SWIFT to Banks: Get Your Security Act TogetherAfter Finger-Pointing Over $81 Million Bank Hack, Parties Pledge to Cooperate
SWIFT has issued its first-ever information security guidance to banks, telling them to get their act together.
The guidance was issued as finger-pointing has intensified over who's responsible for the failures that led to the theft of $81 million from the Bangladesh central bank's New York Federal Reserve account in February (see SWIFT Warns Banks: Coordinated Malware Attacks Underway).
Bangladeshi police have publicly blamed Brussels-based SWIFT, a bank-owned cooperative founded in 1973, for introducing vulnerabilities into its IT infrastructure that attackers later exploited. But SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, says in a statement that those are "baseless allegations" and that the bank is responsible for the security of all systems that interface with its network, "starting with basic password protection practices."
As part of the audacious online heist - one of the largest in history - hackers attempted to transfer $1 billion out of Bangladesh Bank's account at the Federal Reserve Bank of New York and successfully transferred about $100 million. Most of that money was then laundered via casinos in the Philippines and disappeared, investigators say, although about $20 million has since been recovered.
In the wake of the theft, SWIFT acknowledged that Bangladesh Bank wasn't the first user to be targeted with malware that was designed to subvert the cooperative's messaging platform (see SWIFT Confirms Repeat Hack Attacks).
And for the first time in the cooperative's history, earlier this month SWIFT issued information security guidance to all of its users, urging them to review their security policies and procedures, Reuters reports. "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," according to a copy of the letter, dated May 3, and shared by a bank with Reuters for review on May 10.
"As a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments," the letter says. "We urge you to take all precautions."
SWIFT confirmed the authenticity of that report but declined to share a copy of the letter.
Greater Cooperation Pledged
Bangladesh officials had previously stated that they believe that the New York Fed and SWIFT share at least some responsibility for the February attacks. Of 35 transfer orders created by the hackers and submitted to the New York Fed, the Fed stopped most for being suspicious, but did let five through.
But on May 10, representatives from SWIFT met with the Bangladesh Bank, including its governor, and the New York Fed, including its president, to discuss the February attack, and they agreed to work more closely together. "The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks," the three parties said in a jointly issued statement.
FBI investigators now suspect that at least one bank employee acted as an accomplice, The Wall Street Journal reports, but Bangladesh Bank officials say they have received no related intelligence from the bureau.
Meanwhile, an investigation by digital forensic investigation firm FireEye, which was hired by the bank to investigate the breach, found evidence that three different hacking groups had penetrated the bank's system, Bloomberg reports. Two of those groups have suspected ties to nation states - one to North Korea, the other to Pakistan - but FireEye said it suspects that a third, as yet unidentified group of hackers committed the heist.
FireEye didn't immediately respond to a request for comment about that report.
Police Probe Blames SWIFT
The May 10 meeting followed remarks made by Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police, to Reuters, saying that its probe discovered that a SWIFT technician had not followed standard operating procedures when connecting the bank's first-ever real-time gross settlement system to SWIFT, three months prior to the cyber heist, thus leaving "loopholes" that compromised the bank's security (see Study: Banks See Surge in Cyber Fraud).
An unidentified bank official told Reuters that access to the SWIFT messaging system had been left easily accessible, that it lacked even a firewall for protection, and only required a simple password, even for remote access. "It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done," the official said.
But SWIFT quickly dismissed those allegations. "The accusations have no basis in fact," SWIFT said in a May 9 statement. "SWIFT was not responsible for any of the issues cited by the officials, or party to the related decisions."
SWIFT added that when it comes to information security, the buck stops with users, while also getting in a dig about poor password practices at the institution. "As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment - starting with basic password protection practices - in much the same way as they are responsible for their other internal security considerations," it said (see Why Are We So Stupid About Passwords?).
"We stand by our investigation," Alam told Reuters in response, adding that he didn't want to debate the matter, but rather help catch the criminals involved.