Swift outlines new security protocols as crisis escalates

Swift outlines new security protocols as crisis escalates

Financial messaging network Swift is to launch a five-point security plan in a bid to restore faith in the integrity of the system in the wake of a series of exploits at connected bank sites.

Swift CEO Gottfried Leibbrandt will tell a conference in Brussels that the bank-owned co-operative will introduce certification requirements for interface device vendors and help banks use pattern recognition to identify suspicious behavior. The banking co-operative also plans to provide auditors and regulators with tighter guidelines to help in the assessment of bank security procedures.

Leibbrandt's remarks follow a torrid period for the company after the emergence of a series of attacks on at least three banks connected to the network, including a successful $81 million heist at the central bank of Bangladesh.

Describing the Bangladesh incident as a “watershed event for the banking industry”, Leibbrandt will say: “There will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident ... this is a big deal. And it gets to the heart of banking.”

The interbank network, which connects over 10,000 institutions globally, was conceived with resilience and security at its core and designed to meet the highest standards of confidentiality, integrity and availability. While the core messaging network remains impervious to hackers, the latest revelations of inadequate security controls at bank sites has seriously dented Swift's reputation.

The news cycle has been particularly uncomfortable for Swift chairman Yawar Shah after it emerged that his own bank, Citi, was party to a lawsuit lodged by Ecuador's Banco del Austro (BDA) against Wells Fargo over the transmission of three bogus Swift transfers that led to $12 million in losses. BDA says that a similar issue saw Citi transfer $1.8 million after fraudulent requests through the Ecuadorian bank's Swift terminal, but Citi repaid the money.

None of the three banks informed Swift of the attacks, despite the co-operative's insistence that users should "immediately inform Swift of any suspected fraudulent use of their institution’s Swift connectivity or related to Swift products and services"

"Information sharing needs to get better, much better," Liebbrandt will say. "It is critical that the global financial community works together to bolster our mutual security."

The new security procedures have been drawn up by Swift following urgent consultations with board members and regulators over the escalating crisis.

More bad news may be on the horizon. "The Bangladesh fraud is not an isolated incident," Liebbrandt will tell the Brussels conference. "We are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts."

In a speech to the same conference last year, Liebbrandt called on EU polcymakers to work towards the creation of a standardised global framework for international cyber-security and admitted to feelings of paranoia over the persistent threat.

"The cyber threat is very real and persistent. Cyber-attacks are getting ever more sophisticated, and the landscape is getting more complex," he said. "Every day we wake up and go to sleep thinking about, and protecting against that threat. It is hard work and never done. When we don't sleep, it is because of cyber risks."

Comments: (5)

Hitesh Thakkar
Hitesh Thakkar - SME - Fintech startups (APAC and Africa) - India 24 May, 2016, 14:14Be the first to give this comment the thumbs up 0 likes

Actions welcomed from SWIFT. Look forward to further announcement of Five Point Security Plan by SWIFT.

Curious to know if SWIFT explores and includes -- Biometric Authentication of Transactions (for High value txns - Single or cumulative) needed before posting it to SWIFT - (may be pipe dream of mine ).

Certification and Audit are welcomed ( I assume it will be more serious now).

A Finextra member
A Finextra member 25 May, 2016, 12:47Be the first to give this comment the thumbs up 0 likes

What is "certification requirements for interface device vendors"? The device used to initiate a payment was a computer. In this case malware was installed and used to commit the fraud. Technically the malware injected malicious code into the Swift application - an application with no self-defending capabilities. Adding biometry on top of an insecure application is not going to help. 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 25 May, 2016, 16:55Be the first to give this comment the thumbs up 0 likes

"will tell a conference", "will say". 

Predictive journalism?:)

Hitesh Thakkar
Hitesh Thakkar - SME - Fintech startups (APAC and Africa) - India 25 May, 2016, 17:41Be the first to give this comment the thumbs up 0 likes

@Bjorn - Biometric templates are usually unique and secured while scanning ( Atleast Morpho devices) requires unique scan ID created with keys and difficult to break.

How can a transaction be posted with such unique ID with biometric authentication by Melware?

A Finextra member
A Finextra member 27 May, 2016, 06:321 like 1 like @Hitesh: An attacker don't need to break into the parts of the solution that handles the biometric data. The application logic in a vulnerable application is normally easier to manipulate. Malware typically inject malicious code that change a "no" to "yes". Same thing as with cryptography: It is usually bypassed, not broken. To fix this problem you need to add malware resistance into the application.