The chief executive officer of Swift, the interbank messaging system embroiled in a global bank-hacking controversy, says to expect more information about breaches to emerge as fully armoring the network’s defenses is likely to take years.
“We don’t think this is going to be solved overnight, so we’ll be looking for a number of quick wins to improve things in the near term,” Gottfried Leibbrandt, Swift’s CEO, said in an interview from the cooperative’s London office on Wednesday. “The full rollout, and the full shore up, will be a matter of years.”
Hackers used Swift messages to steal $81 million from Bangladesh’s central bank in February, and since then investigators are said to have identified breaches at as many as 12 other banks. Swift’s boss talked directly to the media about the attacks for the first time, as the crisis has pushed the little-known Belgium-based operation into the center of an investigation into one of the largest cyberheists in history.
“The amounts are staggering,” said Leibbrandt, a Dutch former principal at McKinsey & Co. “For these amounts, it starts to be worth it to develop custom-made malware and to put in a huge effort to pull this off.”
Swift’s role in payments is based on trust in its network: if you receive a message from Swift, you can be sure it is legitimate and move the money as instructed. That trust has secured its dominance of the international payments system over the four decades since it was founded.
The cooperative, whose full name is the Society for Worldwide Interbank Financial Telecommunication, insists that its “core” messaging service hasn’t been compromised. It says the security breakdown occurred on computers that interact with its system, but which remain the responsibility of its individual members. Some 11,000 institutions use the network.
There are signs, however, that the hands-off approach to its members’ security may be untenable. In a speech in Brussels last week, Leibbrandt unveiled a five-point plan to upgrade defenses, which could include auditing its members’ security.
In the Bangladesh case, the Federal Reserve Bank of New York was tricked by fake Swift messages into wiring money it held for the country to hacker-controlled accounts in the Philippines. Hackers impersonated bank officials to send the messages, and they deployed malware targeting a PDF reader used to check statements. Swift says that the machines involved are the responsibility of its members.
“There is a world before and after Bangladesh,” Leibbrandt said. “It is a big deal and the industry has to address it, and we want to help.”
Leibbrandt, who has been CEO for four years, wasn’t aware of a user ever being kicked out of the cooperative for lax security, but he acknowledged that it may happen in future. An unintended consequence, however, could be that a disconnected bank might have little incentive to shore up its security, while remaining a part of the broader correspondent banking system.
“We’d be foolish to leave anything off the table,” Leibbrandt said.
Another focus for improvement is communication between members. The Dutchman said banks can be loath to share information about a cyberattack, and that he learned of some of the breaches from media reports.
Security firms and intelligence agencies are still trying to figure out who is behind the attacks. Apart from Bangladesh, banks in Vietnam and Ecuador have also been infiltrated. Security company Symantec Corp. said in a blog post that the attacks resemble hacks believed to have been perpetrated by North Korea.
Leibbrandt declined to speculate on who was behind the attack, saying the cooperative isn’t in the business of attributing blame, and that it is too early to tell if the breaches were inside jobs committed by bank employees.
“There are a lot of theories out there and we’ll see where this goes,” Leibbrandt said.