Is SWIFT still secure?
14 November 2016
Hackers are using SWIFT to steal millions from over a dozen banks in developing countries. The Central Bank in Bangladesh fell victim to an 81 million dollar heist, and the criminals are still running free.
In Ecuador, a commercial bank stated that 12 million dollars were stolen last year. Another in Vietnam claims to have suffered a failed attempt to steal 1.1 million from its coffers, which is thought to have been a practice run for the Bangladesh theft.
All these attacks were committed by cyber-criminals and a few have been confirmed to have sent messages that appeared to be from SWIFT’s messaging system. SWIFT connects 11 thousand members including Central and Commercial Banks and MNCs in over 200 countries. While banks in developed countries haven’t been compromised (yet), these attacks have set alarm bells ringing all over the world: there is no such thing as an invulnerable system.
SWIFT itself has said that its system has not been hacked, as the messages originate in a bank’s computer. This means that hackers have been able to read or change the messages that travel through its network. In the case of Bangladesh, malware was introduced into the bank’s system, which is likely to have allowed hackers to record keystrokes and finally steal the codes required to send fraudulent messages via the SWIFT network.
The network is safe, but what SWIFT cannot guarantee is that the person sending the message from the bank is an actual employee of that bank. This has prompted some financial institutions to take action to prevent future incidents. J.P. Morgan, for example, has reduced the number of employees with access to SWIFT, but is this enough?
Most banks in developing countries don’t have the maximum security measures recommended by SWIFT in place. These include a secondary external verification process, like a retina or fingerprint scanner, to gain access to banks’ computers. SWIFT also recommends that several people participate in the process, i.e. one person to create the message and another for approval and authentication. SWIFT is considering making these measures mandatory.
These attacks will probably spark interest in developing other ways of making international payments, but even with the most secure technology available, the fallible human element will always be a weak spot that hackers will try to exploit.