Remember last March’s online $81 million Bangladesh Bank heist? The one where everyone was pointing fingers at everyone else?
A few of those fingers were pointed at SWIFT, the global messaging system used by over 11,000 financial institutions in over 200 countries to securely communicate financial payment instructions. Turns out there have been several more attacks since then – and SWIFT’s responding by significantly toughening the rules its member institutions must follow.
At SWIFT’s annual conference this week, SWIFT CEO Gottfried Leibbrandt briefly described recent breaches that hadn’t been publicized before:
A few months ago… one of our banks had been alerted by their clearing correspondent that there was something fishy with their transactions. And we worked in real-time with [them] to retrieve messages, compare them, and indeed we found that the bank had been compromised… payment reports had been altered, as per the modus operandi.
Next day… the clearing correspondent had found that the ultimate beneficiary of these fraud transactions, the mule account, featured in transactions of yet another bank. We contacted that bank, and [it] too had been compromised.
A few weeks later, another case. This bank had the latest anti-virus and had the latest security patches on our software, and alerts on both [AV and Swift software] prevented further fraud from happening as well.
Leibbrandt’s concluded that since SWIFT and the banks involved were alert and cooperated closely, nobody lost any money. However he also addressed that this does not signify the problem could be swept under the carpet and forgotten about: there have been other successful attacks and will continue to be in the future, as they get more sophisticated.
What to do? Leibbrandt compared the current plague of cyberattacks with the spread of dangerous physical diseases throughout history, in which human beings “turned this existential threat into a manageable nuisance, by innovation.”
He compared the financial industry with modern medicine, noting that doctors don’t always wash their hands sufficiently before surgery, even though they know it could prevent many infections:
So we also need basic hygiene – multifactor authentication, securing your credentials, updating your operating system software – [but] we’ll need a little pressure for that compliance.
Banks will soon have to “self-attest” their compliance with SWIFT’s forthcoming set of “objectives, principles, and controls.”
We’ll make that transparent, and back it up with internal and external audits, and the results will be made available to local regulators and counterparties [you] do business with, so you can check whether your counterparty has ‘washed his hands for dinner so to speak.’
ComputerWorld reports that these rules aren’t quite locked down yet but after two months of consultations, due to begin at the end of October, the final details will be published next March.
In a press release, SWIFT said self-attestations would start soon afterwards. Then:
…inspections and enforcement will begin on 1 January 2018, when customers’ compliance status will be made available to their counterparts, ensuring transparency and allowing firms to assess risk of counterparts with whom they are doing business.
From January 2018, SWIFT will report the status of any non-compliant customers to their regulators, and randomly select customers who will be required to provide additional [audit] assurance.
In addition, customers will also be able to choose to disclose their compliance with a further 11 advisory controls.
Along with these mandates, Leibbrandt encouraged financial institutions to “share and prepare.” He added that, in the intensely global financial ecosystem…
What happens to one institution in one geography may well happen to another on the other side of the globe.
Share the details if you’ve been breached so we can make the indications of compromise and modus operandi available to others on an anonymous basis… so [they] can prepare for similar attacks.
United we stand: amen to that.