A recent attack against the SWIFT (Society for Worldwide Interbank Telecommunication) international financial transaction system has focused attention on the potential cascading threat of an interconnected yet not fully integrated system. Cyber professionals group the core goals of cyber security into three broad categories: Confidentiality, Integrity and Availability (CIA). Most financial service attacks have targeted Confidentiality and Availability. The SWIFT attack is an attack on Integrity, which represents a dangerous escalation of the threat.
It has come to light and been widely reported in the media that in February, unknown hackers broke into the Bangladesh central bank’s systems and stole credentials for payment transfers. The hackers then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh bank's account there to entities in the Philippines and Sri Lanka, successfully transferring US$ 81 million of an intended US$ 1 billion.
It has subsequently been reported in the media that the cyber security posture of the Bangladesh central bank was below par, with a named British defence contractor having shown that the SWIFT software used to make payments was compromised, enabling the hackers to send money around the world without leaving any trace in Bangladesh. That the intrusion reached the global financial transaction system raises concern over the systemic integrity of the entire network, which has 3,000 financial institution owners and users.
Such is the level of international alarm raised by the breach that this April the Bank of England ordered UK banks to specify how they would protect computers connected to the SWIFT bank messaging system.
DarkMatter conclusion and recommendations
This attack is already having global repercussions. On 20 May, SWIFT itself circulated an open letter to its users providing an update on the steps it is taking in light of a number of fraudulent payment cases, and on the specific measures members need to take so that the community uses its collective force to reduce the risk of cyber intrusions.
SWIFT put forward the following measures:
Information sharing approach
SWIFT has said it will continue to notify members as soon as possible of any cases of malware known to it so that users can better target their preventative and detective efforts in their local environment. SWIFT has also pledged to continue to share best practices to help all users improve their security as it has been doing proactively over recent months.
SWIFT stated that given it is a global community, it needs to share relevant cyber information amongst its community of users. To improve information sharing, as a first step, the society will be centralising all new and existing security information through KB tip 5020928 in the restricted customer section on SWIFT.com.
Going forward, all new and relevant information related to cyber incidents at customers’ institutions known to SWIFT will be posted on that KB tip, allowing customer security teams to have the most up to date information, which it is hoped will enhance their ability to react and respond.
Collaboration against cyber threats
In its letter SWIFT commented that the security of its global financial community can only be ensured through a collaborative approach among SWIFT, its users, its central bank overseers and third party suppliers. As such the society stated it remains essential that users share critical security information related to SWIFT with it.
From a DarkMatter perspective, we support SWIFT’s recommended measures, as transparency, information exchange and collaboration are critical to the sustainable success of any trust-based network. However, we do not believe these measures go far enough, nor do we consider their reactive nature the most effective long-term cyber security strategy.
DarkMatter believes all parties – the sending bank, the receiving banks, and SWIFT – could have done more to prevent the unauthorised transactions. The receiving banks should be doing more to flag suspect transaction requests, though the main culprit here is the sending bank. What type of logon credentials was the Bangladesh bank using? For large sums the bank should have been using multi-factor authentication for account access, so that even if a password was stolen and access to a system gained, the hackers could not reach any accounts or transactions without the corresponding token or biometric for the account.
This way unauthorised transactions cannot occur without the complicity of an insider (i.e. the account administrator). The alternative is that the bank was using multi-factor authentication and the token was also stolen, which would point to a failure in the Bangladesh bank’s asset management process. Unaccounted-for tokens should be reported and deactivated immediately, which again would have foiled the attack. In short, there is a high probability that this incident could have been avoided completely had the Bangladesh bank been using multi-factor authentication with diligent asset management of authentication tokens.
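As an added illustration of the control argued for above (example code, not DarkMatter's or SWIFT's), the Python below gates a high-value payment on a password plus an RFC 6238 TOTP token and honours a token revocation state, so a stolen password alone, or a stolen token already reported missing, is refused. The user store, token registry, secrets and value threshold are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed stores for this example: a real system keeps these in a
# directory/HSM and uses a memory-hard password hash (argon2/bcrypt).
SALT = b"constructed-salt"

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"ops-clerk": {"pw": pw_hash("correct-horse"), "token": "TOKEN-001"}}
TOKENS = {"TOKEN-001": {"secret": b"constructed-secret-0001", "status": "active"}}
HIGH_VALUE_THRESHOLD = 1_000_000  # constructed: transfers at/above this need MFA

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; t is Unix time in seconds."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def report_token_lost(serial: str) -> None:
    """Asset-management step from the text: an unaccounted-for token is deactivated."""
    TOKENS[serial]["status"] = "revoked"

def authorize_transfer(user: str, password: str, amount: int,
                       otp: Optional[str] = None, now: Optional[int] = None) -> str:
    """Return 'approved' or a 'denied: ...' reason for one payment request."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], pw_hash(password)):
        return "denied: bad credentials"
    if amount < HIGH_VALUE_THRESHOLD:
        return "approved"  # low value: password alone suffices in this model
    tok = TOKENS.get(rec["token"])
    if tok is None or tok["status"] != "active":
        return "denied: token not active"  # a reported-lost token is useless
    if otp is None or not hmac.compare_digest(totp(tok["secret"], now), otp):
        return "denied: second factor required"  # stolen password alone fails
    return "approved"

if __name__ == "__main__":
    t = 1_700_000_000
    print(authorize_transfer("ops-clerk", "correct-horse", 81_000_000, now=t))
```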
DarkMatter recommends that institutions adopt a pro-active approach to cyber security in which they assume a state of breach, so that the defences and mitigation mechanisms are already in place to minimise the disruption caused by any cyber security incident.
SWIFT users need to better understand their respective risk profiles before any mitigation can begin in earnest. This involves understanding their assets, the full range of threats they may face and from whom, and their vulnerabilities. SWIFT as a society needs to develop a network-wide monitoring and mitigation protocol in the face of cyber threats.
Mitigation is a three-part process encompassing visibility, intelligence and integration.
Visibility means truly understanding the configuration of your network and, most importantly, who has access to it. Large companies in particular often maintain networks patched together over decades, running different generations of software. It’s a simple truth that you can’t protect what you don’t understand; a thorough audit is vital at the start of any mitigation process. Sophisticated mapping software can certainly accelerate this process, but ultimately a comprehensive audit requires people on the ground to ask the right questions, locate servers and establish who holds access rights.
Intelligence relates an individual system’s characteristics to the known threats and to the network’s vulnerabilities in relation to them; it takes the threat intelligence gathered in the risk assessment process and relates it to the specifics of the organisation’s system.
Integration aggregates the information found in the first two phases and displays it in a format that can be readily understood by decision makers, enabling them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion. SWIFT, armed with this complete picture, should then be able to create a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology.