SAN FRANCISCO -- It should come as no surprise that the ongoing SWIFT hacking saga was a hot topic of conversation at the CTC Corporate Treasurers Forum Monday. Corporate treasury executives and payments experts discussed the incidents, and what practitioners need to do to secure themselves.
Implications for real-time
At the opening general session, Steve Mott, CEO of BetterBuyDesign, addressed the impact that the recent series of SWIFT-related hacking incidents are having on payments as a whole.
Mott, a member of the Federal Reserve Secure Payments Task Force, noted that during a conference call earlier in the day, the Fed expressed concern over the SWIFT incidents. The Fed fears that if its forthcoming real-time system—whatever it turns out to be—is not secure, then it will essentially just be getting money into the hands of bad actors faster.
Mott cited Gartner analyst Avivah Levitan, who stressed in a recent blog that the United States is decidedly not ready for real-time payments, and the SWIFT incidents prove it. “Irrevocable real-time payments are fraught with risk,” she wrote. “There is no time for bankers’ fraud staff to manually review transactions, and there is no time to retrieve a fraudulent payment on its way to an unknown bank account far from the reach of U.S. banks and authorities.”
The question then becomes, could this ongoing fraud debacle lead the Federal Reserve to perhaps delay the rollout of its faster payments system, or rethink its strategy altogether? No decisions have been made yet, however, Mott told AFP to “stay tuned.”
At issue here are the endpoints, Mott explained. While the SWIFT network is secure, the recent series of hacks proves that at least some of the endpoints are not. Hackers don’t need to breach SWIFT’s system if they can compromise a SWIFT user and send fraudulent messages across the network.
This is evidenced in the latest development, in which more than $12 million was stolen from a bank in Ecuador. As Reuters first reported, in January, a message from a secure computer terminal at Banco del Austro (BDA) instructed Wells Fargo to transfer money to bank accounts in Hong Kong. Over the course of 10 days, Wells approved 12 transfers over the SWIFT network.
BDA is currently suing Wells over the incident. Wells, however, blamed BDA’s information security policies and procedures, claiming that it simply honored a valid request sent through SWIFT’s messaging system. Hackers had obtained a BDA’s logon credentials, Wells said.
Wells has so far been able to recover $1.85 million of the funds, according to court documents. SWIFT said it had only just learned of the attack.
More scrutiny from treasury
Following a roundtable session on cybersecurity later in the day, Joel Campbell,vice president and treasurer for H&R Block, encouraged treasury professionals who use SWIFT to be more proactive if they are concerned about the security of their connections.
Campbell uses his SunGard treasury workstation to access SWIFT and send payments. Although SunGard makes sure the access points are secure, every year, H&R Block itself does a full evaluation of its connections. “We actually have our IT guys go out to the data center and do audits; we did that before we implemented the system,” he said. “For somebody to get access to our bank accounts to our systems, you’d have to get to SWIFT, through SunGard. So there’s multiple layers that give us some comfort. But certainly, when I see the SWIFT articles in the paper or get emails from a board member, it’s concerning. We should all be concerned about it.”
Campbell believes that these incidents will prompt more scrutiny of SWIFT among treasury departments. “I pay for corporate membership with SWIFT, and I think that I have the right to call up a relationship manager at SWIFT and say, ‘I want details. I want you to come out and visit me. I want to get comfortable with what the processes are and how you do things,’” he said.