SWIFT asks its customers to help it end a string of high-profile banking frauds

The company has promised an update to its security guidelines soon, following criticism of outdated practices

Financial transaction network SWIFT called on its customers Friday to help it end a string of high-profile banking frauds perpetrated using its network.

The SWIFT network itself is still secure, it insisted in a letter to banks and financial institutions. However, some of its customers have suffered security breaches in their own infrastructure, allowing attackers to fraudulently authorize transactions and send them over the SWIFT network, it said.

That's the best explanation so far for how authenticated instructions were sent from Bangladesh Bank to the U.S. Federal Reserve Bank of New York over the SWIFT network, ordering the transfer of almost US$1 billion. The Fed transferred around $101 million of that before identifying an anomaly in one of the instructions. Only $20 million of that has so far been recovered.

"While customers are responsible for the security of their own environment, security is our top priority and as an industry-owned cooperative we are committed to helping our customers fight against cyber-attacks," SWIFT said in the letter.

SWIFT wants its customers to come forward with information about other fraudulent transfers made using their SWIFT credentials, to help it build a picture of how the attackers are working.

It's making more than a polite request: It reminded its customers that they have an obligation to provide such information under the terms of their contract, and also to help SWIFT identify, investigate, and resolve problems, including by providing diagnostic information following an incident.

SWIFT promised its customers it would share new information about malware or other indicators of compromised systems. It said it would add such information to a restricted section of its website, tacking it on to knowledge base tip number 5020928, "Modus Operandi related to breaches in customer’s environment."

"All new and relevant information related to cyber incidents at customers’ institutions known to us will be posted," SWIFT said in its Friday letter. But customers would do well to search elsewhere, too, as the company has scattered recent information about hacks across its knowledge base.

Tip 5020930, for instance, explains how to tell whether a system has been compromised by malware that prevents the storage of transaction acknowledgements in the default location on disk, one of the most likely explanations for how the Bangladesh heist initially escaped detection.

The tip immediately after that, 5020931, describes "indicators of compromise" to help users identify whether they are affected by malware that corrupts the hard disk's Master Boot Record and then reboots the system, perhaps offering a hint as to how another recent attack on a SWIFT customer was carried out. "This malware known to SWIFT was designed to destroy the MBR (Master Boot Record) of the disk and reboot the system. After reboot the system does not boot anymore," it says.

Knowledge base entries show that SWIFT has updated its Alliance Access software several times in recent months. One of the tips warns that, while keeping the software up to date is important, it is not sufficient in itself. "While the software update provides additional integrity verification and alerting capabilities for this particular modus operandi on your interface to the SWIFT network, it will not help you protect against all malwares or your internal credentials being compromised," SWIFT wrote in another recent letter to customers, entitled "Security Issues."

SWIFT also offers more general security guidance to its customers and says it intends to update this shortly, reinforcing its recommendations for securing access to the network.

The current security guidance is sorely in need of an update, according to Doug Gourlay, corporate vice president of security software vendor Skyport Systems. He reviewed the guidance document issued on March 18 (SWIFT updated it on April 29 to reflect changes in Alliance Access 7.1.15) and found it wanting.

"The document is a fairly comprehensive approach to securing SWIFT against the types of attacks that were prevalent a decade ago," Gourlay wrote in a May 13 blog post. But times have changed, he said, and "their model does not seem to have adapted to the threat landscape we are facing today."

Gourlay advised that SWIFT should make five changes in its security guidance.

Among his recommendations, he suggested limiting the attack surface by only allowing access to the Alliance web platform from secure administrative workstations. Better yet, he suggested, use virtual workstations, rebuilding them after each administrative session to eliminate malware such as keyloggers.

He expressed shock that SWIFT recommended accessing the Web platform using Internet Explorer, the last version of which was released in 2013, or Firefox, but made no mention of either Chrome or Microsoft Edge, the browser included with Windows 10. "I will drop the mic here and avoid any further recommendations regarding the browser choices ... you all know better (I hope)," he wrote.
