Hackers ran through holes in SWIFT’s network

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has James Bond-level security at the facilities it uses to move millions of bank-payment orders around the world every day.

Visitors to a Swift operations center in Culpeper, Va., say their car trunks were inspected upon arrival by armed guards, who used mirrors to check under the chassis. Security inside included a fingerprint scan, a test for chemical weapons and an iris scanner in the most restricted areas.

“It’s like Fort Knox,” says Mohan Murali, chief executive of Axletree Solutions Inc., which helps banks and companies connect to Swift.

That isn’t where the thieves hit. In the past year, a spate of cyber-attacks has penetrated banks along Swift’s less-defended perimeter, shaking confidence in the dominant network used by banks for cross-border transactions. While Swift diligently locked down that network’s core, customers were left mostly responsible for their own security, creating an opportunity for hackers.

Targets included banks in India, Vietnam, Ecuador and Bangladesh. Thieves made off with a total of about $90 million from Bangladesh’s central bank and a commercial bank in Ecuador. The other cyber-attacks were unsuccessful.

It was a stunningly simple ruse: The cybercriminals behind the Bangladesh heist used malware to steal bank codes and place fake transfer orders, according to people familiar with the incident.

The attacks also have threatened the trust that banks have had for decades in Swift, a cooperative that runs the international messaging service among banks. Banks use the service to instruct each other what to do, making Swift the lifeblood of the global banking system, where trillions of dollars flow between banks each day.

“Swift was not watching for the launch of cyberattacks on its customers beyond the core network,” says Marcus Treacher, a Swift board member from 2010 to 2016. He now is an executive at digital-payments startup Ripple, an alternative to Swift

An examination of Swift’s culture and practices, including interviews with more than a dozen people who have worked for or closely with Swift, shows it was ill-prepared for some of the toughest challenges of the cyberattack era.

Security standards for banks using the Swift network were dictated in what was an eight-gigabyte handbook but rarely enforced, these people say. That left an opening for thieves to hack into Bangladesh’s computer systems, steal their Swift access codes and send fraudulent messages seeking nearly $1 billion in payments across Swift’s network. The total for all the cyberattack attempts in the past year isn’t known publicly.

Swift has since toughened its standards, including new rules for customers that were released in April, but it is too soon to tell how serious many of Swift’s customers are about reducing their vulnerability to security breaches.

Swift has said it was surprised by the scale of the cyberattacks, rushed to shore up the system’s defenses and remains confident in its overall security. Swift has said repeatedly that its core network, including the fortresslike facility in Virginia, hasn’t been breached. It says customers still have the primary responsibility for their own computer security.

Gottfried Leibbrandt, Swift’s chief executive, said in a statement: “While customers remain responsible for securing their own environment, we are dedicating very substantial efforts and resources to our customer security program, which aims to help customers improve their security and prevent these frauds.”

After last year’s theft from the Bangladesh central bank’s account at the Federal Reserve Bank of New York, he said in an interview: “We knew cyberrisk was a big deal for the industry, and it was only a matter of time before we saw something big happening, but I had not expected it in this form.”

Last summer, a Swift executive told a meeting of the Association of Banks in Singapore trade group that Swift was investigating 26 attempted cyberattacks on bank customers, according to an attendee. Swift spokeswoman Natasha de Teran declined to comment on the remark.

After repeatedly urging customers to follow voluntary guidelines, Swift has rolled out a series of mandatory security measures, introduced a new system to help users identify and block suspicious payments, and is now requiring customers to attest annually to their own security. Swift also warned banks that they will be reported to regulators if they don’t comply.

Swift tripled the size of its security team and hired a new chief information security officer from Deutsche Bank AG in October.

The changes come as cybercriminals take aim at everything from consumer health-care records to the U.S. power grid. Federal prosecutors believe that North Korea might have orchestrated the theft from Bangladesh’s account, according to people familiar with matter. No charges have been filed. North Korea’s permanent mission to the U.N. didn’t respond to requests for comment.

Based in Brussels, Swift has more than 11,000 users, up from about 500 when its electronic messaging service was launched in 1977.

Belgium’s Prince Albert pressed the button to turn on the service, and it soon rivaled the clunky, error-plagued Telex. Bessel Kok, one of Swift’s founders and a former Swift chief executive, says it became profitable within a year.

Growth was important to Swift and its bank owners, who were eager to lower per-message costs by spreading them across a larger base, people familiar with the matter say. Swift agrees that it wanted more users but says it wasn’t sales-driven or distracted by expansion.

Swift entered markets from Argentina to Australia. Much of the extra revenue it earned was distributed to members as rebates. Swift had revenue of €710 million ($773.6 million) and rebates of more than €30 million in 2015, the latest year for which figures are available. Messaging costs fell to slightly more than 2 euro cents in 2015, compared with 26 euro cents in 2001.

Employees at Swift’s headquarters often work without assigned offices or desks and are encouraged to take advantage of themed spaces like the “Vintage Room,” with red and cream patterned wallpaper, and the bamboo-decorated “Zen Room,” according to former employees.

