SWIFT revealed Tuesday that there have been more successful cyberattacks on its member financial institutions, resulting in fraudulent payments instructions being sent across its network. Could corporations be the next stop for these hackers?
In a private letter to clients, SWIFT explained that its members have incurred a series of attacks since June, when the financial messaging cooperative introduced its new plan to reinforce security. SWIFT did not reveal which clients had been victimized or how much money was stolen. However, all of the banks had weaknesses in local security that the hackers were able to exploit.
“Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions,” the letter reads. “The threat is persistent, adaptive and sophisticated—and it is here to stay.”
Reuters suggested that cybercriminals have apparently been ramping up their efforts after the Bangladesh Bank heist, targeting banks who have been lax about security procedures.
SWIFT has faced difficulty in forcing banks to improve security, as it does not have regulatory authority over its members. However, it informed members that it may begin reporting them to regulators and banking partners if they fail to install the latest version of its software by November 19. The software includes technology for verifying credentials of people accessing a bank’s SWIFT system, stronger rules for passwords, and improved tools for identifying hacking attempts.
However, current and former executives of SWIFT recently told Reuters that the cooperative has long suspected there could be vulnerabilities in its messaging terminals, yet did nothing about it until the Bangladesh bank heist. “The board took their eye off the ball,” said Leonard Schrank, who was CEO of SWIFT from 1992 to 2007. “They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system.”
After reviewing SWIFT’s annual reports and strategy plans over the past 17 years, Reuters said that June of this year was the first time SWIFT helped its members secure their systems.
Could corporates be next?
Generally, fraud moves wherever the security isn’t; for example, whenever a nation has adopted chip card technology, card-not-present (CNP) fraud tends to spike. Therefore, if banks en masse vastly improve their SWIFT connections, might cybercriminals move on to the SWIFT’s other customers—corporates?
It’s certainly something corporate treasury professionals need to consider. Those that use the SWIFT network to make large transfers should make sure the entry points are secure. Treasurers have choices when it comes to SWIFT connectivity; they can use a SWIFT service bureau, which takes up much of the responsibility for security, or they can connect directly through Alliance Lite2. If the Alliance Lite2 connection is not hosted by a treasury management system provider that manages the messages as they come through, then it is up to treasury itself to monitor that connection on its own.
Magnus Carlsson, AFP’s manager of treasury and payments, wonders if corporates could already be a target. “Even if the most recent issues were just related to banks I certainly think it could apply to corporates as well, especially those who directly connect to the system,” he said.