Alain Desausoi, SWIFT's CISO took the stage today at the FT's Cyber Summit to discuss SWIFT's experience over the last year.
Turbulence started with the heist on Bangladesh Central Bank in March this year. By gathering local credentials and sending fraudulent requests through SWIFT, which processes millions of international transactions a day, thieves were able to make off with £62 million pounds.
The money was then ex-filtrated in several locations in Sri-Lanka and the Philippines. Law enforcement have since only recovered a fraction of the loot.
There have been several such heists since around the world, conning millions out of banks by sending fraudulent requests through SWIFT for money orders in the millions. The bank robbers, believed to be from the same group, have descended on banks in Ukraine, Vietnam and Ecuador and many others are believed to have been affected.
While the SWIFT messaging system itself was not compromised, the co-operative have set about thinking about how it might better help affiliates avoid such devastating attacks.
Ideas that have been suggested include a requirement of a basic level of security if a bank wants to use SWIFT and suspension for those that fail to meet that level. Desausoi did not comment on whether that would be going ahead.
In concrete terms SWIFT have rolled out a programme to deal with the kinds of problems we've seen over the past year. Earlier this year, the cooperative rolled out its five stream customer security programme. The programme involves information sharing not just between SWIFT users but with SWIFT itself.
Hackers are not like regular bank robbers. They “stay there for weeks and months to learn about the practices of the banks”, said Desausoi, “the best way to stop them is to learn what happened at other places”.
The programme also involves making products and software used by SWIFT customers more resilient as well as reiterating good security practices.
While the previous measures are essential, added Desausoi, attackers are still capable of getting around them. It's important to make sure there is another level of controls above the technical level, what SWIFT calls a traffic pattern detection scheme, to detect anomalies.
These controls need to be at the business level. Especially in SWIFT's experience, the problem was not to do so much with technology as it was human fallibility. “We should not make believe that software is the solution”, said Desausoi, “it's a real challenge to have a piece of technology that will solve everything”.
“What SWIFT is currently doing is a very good idea”, Ilia Kolochenko, CEO and founder of High-Tech Bridge told SCMagazineUK.com.
While SWIFT wasn't breached itself, “taking into consideration that they are providing this service, they can educate,” and make sure customers have a basic minimum level of cyber-security. He added, “When you are selling cars, you need to make sure that the driver knows driving 350 miles in an hour in a city” is a bad idea.
In the last few days, SWIFT have also announced the release of daily validation reports, starting from December, which will show anomalies in transactions made over the last day.