Anti-Fraud , Anti-Money Laundering (AML) , Compliance

Security Investments Consume SWIFT's Profits

Increased Spending Follows Bangladesh Bank Heist, Ongoing Attacks
Security Investments Consume SWIFT's Profits
SWIFT Chairman Yawar Shah, pictured at a SWIFT conference in Geneva on Sept. 26, 2016, has tied management incentives to security targets. (Photo: SWIFT)

Banks that collectively own SWIFT saw their profits vanish last year as the organization increased its investments in information security, even as the interbank messaging service handled record volumes of money-moving messages.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

The investment followed the $81 million heist from the central bank of Bangladesh in February last year, accomplished by attackers who issued fraudulent SWIFT money-moving messages from a compromised Bangladesh Bank system. News of the attack sparked a public relations disaster for the Brussels-based cooperative, formally known as the Society for Worldwide Interbank Financial Telecommunication, calling into question the integrity of its messaging service and whether the organization was doing enough to police members' information security practices.

A newly released annual report shows that SWIFT's 2016 profit - before taxes and rebates to its owner-customers - fell by 31 percent, to €47 million ($53 million). SWIFT operates as a cooperative, and at the organization's discretion, profits, which totaled €33 million ($37 million) in 2015, can be distributed to members in the form of rebates or lower service prices. In 2016, however, SWIFT issued no such rebates, reflecting the organization's increased spending on information security.

Meanwhile, the overall volume of messages sent using the service increased by 7 percent from 2015 to 2016, hitting a record-setting peak in June 2016 of more than 30 million messages sent in one day.

SWIFT declined to comment on its financial results.

In its 2016 annual report, SWIFT reports that it has tripled the size of its security team over the past three years and plans to add additional staff. In addition, it now maintains a 24/7 security operations center designed to monitor for and respond to any logical or physical attacks against SWIFT or its messaging system.

"In line with the increased threat, and reflecting our uncompromised focus on security, we have continued to invest in security and grow our dedicated staff; by the end of 2016 we had tripled the size of our security teams over the previous three years," says SWIFT CEO Gottfried Leibbrandt. "We have bolstered our information security function by hiring a new chief information security officer and creating new positions in the CISO office, enhancing the existing talent in this important part of our organization. To ensure our own readiness to respond to unexpected threats, we also continued to test ourselves, carrying out more than 500 business continuity exercises during the year."

SWIFT's management team members now have incentives linked to specific security targets set by Chairman Yawar Shah, Reuters reports.

Those moves followed the February 2016 central bank of Bangladesh heist, which saw attackers use fraudulent SWIFT messages to attempt to steal $951 million from the bank's Federal Reserve of New York account. Ultimately, they made off with $81 million, and other banks revealed similar attacks, some of which had been successful.

SWIFT says more than 11,000 financial institutions across 200 countries and territories now use its interbank messaging system.

U.S. government sources have told media outlets that federal investigators traced the Bangladesh Bank heist to attackers associated with North Korea. But security experts say multiple groups have been launching such attacks.

Bangladesh Bank Heist Fallout

SWIFT has continued to emphasize that its messaging network has not been hacked. "There is no indication that SWIFT's network or core messaging services were compromised in any of these attacks," its annual report reads.

In the wake of the Bangladesh Bank heist, however, critics alleged that SWIFT was failing to do enough to ensure that the institutions that use its system are themselves secure. The apparent ease with which attackers had commandeered Bangladesh Bank's systems and used it to issue fraudulent money-moving messages called into question the integrity of SWIFT's messaging environment. The bank's response - blaming SWIFT and the Federal Reserve Bank of New York - also triggered unwanted scrutiny of banks' information security practices by regulators in multiple countries as well as public relations fallout for SWIFT.

Hearts-and-Minds Campaign

In response, SWIFT issued updated security guidance to customers, warned them that it would soon require them to comply with a number of mandatory security controls and announced the launch of a new Customer Security Program in July of last year.

SWIFT also launched a hearts-and-minds campaign, asking banks to tell it when they saw attacks that touched - or attempted to subvert - SWIFT's messaging system. The organization also created an internal digital forensics and customer security intelligence team to share better attack-related intelligence with customers and contracted with cybersecurity specialists BAE Systems and Fox-IT to provide incident response services for hacked banks.

"Information sharing is being spearheaded by SWIFT's new Information Sharing and Analysis Centre (ISAC), a secure portal that shares intelligence bulletins and other cybersecurity-related information," according to Stephen Gilderdale, head of the U.K., Ireland and Nordics region for SWIFT.

"This initiative is led by SWIFT's Customer Security Intelligence team, which analyzes reported incidents to help customers to protect themselves against similar attacks," he adds. "The CSI team studies the modus operandi of the attackers, develops indicators of compromise, and provides the information back to the financial community through a security notification service in anonymized form."

In July 2016, SWIFT released updated client software - Alliance Access Release 7.1.20 and 7.0.70 - that it says added "stronger default password management," integrity-checking features as well as built-in two-factor authentication.

In December 2016, SWIFT launched daily validation reports, which it bills as a "secondary fraud control" designed to allow "to help smaller banks identify potential fraud by verifying the previous day's transactions, as well as seeing flags for any large, unusual or new types of payments.

Multiple Attack Groups

Attackers have continued to target banks via fraudulent money-moving messages sent from hacked institutions that connect to the SWIFT network. Security firms have blamed some other recent attacks of this type - targeting banks in Europe - on hackers that may be tied to North Korea.

But experts say multiple groups of criminal hackers have been targeting SWIFT-using banks (see Hackers Target SWIFT-Using Banks With Odinaff Malware).

In addition, earlier this year, a dump by the Shadow Brokers revealed an apparent National Security Agency program designed to hack into - and monitor - some SWIFT-using institutions, via a third-party SWIFT service bureau. The impetus for the monitoring, experts say, is likely to track terrorism-related financing or monitor for violations of U.S. sanctions (see Hackers Reveal Apparent NSA Targeting of SWIFT Bureaus).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network