You may have seen references in the media over the last couple of weeks to hacks involving the SWIFT financial network. So, for those of you not overly familiar with banking and finance, what is SWIFT and why should it concern you?
SWIFT, or to give it its full title, the Society for Worldwide Interbank Financial Telecommunication, is, as the name suggests, the primary method by which banks and other financial institutions move money between each other around the globe (and has been for nearly 40 years). Casting my mind back to the very early years of my career, I remember keying in SWIFT transactions as part of my work in international settlements. Most people only ever come across SWIFT when making a very large payment, such as purchasing a house, where a SWIFT transfer is often used to complete the transaction.
In essence it is a private, encrypted messaging system with about 11,000 members worldwide. Don’t let the relatively small number of members fool you: in 2015, the network transmitted more than 6 billion messages. The nature of this private ‘club’ can sometimes mean that users are unaware of the security issues, or underestimate the impact that wider, better-known problems can have on such a system.
Again, from my early career, I remember SWIFT being run from a dedicated terminal, connected over X.25 circuits (I am really showing my age now!), but times change and SWIFT systems can now be deployed on a number of Windows / Linux / UNIX platforms.
So, given its position in the financial world, it is perhaps not surprising that it has become a target for hackers. Whilst the security of the SWIFT system itself has generally been regarded as pretty good, the weaknesses have appeared in the systems and networks that it connects to. In other words, the compromises that have taken place have been targeted against back-office devices and users. Once these were compromised, the attackers gained elevated privileges relating to SWIFT usage and conducted fraudulent transactions.
Recent reports in the press suggest that the attackers may have altered some of the SWIFT software to cover the tracks of the fraudulent payments. To date the largest reported loss is $81 million, from a Bangladesh Bank account at the New York Federal Reserve. An earlier attack against Banco del Austro in Ecuador has also been disclosed (resulting in the loss of $12 million).
These attacks are concerning, as they suggest that the attackers have intimate knowledge of the workings of SWIFT software and systems. These were not random events, and other financial institutions may well have been targeted. It is still not clear whether the attackers were internal or external to the organisations that were hit.
SWIFT transfers have generally required two sets of authentication: that of the operator who keys the payment, and then that of a manager who approves it so the payment can be made. It would appear that the attackers gained both sets of IDs and authentication. This would suggest, as SWIFT has noted, lax security practices at end-user organisations. Clearly SWIFT needs to do more to help its member organisations, but there must also be action from the banks too.
The attacks yet again highlight the need to do the basics of network security properly: know your network; train your staff; restrict the use of privileged accounts; and properly log and monitor your network traffic. Treat all traffic as untrusted until you know otherwise. No matter how secure you think your network and applications are, think like a hacker. Look for the weak links; they always exist.
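The two-person (operator keys, manager approves) control and the "log and monitor" advice above only help if someone actually reviews the audit trail for signs that both sets of credentials are being driven by one hand. The script below is an added example written for this post, not SWIFT's software or any bank's code: it reads a small constructed payment-audit log (the field layout and user names are assumptions, not a real SWIFT message or log format) and flags approvals that undermine the maker/checker control, such as the same user or the same workstation on both steps, an approval seconds after creation, or activity outside business hours.

```python
"""Maker/checker review over a constructed payment-audit log.

Constructed example: field layout, hosts and users are assumptions,
not a real SWIFT log format.  Each line is:
  <ISO timestamp> <payment id> <create|approve> <user> <role> <host> <amount>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PaymentEvent:
    ts: datetime
    payment_id: str
    action: str   # "create" (operator keys it) or "approve" (manager releases it)
    user: str
    role: str     # "operator" or "manager"
    host: str
    amount: int


# Constructed sample log (assumed layout).  P1002 and P1003 are the
# interesting ones: same workstation / seconds apart / same person twice.
SAMPLE_LOG = [
    "2016-02-04T23:55:02 P1001 create  alice operator WS-07 120000",
    "2016-02-05T09:12:40 P1001 approve bob   manager  WS-12 120000",
    "2016-02-05T01:03:11 P1002 create  carol operator WS-03 81000000",
    "2016-02-05T01:03:19 P1002 approve dave  manager  WS-03 81000000",
    "2016-02-05T10:20:00 P1003 create  erin  operator WS-05 5000",
    "2016-02-05T10:25:00 P1003 approve erin  manager  WS-05 5000",
    "2016-02-05T11:00:00 P1004 create  frank operator WS-09 2500",
]


def parse_log(lines):
    """Parse the constructed whitespace-separated records into PaymentEvents."""
    events = []
    for line in lines:
        ts, pid, action, user, role, host, amount = line.split()
        events.append(PaymentEvent(datetime.fromisoformat(ts), pid, action,
                                   user, role, host, int(amount)))
    return events


def review(events, min_gap=timedelta(minutes=2), business_hours=(8, 18)):
    """Return a list of (payment_id, reason) findings for released payments.

    A payment is only considered once it has an 'approve' record, because
    until then nothing has left the bank.  Thresholds are illustrative.
    """
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.payment_id, {})[e.action] = e

    findings = []
    for pid, steps in sorted(by_pid.items()):
        created, approved = steps.get("create"), steps.get("approve")
        if approved is None:
            continue  # still pending
        if created is None:
            findings.append((pid, "approval without a matching create record"))
            continue
        if approved.user == created.user:
            findings.append((pid, "same user created and approved (four-eyes bypass)"))
        if approved.host == created.host:
            findings.append((pid, "create and approve from the same workstation"))
        if approved.ts - created.ts < min_gap:
            findings.append((pid, "approval too soon after creation"))
        if approved.role != "manager":
            findings.append((pid, "approved by a non-manager role"))
        for e in (created, approved):
            if not business_hours[0] <= e.ts.hour < business_hours[1]:
                findings.append((pid, f"{e.action} by {e.user} outside business hours"))
    return findings


if __name__ == "__main__":
    for pid, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{pid}: {reason}")
```

On the sample log, P1001 is flagged only for being keyed late at night, P1002 for same workstation, an eight-second approval gap and out-of-hours activity on both steps, and P1003 for one person acting as both operator and manager; the pending P1004 produces nothing. In a real deployment the thresholds and the host check would be tuned to how the back office actually works, but the point stands that the second credential is worthless as a control if the review only confirms it was present rather than who used it, from where, and when.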