The cafeteria nearly always offers wine with lunch, and employees have access to a swimming pool next to a 19th-century château on the property.

Leonard Schrank, another former Swift executive, says top managers considered an initial public offering during the dot-com boom of the late 1990s. Technology company values were soaring, but Swift backed down when member banks asked it to “stick to its knitting,” Mr. Schrank recalls.

As it grew and prospered, Swift spent heavily to secure its systems. But it saw the challenge largely as making sure intruders couldn’t penetrate crucial facilities and knock the network offline.

“Security issues were always primarily issues of stability, of coping with the volume on the network, and not the broader topic of full end-to-end security,” says Itzi Klein, a Swift board member from 1998 to 2003 who now works as an independent consultant.

Swift’s general counsel, Patrick Krekels, responds that Swift expanded to meet the needs of customers and reduce costs but never skimped on security.

“We are very much a technology and operationally driven company, not a sales-driven company,” says Mr. Krekels. “We have very prudently and deliberately moved step by step into adjacent markets.”

Swift has proclaimed the same motto for decades: “Failure is not an option.” If a bank’s corporate customer in New York needs to pay a supplier in Rome, the bank uses Swift to wire the corresponding bank in Italy to make the payment. Banks trust the authenticity of Swift’s messages so much that they are typically processed automatically.

Bangladesh joined the Swift network in 1995. Over the next two decades, some risky practices by Bangladesh’s central bank went undetected.

The central bank never changed its Swift passwords between late 2015 and early February 2016, according to an official at the bank. During that period, hackers breached the bank’s computer systems, found the credentials to the Swift terminal and ordered the fake money transfers.

The bank also wasn’t using two-factor authentication on the system it used to access Swift, according to a person familiar with the bank’s procedures. Two-factor authentication is a higher security standard that requires a second measure of verification in addition to a password.

Software that Swift provides to customers now has built-in two-factor authentication, but they can opt not to use it. At the time of the Bangladesh cyberattack, two-factor authentication was merely Swift’s preference for local access, according to a copy of its security guidance reviewed by The Wall Street Journal.

Two people briefed on the theft say two-factor authentication might not have made the hacks impossible but would have made them more difficult.

Subhankar Saha, a Bangladesh Bank spokesman, wouldn’t comment on the bank’s password procedures or authentication measures. He said the central bank had firewalls, but they may have been weakened or not implemented in the right places.

The hackers had sent the New York Fed fake payment orders requesting nearly $1 billion. The Fed paid out $101 million, of which $20 million was recovered after a banker in Sri Lanka spotted a typo. The Fed rejected other orders, some for formatting errors, and others after they were detected by a sanctions screen.

The Bangladesh attack was even more embarrassing because Swift officials had been at the central bank in late 2015 to connect its Swift messaging platform to another system that handled payments among the country’s banks, according to people familiar with the matter.

The hackers used malicious software to remotely monitor routine activity at the central bank for weeks before they struck. The Bangladesh central bank has said it is trying to determine if any of Swift’s work played a role in the attack. Ms. de Teran, the Swift spokeswoman, said Swift doesn’t comment on individual customers.

At first, Swift called the attack on Bangladesh Bank “an internal operational issue” at the central bank. When Swift learned that hackers were using software that disabled customers’ ability to print out logs of their messages, it issued a software patch but left it up to customers to implement the upgrade.

Last May, the Journal reported that Banco del Austro SA in Ecuador had suffered a similar attack. Thieves got the Ecuadorean bank’s Swift codes and used them to steal about $9 million with fake transfer orders.

Within days, Swift rolled out a new customer security program, hinting that it wouldn’t rule out the possibility of kicking violators out of the network. Swift didn’t make the controls mandatory until September.

The 16 mandatory standards include tighter password security, such as two-factor authentication. Swift ordered bank customers to update software, threatening to report to regulators anyone who doesn’t obey. Regulators have the power to withdraw licenses from banks deemed insufficiently safe and sound.

Axletree’s Mr. Murali says the number of clients he works with who have requested two-factor authentication for the Swift messaging system has jumped to about 150 from 10 since last year.

Swift will likely need more time to fully win back confidence. The New York Fed stopped making payments on the strength of Swift messages alone and adopted a policy of double-confirming orders from Bangladesh by phone.

A New York Fed official complained last June that the arrangement “is not sustainable,” according to a letter reviewed by the Journal. It isn’t clear if the policy is still in effect. The New York Fed declined to comment.

The Bank of Papua New Guinea uses Swift’s messaging service and has been interested in the cooperative’s newer products, including one that scrapes message traffic for data used in price benchmarks and business analysis.

“We are concerned about what happened,” says Stephen Pouru, a risk analyst at Papua New Guinea’s central bank. “The question everyone is asking is: What Swift is doing?”–The Wall Street Journal


. . . . . . . .

Leave a Reply