Like anyone perfecting their craft, cyber-criminals are honing their skills and aiming upward, using malware to steal money not only from retail payments systems but from the global commercial payments systems used to transfer billions among banks every day.
In the months since the headline-grabbing story of a malware attack through the Bangladesh central bank in February, which reportedly netted crooks USD$81 million, at least two other major cyber heists at central banks in Vietnam and Ecuador have prompted questions and concerns about the security inherent in the payments systems of these international banks, and the over-arching banking messaging network that connects them.
That network, Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a cooperative owned by about 3000 global financial institutions, is at the heart of these concerns – even though the network was likely not the point of entry for the cyber-thieves in most cases.
“As far as I can tell, the SWIFT core system itself was not compromised, mainly the access to it by its member banks,” says Neira Jones, a former head of payment security at Barclaycard, and currently a consultant and partner in the Global Cyber Alliance. “Essentially, transfer messages were taken at face value and enabled criminals to syphon large sums of money.”
Indeed, in the case of the Bangladesh central bank, digital forensic experts investigating the incident found that the online crooks had used fraudulent SWIFT messages and installed malware inside the Dhaka headquarters of that bank, which hid and delayed discovery of their theft of USD$81 million from a central bank account held at the Federal Reserve Bank of New York. Similar cyber-attacks were discovered and reported later this spring at Vietnam’s Tien Phong Bank and Ecuador’s Banco del Austro, from which thieves stole at least USD$12 million.
Mark Weatherford, former undersecretary for cybersecurity at the U.S. Department of Homeland Security and currently chief cybersecurity strategist for data center security vendor vArmour, points out that these attacks are not really using any new techniques or even targeting new victims, just new vectors. “While SWIFT was the attack vector, the primary security weakness is at the local bank level,” Weatherford continues. “Many organizations are still missing the mark when it comes to developing a culture of security that is ingrained across that organization.”
After the attacks, SWIFT issued a letter that seemed to convey this sense of increasing threat, while making it clear that it is the duty of their bank-partners to shore up their security.
“SWIFT has recently shared information regarding a number of fraudulent payment cases where affected customers suffered a breach in their local payment infrastructure,” the letter to bank-customers read. “We would like to reassure you again that SWIFT’s network, services and software were not compromised. While customers are responsible for the security of their own environment, security is our top priority and as an industry-owned cooperative we are committed to helping our customers fight against cyber-attacks.”
Steve Durbin, managing director for the Information Security Forum, says that “technical capabilities and reach of cyber-criminals now equals those of many governments and organizations. In the next few years, these capabilities will extend far beyond those of their victims.” As a result, he says the ability of current control mechanisms to protect organizations, even central banks, is likely to diminish, exposing them to greater impact.
Criminals will follow the money, and while attacking a major central bank or its payment network might not be the easiest target, it stands to be the most lucrative or the most damaging. Arbor Networks’ most recent Worldwide Infrastructure Security Report found that in the last year, the financial services sector moved from the fifth most attacked industry sector to second, according to Richard Brown, director EMEA channels and alliances at Arbor Networks. “There is no doubt that the banking sector is a lucrative target for cyber-criminals, so we can expect to see a continued rise in attacks against the sector… whether attackers go directly for the money held in the bank, the personal details of those using it, or simply look to disrupt their operations, it is a very real threat,” Brown says.
With the plethora of high-profile cyber-attacks and ongoing hacktivism targeting banks, cybersecurity has “never been more of a priority for financial services organizations,” according to Paul McEvatt, senior cyber threat intelligence manager in the United Kingdom and Ireland for Fujitsu. “With reports of customized malware used in the SWIFT attacks aligning to the environment it executed in, it’s difficult to imagine a traditional anti-virus system detecting these attacks, and it is also safe to assume there was an element of insider knowledge or an actor being inside of the network for a significant amount of time.”
The organized crime rings operating around the globe that perpetrate these crimes are not just your run-of-the-mill hobbyist hackers, experts say. Instead, they are employing a host of various exploits in concert – social engineering, phishing, malware, ransomware, brute force attacks – to achieve their desired goals.
