, accomplished by attackers who issued fraudulent SWIFT money-moving messages from a compromised Bangladesh Bank system. News of the attack sparked a public relations disaster for the Brussels-based cooperative, formally known as the Society for Worldwide Interbank Financial Telecommunication, calling into question the integrity of its messaging service and whether the organization was doing enough to police members’ information security practices.
A newly released annual report shows that SWIFT’s 2016 profit – before tax and rebates to its owner-customers – fell by 31 percent, to €47 million ($53 million). SWIFT operates as a cooperative, and at the organization’s discretion, profits can be distributed to members in the form of rebates or lower service prices, which totaled €33 million ($37 million) in 2015. In 2016, however, SWIFT issued no such rebates, reflecting the organization’s increased spending on information security.
Meanwhile, the overall volume of messages sent using the service increased by 7 percent from 2015 to 2016, hitting a record-setting peak in June 2016 of more than 30 million messages sent in one day.
SWIFT declined to comment on its financial results.
In its 2016 annual report, SWIFT reports that it has tripled the size of its security team over the past three years, and plans to add additional staff. In addition, it now maintains a 24/7 Security Operations Center designed to monitor for and respond to any logical or physical attacks against SWIFT or its messaging system.
“In line with the increased threat, and reflecting our uncompromised focus on security, we have continued to invest in security and grow our dedicated staff; by the end of 2016 we had tripled the size of our security teams over the previous three years,” says SWIFT CEO Gottfried Leibbrandt. “We have bolstered our information security function by hiring a new chief information security officer (CISO) and creating new positions in the CISO office, enhancing the existing talent in this important part of our organization. To ensure our own readiness to respond to unexpected threats, we also continued to test ourselves, carrying out more than 500 business continuity exercises during the year.”
SWIFT’s management team members now have incentives linked to specific security targets set by Chairman Yawar Shah, Reuters reports.
Those moves followed the February 2016 central bank of Bangladesh heist, which saw attackers use fraudulent SWIFT messages to attempt to steal $951 million from the bank’s Federal Reserve of New York account. Ultimately, they made off with $81 million, and other banks revealed similar attacks, some of which had been successful.
SWIFT says more than 11,000 financial institutions across 200 countries and territories now use its interbank messaging system.
U.S. government sources have told media outlets that federal investigators traced the Bangladesh Bank heist to attackers associated with North Korea. But security experts say multiple groups have been launching such attacks.
Bangladesh Bank Heist Fallout
SWIFT has continued to emphasize that its messaging network has not been hacked. “There is no indication that SWIFT’s network or core messaging services were compromised in any of these attacks,” it annual report reads.
In the wake of the Bangladesh Bank heist, however, critics alleged that SWIFT was failing to do enough to ensure that the institutions that use its system are themselves secure. The apparent ease with which attackers had commandeered Bangladesh Bank’s systems and used it to issue fraudulent money-moving messages called into question the integrity of SWIFT’s messaging environment. The bank’s response – blaming SWIFT and the Federal Reserve Bank of New York – also triggered unwanted scrutiny of banks’ information security practices by regulators in multiple countries as well as public relations fallout for SWIFT.
In response, SWIFT issued updated security guidance to customers, warned them that it would soon require them to comply with a number of mandatory security controls, and announced the launch of a new Customer Security Program in July of last year.
SWIFT also launched a hearts-and-minds campaign, asking banks to tell it when they saw attacks that touched – or attempted to subvert – SWIFT’s messaging system. The organization also created an internal digital forensics and customer security intelligence team, promised of better attack-related intelligence, as well as contracting with cybersecurity specialists BAE Systems and Fox-IT to provide incident response services for hacked banks, as part of its new Customer Security Intelligence team, which shares attack-related intelligence with customers.
“Information sharing is being spearheaded by SWIFT’s new Information Sharing and Analysis Centre (ISAC), a secure portal that shares intelligence bulletins and other cybersecurity-related information,” according to Stephen Gilderdale, head of the U.K., Ireland and Nordics region for SWIFT.
“This initiative is led by SWIFT’s Customer Security Intelligence (CSI) team, which analyzes reported incidents to help customers to protect themselves against similar attacks,” he adds. “The CSI team studies the modus operandi of the attackers, develops indicators of compromise, and provides the information back to the financial community through a security notification service in anonymized form.”
In July 2016, SWIFT released updated client software – Alliance Access Release 7.1.20 and 7.0.70 – that it says added “stronger default password management,” integrity-checking features as well as built-in two-factor authentication.
In December 2016, SWIFT launched Daily Validation Reports, which it bills as a “secondary fraud control” designed to allow “to help smaller banks identify potential fraud by verifying the previous day’s transactions, as well as seeing flags for any large, unusual or new types of payments.
Multiple Attack Groups
Attackers have continued to target banks via fraudulent money-moving messages sent from hacked institutions that connect to the SWIFT network. Security firms have blamed some other recent attacks of this type – targeting banks in Europe – on hackers that may be tied to North Korea.
But experts say multiple groups of criminal hackers have been targeting SWIFT-using banks (see Hackers Target SWIFT-Using Banks With Odinaff Malware).
In addition, earlier this year, a dump by the Shadow Brokers revealed an apparent National Security Agency program designed to hack into – and monitor – some SWIFT-using institutions, via a third-party SWIFT service bureau. The impetus for the monitoring, experts say, is likely to track terrorism-related financing or monitor for violations of U.S. sanctions (see Hackers Reveal Apparent NSA Targeting of SWIFT Bureaus).