Call for, er, tailored action after it emerges second cyber-heist was thwarted
Inter-bank messaging system SWIFT’s security guidelines are “outdated and incomplete”.
The criticism from security vendor Skyport Systems comes days after SWIFT revealed that a second bank had fallen victim to credential theft fraud, adding to the concern already fuelled by February’s $81m Bangladesh reserve bank cyber-heist.
Vietnam’s Tien Phong Bank has come forward to identify itself as the victim of the second attempted attack, which involved a thwarted attempt to fraudulently transfer more than $1m, according to reports last weekend.
In both cases, the working theory is that hackers managed to get their hands on the access credentials needed to send messages on the SWIFT secure financial messaging system, either by successfully infecting terminals on the network of the targeted bank or by using a corrupt bank insider.
SWIFT has repeatedly stated that in both cases the fraud arose because of a carefully planned attack against the targeted banks and shortcomings in their security controls rather than any weakness in the SWIFT financial messaging system as a whole.
Independent security experts are split on this point, with some at least arguing that a major revamp of SWIFT’s systems is needed.
For example, enterprise security startup Skyport Systems corporate VP Doug Gourlay’s analysis of the SWIFT Alliance’s security guidelines for its users concluded that while they address the “types of attacks that were prevalent a decade ago”, they fail to safeguard against today’s more sophisticated hacks. He claims that had they been updated and modernised – and presumably adhered to by SWIFT’s users – the recent hack might have been avoided.
Gourlay’s five-point prescription covers issues such as improved network segmentation, greater use of two-factor authentication and browser security improvements.
SWIFT supports two-factor authentication but, crucially, use of the technology is far from universal among banks connecting to the SWIFT network – even though hardware tokens and the like have been a staple of corporate remote access for 20 years or so.
We ran Skyhigh’s plan – outlined in a 1,800-word blog post – past SWIFT and an independent expert who has experience in installing SWIFT terminals at banks, but have yet to hear back from either. We’ll update this story as and when we hear more. ®