18 February 2018

Swift outlines new security protocols as crisis escalates

24 May 2016

Financial messaging network Swift is to launch a five-point security plan in a bid to restore faith in the integrity of the system in the wake of a series of exploits at connected bank sites.

Swift CEO Gottfried Leibbrandt will tell a conference in Brussels that the bank-owned co-operative will introduce certification requirements for interface device vendors and help banks use pattern recognition to identify suspicious behavior. The banking co-operative also plans to provide auditors and regulators with tighter guidelines to help in the assessment of bank security procedures.

Leibbrandt's remarks follow a torrid period for the company after the emergence of a series of attacks on at least three banks connected to the network, including a successful $81 million heist at the central bank of Bangladesh.

Describing the Bangladesh incident as a “watershed event for the banking industry”, Leibbrandt will say: “There will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident ... this is a big deal. And it gets to the heart of banking.”

The interbank network, which connects over 10,000 institutions globally, was conceived with resilience and security at its core and designed to meet the highest standards of confidentiality, integrity and availability. While the core messaging network remains impervious to hackers, the latest revelations of inadequate security controls at bank sites have seriously dented Swift's reputation.

The news cycle has been particularly uncomfortable for Swift chairman Yawar Shah after it emerged that his own bank, Citi, was party to a lawsuit lodged by Ecuador's Banco del Austro (BDA) against Wells Fargo over the transmission of three bogus Swift transfers that led to $12 million in losses. BDA says that a similar issue saw Citi transfer $1.8 million after fraudulent requests through the Ecuadorian bank's Swift terminal, but Citi repaid the money.

None of the three banks informed Swift of the attacks, despite the co-operative's insistence that users should "immediately inform Swift of any suspected fraudulent use of their institution’s Swift connectivity or related to Swift products and services".

"Information sharing needs to get better, much better," Leibbrandt will say. "It is critical that the global financial community works together to bolster our mutual security."

The new security procedures have been drawn up by Swift following urgent consultations with board members and regulators over the escalating crisis.

More bad news may be on the horizon. "The Bangladesh fraud is not an isolated incident," Leibbrandt will tell the Brussels conference. "We are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts."

In a speech to the same conference last year, Leibbrandt called on EU policymakers to work towards the creation of a standardised global framework for international cyber-security and admitted to feelings of paranoia over the persistent threat.

"The cyber threat is very real and persistent. Cyber-attacks are getting ever more sophisticated, and the landscape is getting more complex," he said. "Every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done. When we don't sleep, it is because of cyber risks."

Comments: (5)

Hitesh Thakkar - FIS Payments Software and Services India - India | 24 May, 2016, 14:14

Actions welcomed from SWIFT. Look forward to further announcement of Five Point Security Plan by SWIFT.

Curious to know if SWIFT explores and includes -- Biometric Authentication of Transactions (for High value txns - Single or cumulative) needed before posting it to SWIFT - (maybe a pipe dream of mine).

Certification and Audit are welcomed (I assume it will be more serious now).

A Finextra member | 25 May, 2016, 12:47

What is "certification requirements for interface device vendors"? The device used to initiate a payment was a computer. In this case malware was installed and used to commit the fraud. Technically the malware injected malicious code into the Swift application - an application with no self-defending capabilities. Adding biometry on top of an insecure application is not going to help. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 25 May, 2016, 16:55

"will tell a conference", "will say". 

Predictive journalism?:)

Hitesh Thakkar - FIS Payments Software and Services India - India | 25 May, 2016, 17:41

@Bjorn - Biometric templates are usually unique and secured while scanning (at least Morpho devices) requires unique scan ID created with keys and difficult to break.

How can a transaction be posted with such unique ID with biometric authentication by malware?

A Finextra member | 27 May, 2016, 06:32

@Hitesh: An attacker doesn't need to break into the parts of the solution that handle the biometric data. The application logic in a vulnerable application is normally easier to manipulate. Malware typically injects malicious code that changes a "no" to "yes". Same thing as with cryptography: It is usually bypassed, not broken. To fix this problem you need to add malware resistance into the application.