No Easy Fix for Fraud on Swift Networks
Given the news about the recent bank thefts carried out over the Swift messaging system, banks might be wondering if there is an alternative for cross-border payments.
Flatly, there isn't – at least not today, or at least not one that would offer the depth of Swift services while addressing the safety concerns raised by the heists.
For banks, that is likely unsettling news. After the revelation by Symantec researchers that linked North Korea to the series of recent attacks targeting banks in Asia and gaining access to the Swift messaging system, the worldwide financial industry is on increased alert.
The rub is that the global messaging system's security is only as strong as the weakest link.
Officials from the Federal Reserve Bank of New York, Bangladesh Bank and payments network Swift vowed Tuesday to catch the thieves who took $81 million out of the Bangladesh central bank's account at the New York Fed.
As the Central Bank of Bangladesh threatens to sue the Federal Reserve Bank of New York over at least $80 million stolen from its account there, the Fed says its systems were not compromised.
"If there is an alternative, I'm not aware of it. It's pretty crazy – you've got some networks that could handle the payments part, but that's not the only information that flows over the Swift network," said Patricia Hines, a senior analyst at Celent. "There is no direct competitor for the broad strokes of what they do."
For starters, there is the entry-point issue. The hackers are entering the network at the bank level, they aren't breaching Swift's network. Any alternative system would still need to address the security issues at the banks that are putting the whole network at risk. A network that is made up of many members – Swift works with 11,000 banks and other financial services firms – is only as secure as its weakest link, said Dana Bowers, chief executive of the financial technology vendor Venminder.
"The bigger the organization, the more difficult it is to have your arms wrapped around every little thing," she said. "It's like sticking your finger in the dyke; you plug one hole and several more pop up."
Some have suggested that a blockchain-based solution could prevent the thefts given its distributed and transparent qualities, but some security experts say hackers could still get in. "The issue is of these compromised credentials that look legitimate," said Aleksandr Yampolskiy, chief executive of Security Scorecard, a security benchmarking firm. "With a blockchain solution, if [a fraudster] could obtain the private key, then the core issue of the impersonation of a legitimate user is still there."
Others say that while a blockchain-based network would still be vulnerable to breaches, fraudsters would have a harder time covering their tracks given blockchain's auditability.
"But if the front door is still unlocked, it doesn't help much," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
The attacks, which targeted a bank in the Philippines in October 2015, a Vietnamese bank in December of that year, and the central bank of Bangladesh in February, resulted in more than $81 million in stolen funds.
In published reports, Swift said the fault lay not with its core messaging network, but with the individual banks' connection points to its network.
For its part, the collective has been reaffirming that its system is secure.
"Cybersecurity is part of our DNA; it is not just an afterthought," Gottfried Leibbrandt, Swift's chief executive, said on May 24 at a financial services conference Belgium. "It is not just hardware and software but people, processes, procedures, checks and in fact a whole organization for whom failure is not an option."
And in a statement emailed to American Banker, a Swift spokesperson said the organization in a May 13 advisory urged members to review controls in their payments environments.
"This includes everything from employee checks to password protection to cyberdefenses," the spokesperson said. "We recommended that customers consider third party assurance reviews and, where necessary, asked their correspondent banks and service bureaus to work with them on enhanced arrangements."
But nonetheless, Pascual said, "there's plenty of blame to go around" for banks and Swift alike.
Pascual said the banks that were victimized must take responsibility for allowing their systems to be compromised, thus allowing hackers access to the Swift messaging network. "The onus is absolutely on them," he added.
But Pascual said Swift too must take stock of the way it operates and be more proactive in sharing and aggregating information on its network that could give banks a "heads up" that suspicious activity might be happening.
"There needs to be more open conversations," between banks and Swift, and among banks, Pascual said. "Swift should facilitate what information they know, and encourage banks to have conversations."
Further, he added, "the Swift code is a bit antiquated, maybe a bit more sophisticated coding on their end would help."
Hines added that while there is no alternate system today, perhaps Swift and the industry should begin thinking about one.
"Almost any other major system worries about a redundant system," Hines said.
Robert Barba contributed to this article.