Why SWIFT’s Days are Numbered, and What’s Next

Editor's note: This article references the Society for Worldwide Interbank Financial Telecommunications, which bears no relationship to "Swift Systems," a Maryland MSP of a similar name.

The CEO of SWIFT, a secure messaging system used by financial institutions, is scrambling to salvage the reputation of the decades-old network after several very high-profile hacks – but it may be too little, too late. 

SWIFT’s problems began in February, when the Central Bank of Bangladesh lost approximately $81 million after hackers used malware to steal the bank’s login credentials to the SWIFT system and used them to make several money transfers from the bank’s account at the Federal Reserve in New York to accounts in the Philippines and Sri Lanka.

In the immediate aftermath of the Bangladesh hack, several other banks, most located in Southeast Asia, reported hacks that may have involved the SWIFT system.

Then, in late June, a bank in Ukraine reported losing $10 million to a similar hack. Ukrainian officials have alleged that dozens more banks in Russia and Ukraine may have been victimized.

Since the SWIFT attacks involved banks in a number of countries, each with its own reporting rules, the problem may be far more widespread than reported. To date, the attacks have been confined to banks located outside the U.S., but the Bangladeshi breach originated at the bank’s account at the New York Fed, prompting the U.S. House of Representatives to launch an investigation into SWIFT and its customer banks.

What is SWIFT?

Created in 1974 as a more secure, less error-prone, and faster alternative to Telex messages, “SWIFT” stands for the Society for Worldwide Interbank Financial Telecommunications.

Although it plays a crucial role in international money transfers, it does not actually move money.

Instead, it provides a secure messaging network for financial institutions to transmit information and instructions using a standardized system of codes, which allows banks in different countries to communicate with each other. 

While hackers used SWIFT messaging to send the fraudulent money transfer requests, the SWIFT system itself was not breached, a point that the organization has emphasized since the attacks surfaced.

Hackers have not been able to intercept or alter messages others have sent through SWIFT.

Instead, hackers used malware to break into the end-user banks’ systems, remotely accessed their SWIFT terminals, and used them to send legitimate-looking but fraudulent messages.

In response to the hacks, SWIFT has promised to implement stronger security practices on its own end, including developing a behavioral analysis system like the ones used by credit card companies to identify suspicious card activity.

However, because the hacks originated in its end-user banks’ systems, SWIFT has also gone on the defensive, demanding that its customers implement stronger security procedures and even indicating that it may bar banks with inadequate security practices from using its network.

SWIFT is not wrong in calling for its user base to take on a share of the responsibility for information security; a system is only as secure as the organization that uses it, and the organization is only as secure as its employees.

However, there are serious questions as to whether the hacked banks – largely small institutions located in developing nations – have the monetary or human resources to implement adequate information security procedures.

Many security experts are asking why SWIFT and its customer banks did not address information security years ago, especially in light of the explosion in cyber crime over the past decade.

The methods the hackers used to compromise the banks’ systems were sophisticated in their execution, but they were not new, and the vulnerabilities at the end-user level have been an open secret for years.

Whether SWIFT can recover from the recent hacks remains to be seen.

However, SWIFT’s decades-long near-monopoly of its niche market means that it will probably take years for any serious competitor to emerge, and even when one does, it will face the same information security challenges. 

What Banks Can Do to Protect Themselves Right Now

The SWIFT attacks involved hackers using stolen login credentials, possibly obtained using spear-phishing or other social engineering techniques.

Banks must ensure that their employees undergo continuous training on cyber security awareness and best practices, including how to spot phishing emails and the importance of using strong passwords that are changed on a regular basis and never shared with anyone.

However, employee training is not enough. People make mistakes, and malicious insiders who purposefully violate the rules will always be an issue.

Banks must also implement technological defenses to augment the “human factor” in their cyber security plans, such as:

• Giving employees sufficient system access to do their jobs, and no more. Access to a bank’s SWIFT terminals should be limited only to a small, select group of employees. User access levels should be reviewed on a regular basis. If an employee no longer needs to access a particular system to do their job, their access should be revoked.
• Increasing the monitoring of high-level and privileged user accounts, such as those used to access SWIFT systems. Behavioral analysis can establish baseline user patterns and alert security personnel to deviations, such as logging in from an unusual location or attempting to access parts of the system to which an employee does not have access.
• Establishing appropriate security levels for different types of transactions. Multi-factor authentication and additional verification should be required for sensitive or high-value transactions.
• Establishing dedicated, 24/7 security operations centers (SOCs) to monitor systems and respond to incidents. Many banks do not have the resources to staff and maintain an SOC on their own, which is why they partner with a managed security services provider (MSSP). In addition to providing security expertise that may not be available in-house, MSSPs have the specialized hardware and software needed to operate a 24/7 SOC, monitor an organization’s entire network, immediately investigate unusual activity and respond to incidents.

While the hackers behind the SWIFT attacks used relatively common methods and tools, the attacks were clearly highly coordinated and meticulously planned.

The hackers were intimately familiar with the internal procedures of both the banks and SWIFT itself, indicating that they spent quite some time studying their targets before launching their attack.

For many years, industry-specific technologies such as SWIFT enjoyed some level of “security through obscurity,” but modern cyber criminals are more skilled, well-funded, and determined than ever, and the internet has made even the most obscure systems transparent.

“Security through obscurity” can no longer be banked on.

Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.