Hackers Hit SWIFT Software: How Treasurers Should Respond
- By Andrew Deichler
- Published: 4/25/2016
It is believed that the criminals hacked the Bangladesh central bank’s systems in February and stole credentials that the bank used to log in to the SWIFT network. BAE told Reuters that the hackers likely used malware to manipulate SWIFT’s Alliance Access software on the bank’s computers in order to erase records of illicit transfers.
In a statement, SWIFT said that it has discovered malware that aims to reduce banks’ abilities to recognize fraudulent transactions on their local systems. “We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security,” the statement read.
The SWIFT network and its core messaging services apparently were not breached. SWIFT is releasing a software update that will help users spot inconsistencies in their local database records. Nevertheless, the financial messaging network advised users to implement appropriate security measures in their local environments to safeguard their systems. “Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems,” SWIFT said.
What does all of this mean for treasury?
Many organizations’ treasury management systems connect directly to SWIFT through Alliance Lite2. “Any corporates using Alliance Lite2, whether their TMS is installed or cloud-based, should make sure they have made the latest updates,” said Magnus Carlsson, AFP’s manager of treasury and payments. “Corporates should also check with their IT departments about the possible malware.”
Although her company is not a SWIFT user, Anita Patterson, CTP, treasurer for Cox Communications and an AFP board member, agreed that companies should make sure their treasury workstations are secure. “It’s almost like a domino effect—and it all depends on the defenses set up by treasury workstation companies to prevent as well as protection within one’s own company,” she said.
Craig Jeffery, CCM, managing director for Strategic Treasurer, commented that treasury groups need to think of security in terms of layers, and each layer must be tightly maintained. “If, for example, you have a gaping hole in your network security as reported in this case—no firewall, outdated network devices—you make it that much easier to target, degrade and destroy other areas of your security apparatus and control structure,” he said. “Every part of every security layer should at least attain the minimum standards of good corporate conduct. It is preferable to exceed those standards. When an organization is not regularly reviewing their perimeter, interior, banking structure, monitoring and personnel status there will be significant issues at some point. This is not a question of if.”
Jeffery added that it is easy to jump to conclusions about the Bangladesh Bank breach and miss what is important. “If the criminals are able to compromise your network, modify or control your environment and send instructions through your systems, it doesn’t matter how secure the bank system or SWIFT network is as they were able to compromise the system access point or human element in the equation,” he said. “For most organizations, it is absolutely vital to step up your defensive posture and undergo a regular review of all parts of your security and control layers. Things continue to change quickly which means that regularly means at least annually.”
Update, 4/26/16: SWIFT issued a confidential alert to its bank customers saying that it is aware of “a number of recent cyber incidents” in which criminals sent fraudulent messages across its network, Reuters reported. Although it did not name any banks, SWIFT said that “malicious insiders or external attackers” have been able to submit messages from banks’ back offices, PCs or workstations. SWIFT did not disclose the cost of any of the losses.
SWIFT also provided some insight into how the incidents occurred. Using valid credentials for operators who are authorized to create and approve messages, the attackers submitted fraudulent messages over the SWIFT network.
Cybersecurity experts told Reuters that as more of SWIFT’s banking clients investigate whether their own SWIFT access has been compromised, more attacks could surface. Banking security consultant Shane Shook said that hackers are turning to SWIFT and other private financial messaging platforms because the attacks generate more revenue than targeting consumers and small businesses.
With all the malicious activity, one has to wonder if corporate SWIFT users are also on the attackers’ hit list.
Copyright © 2019 Association for Financial Professionals, Inc.
All rights reserved.