Details emerge of continued attacks on SWIFT transfers
Letter sent to participant banks in November 2016
Mandatory standards to be published in March 2017
Source: Banking Technology
Summary: Since the high-profile attack on Bangladesh Bank early in 2016, transfers over the SWIFT network have continued to be targeted by fraud. SWIFT has stated that mandatory customer security standards will be published in March 2017.
Point of View
Details of both high-profile and less well publicised attacks across the SWIFT network are emerging. The $81m loss suffered by the Bangladesh central bank early in 2016 highlighted that the security of the network depends on the authentication controls operated by each participating bank at its own endpoint. In response, SWIFT is introducing mandatory standards for participant banks as part of its Customer Security Programme. The standards are expected to be agreed and published by March 2017.
According to the Reuters report, the head of SWIFT’s Customer Security Programme stated that since the Bangladesh attack “banks have been hit with a ‘meaningful’ number of attacks - about a fifth of them resulting in stolen funds”. The Bangladesh attack is reported to have involved the compromise of basic authentication credentials, followed by a malware infection of the bank’s SWIFT-connected systems. Reports suggest that SWIFT does not mandate the use of strong two-factor authentication for participants and has been slow to publish requirements. There does not appear to be detailed public information on what specific actions and countermeasures the new standards will require.
Unlike the retail card payment networks, which publish their security requirements openly through the PCI standards, SWIFT is a relatively opaque organisation. The delay in bringing in suitable standards illustrates why openness matters: published requirements can be scrutinised, and challenged, by the widest possible community.
The continued attacks, together with the relative lack of transparency, erode trust in what is effectively a monopolistic supplier of inter-bank payments. The nature of the attacks, which target the credentials and systems at participant endpoints rather than the network itself, illustrates the need to treat authentication and cybersecurity as an ongoing programme, subject to continuous monitoring and renewal rather than a one-off certification.
Although the scale of SWIFT means significant change is unlikely in the short term, this situation may give potential competitors a narrative with which to gain additional exposure. For example, a blockchain-based approach such as Ripple’s shows how transparency can be built into the service proposition itself.
The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.