Published on 12:00 AM, May 25, 2016

SWIFT says it cannot secure customers' networks

Global financial messaging network SWIFT says it cannot secure customers' environments where its tools and software are used.

In Bangladesh and other cases, the thieves compromised the IT environment and worked their way to the banking systems where the SWIFT instructions were generated and the confirmations received, said Gottfried Leibbrandt, chief executive of SWIFT.

“We cannot secure our customers' environments and cannot assume responsibility for that,” he said in his keynote speech at the 14th annual European Financial Services Conference in Brussels yesterday.

The recent fraud in Bangladesh has made multiple headlines and will prove to be a watershed event for the banking industry, he said.

“The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts,” Leibbrandt said.

“The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated,” he said.

“So this is a big deal. And it gets to the heart of banking.”

Keeping money secure is core business for banks. “So these events are a problem on at least two fronts.”

First, it is a problem because banks that are compromised like this can be put out of business, he said.

“It's not like retailers losing credit card details or telcos losing customer details. Telcos and retailers will take reputational hits, and may face some financial liabilities, but things will move on.” When banks lose control of access to their payment channels, it is different. In the recent cases, thieves were able to move just some of those banks' overseas assets.

“It's a problem because the financial system is hugely interconnected and it operates on trust,” said Leibbrandt, a former McKinsey consultant.

During the speech, Leibbrandt announced SWIFT's five-part customer security programme to reinforce the security of SWIFT's shared, global financial system.

SWIFT plans to improve information sharing among the global financial community and harden security requirements for customer-managed software to better protect their local environments, enhance SWIFT's guidelines and develop security audit frameworks for customers.

It also wants to support banks' increased use of payment pattern controls to identify suspicious behaviour, and introduce certification requirements for third-party providers.

SWIFT's messaging platform, products and services connect more than 11,000 banking and securities organisations, market infrastructures and corporate customers in more than 200 countries and territories.

Banks send payment instructions to one another via SWIFT messages. In February, thieves hacked into the SWIFT system of the Bangladesh central bank and sent messages to the Federal Reserve Bank of New York that allowed them to steal $81 million.

The attack follows a similar but little-noticed theft from Banco del Austro in Ecuador last year that netted thieves over $12 million and a previously undisclosed attack on Vietnam's Tien Phong Bank that was not successful.

The crimes have dented the banking industry's faith in SWIFT, a Belgium-based co-operative owned by its users.