Was the SWIFT cyber-attack just the beginning?
May 16th, 2016
The $81M cyberattack on the Bangladesh Bank, and the SWIFT system, has proven to be a sign of just how pervasive fraud is about to get in a world of real-time, cross-border payments.
In February we learned that hackers broke into the Bangladesh Bank’s system and attempted to siphon nearly $1B from the New York Federal Reserve into accounts in the Philippines. Thanks to a spelling error on a transfer order, all but $81M of the transactions were stopped.
Hackers reportedly hit the bank’s SWIFT system server, gaining administrative control and launching malware that enabled and covered up such a wide attack.
SWIFT officials now admit that this is only one of many cyberattacks occurring on its messaging system worldwide, and this week the organization reported a second malware attack through an unnamed bank.
SWIFT has updated its software to thwart malware and has issued an advisory to financial institutions on beefing up their security infrastructure. The organization is also reminding banks that they are responsible for protecting themselves against attacks – and liable for their own losses.
When cyber-attackers directly target FIs and payments systems
It’s common to hear about cyberattacks on retailers and health insurers, in which data is stolen and sold into the black market to be used for account takeover and a wide range of other financial crimes.
These attacks are significant, but they don’t produce the kinds of losses that occur when cyber-attackers go straight for banking and payment systems to manipulate money out.
Now such targeted attacks are becoming a pattern. Last year, cyber attackers in the Carbanak scheme made off with $1B after hacking bank systems and manipulating ATMs all over the world to simultaneously spew cash.
Things really get dangerous when payments speed up
As banks across the world turn on instant payments systems, hackers will hone their focus on the infrastructure platforms that enable these new environments, as well as the FIs that use these services. And when they make a hit on an instant payment environment, the loss will be both fast and extreme.
SWIFT will be a key target in the world of faster payments since it will provide the messaging behind some emerging instant payment schemes, but it won’t be the only target.
This year the European Banking Authority (EBA) approved PSD2 regulations, which require FIs to open their doors to third party payment providers, enabling new real-time cross-border payments. PSD2 will bring SWIFT competitors to life, and they’ll be in the crosshairs.
Meanwhile in the U.S., as we move to Same Day ACH in September 2016 and turn on real-time P2P services today, cyber attackers will look to target the underlying systems and the backend servers used by participating FIs.
Yet, these super-focused attacks don’t mean we should shy away from faster payments and the innovative services they enable. Instead, they require FIs and payment infrastructure providers to place a sharper focus on integrated fraud and cyber strategies and the use of nuanced behavior analytics solutions.
Here are some considerations in understanding where to go next:
Sophisticated fraud detection analytics are key: Systems will be hit. It happens. But FIs and payment platform providers must institute fraud solutions that leverage behavior analytics to catch fraud in real time even after a system has been compromised. Fraud solutions which use analytics to establish normative behavior and detect anomalies will catch $1 billion in unusual transactions – even if the system has been hacked and transactions are initiated by what looks like a valid party. And while FIs have generally taken on the burden of implementing fraud detection solutions, real-time payments platform providers must also get on board with monitoring solutions of their own. In fact, in many cases, FIs will look to their payments infrastructure providers to ensure a second layer of protection.
Fraud and cyber strategies must be integrated: FIs have started to integrate their cyber and fraud strategies, and this must continue. This is not to say that fraud providers will begin selling firewalls. But complete enterprise fraud detection solutions should ingest data and alerts from a wide array of cyber and fraud tools to gain a more holistic view of the context behind every transaction. They should especially include integration with malware detection tools, which can produce alerts and data to be used in fraud detection models.
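As an added illustration of the two points above (behavior analytics that baseline normal activity and flag anomalies, and ingesting malware alerts into the fraud model), here is a small scoring routine that is not part of the original post. The transfer history, beneficiary ids, host names and alert text are all constructed sample data; the thresholds are assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed 30-day history of outbound transfer orders for one originating account:
# (beneficiary id, destination country, amount in USD). Sample data, not real records.
HISTORY = [
    ("BEN-AGRI-01", "IN", 2_100_000), ("BEN-AGRI-01", "IN", 1_950_000),
    ("BEN-FUEL-07", "SG", 3_400_000), ("BEN-AGRI-01", "IN", 2_300_000),
    ("BEN-FUEL-07", "SG", 3_100_000), ("BEN-INFRA-02", "JP", 4_000_000),
]

# Constructed alert feed from an endpoint/malware detection tool, keyed by the host
# that submitted the order. This is the "cyber" signal the fraud model ingests.
HOST_ALERTS = {"swift-gw-01": "unsigned module loaded into messaging process"}

HOLD_THRESHOLD = 3  # assumed: orders scoring at or above this are held for review


def build_profile(history):
    """Establish normative behavior for the account from its past orders."""
    amounts = [amt for _, _, amt in history]
    return {
        "beneficiaries": {b for b, _, _ in history},
        "countries": {c for _, c, _ in history},
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,  # avoid division by zero on a flat history
    }


def score_order(profile, order, host_alerts):
    """Score one new order (beneficiary, country, amount, submitting host).

    Returns (score, reasons). A valid-looking party submitting the order does not
    lower the score: the anomaly is in the behavior, not in the credentials.
    """
    beneficiary, country, amount, host = order
    score, reasons = 0, []
    z = (amount - profile["mean"]) / profile["stdev"]
    if z > 3:
        score += 2; reasons.append(f"amount z-score {z:.1f}")
    if beneficiary not in profile["beneficiaries"]:
        score += 2; reasons.append("beneficiary never paid before")
    if country not in profile["countries"]:
        score += 1; reasons.append("new destination country")
    if host in host_alerts:  # integrate the malware alert into the fraud decision
        score += 3; reasons.append(f"host alert: {host_alerts[host]}")
    return score, reasons


def triage(profile, orders, host_alerts, threshold=HOLD_THRESHOLD):
    """Return the orders that should be held, with their scores and reasons."""
    held = []
    for order in orders:
        score, reasons = score_order(profile, order, host_alerts)
        if score >= threshold:
            held.append((order, score, reasons))
    return held
```

Run against a batch, a routine $2.2M order to a known beneficiary scores 0 while an $81M order to a new beneficiary in a new country from a host with an active alert is held, so the batch is stopped on behavior even though each order carried valid credentials.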
Accountability in IT security infrastructure for both FIs and payments platform providers: It has been widely reported that the Bangladesh Bank had no firewalls guarding its SWIFT servers, and that it was using second-hand, $10 routers to connect to global financial networks. (I didn’t know such a thing existed.) But the Bangladesh Bank is by no means alone. Many banks, in many nations, are challenged to protect vulnerable IT security infrastructure, and when they’re hit, all of the other banks they do business with become exposed to cyber-criminals. FIs must hold each other accountable for ensuring stronger IT security infrastructure. What’s more, payment infrastructure providers should provide security best practices for member FIs, and check in more closely with them to ensure they are following procedures. Payment infrastructure providers should also invest in their own layer of fraud monitoring and detection solutions.