After hackers penetrated a second bank and accessed the Swift messaging system to steal money, it is clear that more needs to be done to thwart such attacks.
The rub is that the security of the system is only as strong as the weakest link in the chain. Recall that in the earlier incident, researchers found lax security practices at Bangladesh Bank, including a $10 router and a lack of firewalls.
The Society for Worldwide Interbank Financial Telecommunication revealed the additional hack Friday without identifying the breached bank, its location or the amount stolen. The incident echoed a widely reported one in February in which hackers successfully lifted $81 million out of the Bangladesh Bank's account at the New York Federal Reserve.
In both instances, attackers were able to bypass a bank's risk controls to access the software and hardware they use for Swift transactions. They also found ways to tamper with the confirmations that banks typically use as secondary controls, delaying their ability to detect the fraud.
Once again, Swift stressed that its core messaging services and software have not been compromised. In a letter to member institutions Friday, Swift reminded banks they are responsible for making sure their systems are secure.
"We put out recommendations about security, and we've made it quite clear that these are only a baseline," said Natasha de Terán, head of corporate affairs at Swift. The organization doesn't make the security guidelines public. "Proper preventative and detective measures are customers' best defense against this kind of input fraud and the use of such malware."
While banks could indeed do more to protect the systems they use for Swift wire transfers, so could Swift, some security experts said.
"Swift should stop putting the burden of secure access on the banks and complement the banks' security measures with their own fraud detection measures that mitigate the risk of account takeover," said Avivah Litan, vice president at Gartner. "There are plenty of security measures in place these days — for example gesture analytics and user and entity behavior analytics — that can greatly reduce the risks of fraudulent Swift payments. These are measures that Swift must implement, as the requesting banks don't have the data or computer processes to put them in place, as Swift is the custodian here."
In its letter to customers, Swift, the Brussels-based organization whose messaging system is used by 11,000 financial institutions for wire transfers, said it learned of a second case of fraud at a member bank involving malware. In this case, the malware compromised a PDF reader the bank used to check its statement messages.
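Both incidents turned on the same gap: the confirmation and statement messages that operators rely on as a secondary control were rendered by software the attackers controlled. The following is an added illustration, not code from Swift or from any bank, of the kind of independent reconciliation that closes that gap: comparing the raw confirmation messages against the bank's own authorization ledger, and separately against what the viewer actually displays. The `Transfer` type, the `reconcile` and `hidden_by_viewer` functions and every sample record are constructed for this example.

```python
# Constructed example: independent reconciliation of wire confirmations.
# Not Swift software or any bank's code; all names and records are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str          # transaction reference
    amount: int       # minor units (cents) so equality is exact
    currency: str
    beneficiary: str  # beneficiary account identifier


def reconcile(authorized, confirmed):
    """Compare two independent views of the day's outgoing wires.

    authorized: transfers the back office actually approved (internal ledger)
    confirmed:  transfers in the raw confirmation/statement messages, read from
                the messaging interface, not from whatever the viewer displays
    Returns findings by type; all three empty means the views agree."""
    auth = {t.ref: t for t in authorized}
    conf = {t.ref: t for t in confirmed}
    return {
        # confirmed by the network but never approved internally: injected payment
        "unauthorized": [conf[r] for r in conf if r not in auth],
        # approved but never confirmed: lost, or confirmation suppressed upstream
        "unconfirmed": [auth[r] for r in auth if r not in conf],
        # same reference, different amount/beneficiary: instruction altered in transit
        "altered": [(auth[r], conf[r]) for r in auth if r in conf and auth[r] != conf[r]],
    }


def hidden_by_viewer(raw_confirmed, displayed):
    """Entries present in the raw messages but absent from the rendered statement.
    A non-empty result means the viewer (e.g. a PDF reader) is dropping records."""
    shown = {t.ref for t in displayed}
    return [t for t in raw_confirmed if t.ref not in shown]


# Constructed sample data
AUTHORIZED = [
    Transfer("TX1001", 2_500_000, "USD", "ACCT-PAYROLL-01"),
    Transfer("TX1002", 7_500_000, "USD", "ACCT-VENDOR-17"),
]
CONFIRMED = [  # as received from the messaging interface
    Transfer("TX1001", 2_500_000, "USD", "ACCT-PAYROLL-01"),
    Transfer("TX1002", 7_500_000, "USD", "ACCT-UNKNOWN-99"),     # beneficiary changed
    Transfer("TX1003", 2_000_000_000, "USD", "ACCT-UNKNOWN-42"), # never authorized
]
DISPLAYED = CONFIRMED[:2]  # the compromised viewer shows only the first two
```

The point of the second check is that it uses the message feed itself as ground truth, so a viewer that silently drops or rewrites entries is caught even when the ledger and the feed agree.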
"Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks," the organization warned. "The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both."
Who is perpetrating these attacks is an open question; researchers at BAE Systems suspect a link to the cyberattack on Sony in late 2014.
Whoever it is, they are professionals.
"The reason we made this public is to really stress that this new malware evidences that this is a highly sophisticated campaign that demonstrates in-depth knowledge of banks' processes," said de Terán. "We are really encouraging our community to ensure they have reviewed and, where necessary, improved their security."
William Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, an industry group, argued that the onus can't be fully placed on Swift, either.
"Everybody has a responsibility," Nelson said. "The whole community. You can't say, 'It's not my job.' The banks have responsibility and Swift does, too. Swift is responsible for its network. It's the responsibility of whoever's originating or sending payments to make sure they're not clicking on malicious links or phishing emails, that they don't have malware on their systems and that they have good cyber defenses."
The basic security practices for Swift transactions have been the same for decades, and security experts say if they're followed, they work.
"We recommend having a wire room that's segregated, having a dedicated computer where web browsing, email, and even the USB port is disabled, and if you initiate bank-to-bank-type payments in your wire room, it should be segregated from your network," Nelson said. "If you do all that, I can't think of a way it could be compromised. You can't get malware on the system. You've isolated it. That's the way wires have always been done at banks."
Investigations into the $81 million cybertheft at the New York Fed found that when staff at one bank realized something was suspicious about the transactions, employees at the other had already left for the weekend. For that reason, Nelson said, banks ought to have staff monitoring their wire operations 24/7.
"That's a business decision," he said. "From a cost standpoint you wouldn't think you'd need that, but from a security standpoint that might be something to consider."
And because of the intricate nature of the customized malware used in these attacks, which was said to include insider knowledge of the banks' Swift operations, some say banks need to take a closer look at their staff.
"It appears that employees at these banks were recruited by criminals in the dark web," Litan said. "This is becoming a very common occurrence. Disgruntled employees who collaborate with cybercriminals are a major threat to banks. These employees help the cybercriminals gain knowledge of complex internal workings of bank payment systems."