In February, cybercriminals hacked into Bangladesh’s Central Bank and managed to steal approximately 81 million dollars. As a result of this attack, SWIFT, which is a cooperative association of member banks that provides an international messaging system for banks has been investigating the security of SWIFT members and earlier this week it told its members that since the attack on the Bangladesh Central Bank there have been a number of other cyberattacks on banks around the world. According to the letter, an undisclosed number of attacks against banks around the world were successful although SWIFT did not indicate how many banks were successfully hacked and how much money was lost.
It appears in the hacking of the Bangladesh Central Bank, as with so many types of cybercrimes, this one started with social engineering spear phishing which lured bank employees to unwittingly download the malware used by the hackers to infiltrate the bank’s computers and obtain not just the passwords and cryptographic keys used for electronic fund transfers, but also the emails of bank employees so that they could copy and adapt the emails by which they made their transfers appear legitimate. Armed with this information, the cybercriminals sent dozens of account transfer requests using the international SWIFT banking messaging service from the Bangladesh Central Bank to the Federal Reserve Bank of New York where the Bangladesh Central Bank has accounts containing billions of dollars. The account transfer requests processed by the Federal Reserve Bank of New York electronically sent about 81 million dollars to accounts in the Philippines where the funds were transferred multiple times including transfers to Philippine casinos in an effort to launder the money.
Late last year banks in the Philippines and Vietnam also suffered similar cyber attacks. Now cybersecurity investigators are saying that the same type of malware used in all three attacks was the same used by state sponsored North Korean hackers against South Korean banks in 2013 and Sony in 2014.
Although SWIFT is pressing member banks to increase their security, SWIFT has no regulatory authority to mandate such actions, however, in its recent letter to SWIFT member banks, SWIFT indicated that if member banks fail to update their security to meet SWIFT standards by November 19th, SWIFT might report them to bank regulators. In particular the suggested security measures include better password management and authentication procedures as well as installing better procedures to recognize hacking attempts.
All businesses and governmental agencies have got to do a better job at cybersecurity in general. In particular, greater attention has to be paid to the dangers of social engineering spear phishing which has been at the root of the almost all of the major data breaches at both companies like Target and governmental agencies, such as the Office of Personnel Management. The international banking system is under attack and although the security of the SWIFT system itself appear not to have been breached, that is little consolation when individual banks are hacked thereby obtaining the authorizations necessary to utilize the SWIFT system to steal money. Although SWIFT continues to say that its messaging system is secure, it is apparent that just as the individual banks need to increase their security, so does SWIFT have to recognize the security vulnerabilities that exist in banks around the world and pressure member banks to use dual factor authentication and confirmation protocols in order to protect the security of the international banking system.