“Malware attacks such as those used in the Bangladesh Bank heist illustrate some sophisticated choreography by criminals who exploited bank employees that didn’t instill a cyber-aware culture,” says Yong-Gon Chon, CEO of Cyber Risk Management. “It also illustrates a predictable messaging system process that was cleverly timed and exploited. Malware was only part of the recipe, which cloaked the discovery of the bogus transactions.”
As Paula Musich, research director for NSS Labs, puts it: “Cyber thieves are pragmatic, and when something works, they continue to use it until it’s not so effective.”
Effective Response?
In the interest of trying to mitigate the risk and impact of such attacks, SWIFT and its bank-members are making an effort to mount a better defense. In May 2016, SWIFT CEO Gottfried Leibbrandt outlined a plan to improve information-sharing in the global financial community, harden security requirements and enhance security audit frameworks for customers, support payment pattern controls to locate suspicious activity, and introduce certification requirements for third parties (which are increasingly being used as a way in to bank and payments networks).
Specifically, the international financial network has announced it will broaden its use of two-factor authentication when banks move funds, and require more information from, and communicate information about incidents to, its customers. SWIFT also established a centralized hub, accessible only to its banks, to share information about malware and security issues. While SWIFT caught flak for not instituting more vigorous security requirements sooner, industry insiders see its recent announcements as a positive first step.
Durbin believes these proposals are “absolutely spot on and long overdue.” The ISF had previously highlighted that third parties were becoming a key route for cyber-criminals and has long been a proponent of better information sharing, he says.
Geoff White, business group leader at Lloyd’s Barbican Insurance Group underwriters, says that SWIFT’s recent decision to demand minimum standards of security shows the importance of “maintaining cybersecurity standards throughout your supply chain.” He believes this is a useful precursor to the upcoming General Data Protection Regulation which will mandate businesses to adhere to strict data protection compliance standards or face fines of up to 4% of global revenue.
Weatherford also believes SWIFT laid out a good, if overdue, plan, which he believes will be effective “because it will require companies to invest in security products and services and also, perhaps most importantly, it will require banks to raise their overall security IQ.” From a timing perspective, Weatherford says these security enhancements should get immediate traction but longer term, “they will probably require development of audit standards and certifications.”
In a speech in Beijing in late May, Andrea Enria, chairman of the European Banking Authority, which coordinates banking rules across the European Union, called on regulators to stress-test local banks in their own countries to better understand potential risks. Around the same time, the Bank of England, as well as central banks in Singapore and the Philippines, announced that they would ask their banks to improve security systems and protocols. Similarly, Mary Jo White, chair of the U.S. Securities and Exchange Commission, is just one of the U.S. regulators who have publicly pointed to cybersecurity as the biggest risk facing the financial system. In May, the Hong Kong Monetary Authority launched a program, the Cybersecurity Fortification Initiative, to help its lenders protect critical technology systems.
Stephen Migliore, senior director of cybersecurity for the Global Financial Services unit at Unisys, believes that these cyber-attacks and the various global responses underscore the “fact that banks need to be responsible for their own security. In a system based on trust, the whole is only as strong as its weakest link.”
While McEvatt believes the Bank of England’s CBEST security framework “is a welcome measure and ensures strong guidance is complied with,” he also thinks that CIOs and chief information security officers in the banking industry are facing an unenviable challenge: securing multi-channel environments while ensuring customer experience does not suffer.
To this end, Durbin recommends banks conduct strong reviews of third party access, refocus more security emphasis on mission-critical information assets and systems, and conduct audits of their own security systems and procedures. White also believes SWIFT, for its part, needs to increase its communication with its bank-customers, and through groups like the Financial Services Information Sharing and Analysis Center.
However, experts also agree that it will likely take more than better technology and even better protocols and policies to reduce the risk of such attacks. “While there is certainly a technology component and things like two-factor authentication, encryption, increased monitoring etc. are critical, increased security awareness across the board will have the biggest impact,” says Weatherford.
“Human nature is very stubborn, so until something happens to you, it’s easy to think that it only happens to ‘the other guy.’ As cyber-related attacks have become mainstream and increasingly common, companies are beginning to realize that maybe they are ‘the other guy’ and that they should be investing more and paying more attention.”