The Risks of the SWIFT network

While the world seems to be full of cryptocurrency hacks, it should not be forgotten that the SWIFT network is still a major security risk…

While the world seems to be full of cryptocurrency hacks, it should not be forgotten that the SWIFT network is still a major security risk. Over the weekend it was revealed that India’s City Union Bank has been hacked for over $2 million using the SWIFT financial platform. While cryptocurrencies are built on solid cryptography (and poor handling of the wallets is responsible for most of the hacks), the SWIFT network is built on more traditional methods of money transfer.

The headquarters of SWIFT is in Belgium, and it supports a global network (SWIFTNet) of over 9,000 financial organisations for transferring funds between banks using Business Identifier Codes (BICs), which are also known as “SWIFT codes”. At present there are around 15 million messages per day. The network does not hold any of the account details of its members, nor does it clear the transaction; instead it sends payment orders which are then settled by the target of the transaction. Any company which uses the SWIFT network must have a business relationship with an associated member.

The BIC value uniquely identifies the name and country of the bank — and possibly the branch. It is either 8 or 11 characters long. The Bank of Ireland’s BIC is the eight-character code BOFIIE2D: BOFI (four-character code for the bank); IE (Ireland ISO country code); and E2 (location code). A three-character branch code can also be appended to the end.

The hack involved three “fraudulent remittances” which were sent to accounts in Dubai, Turkey and China. These were remittances of $1 million, $372,150 and $500,000, sent through Standard Chartered Bank accounts. The $500,000 and $372,150 remittance payments have since been blocked. This comes on the back of the same bank being involved in a suspected $1.7 billion fraud using unauthorized loans to bank employees.

Previous hacks

There have been a number of previous hacks of the SWIFT network, including:

  • In February 2016, $81 million was stolen from the Bangladesh central bank, and a number of other recent incidents were reported.
  • Last year, Wells Fargo transferred $12 million from Banco del Austro in Ecuador but it is now believed that these funds have been stolen by hackers.
  • A week ago, Tien Phong Bank, a Vietnamese lender, outlined that it stopped a theft of over $1 million on the Swift network.

There are allegations from both sides that the other is to blame, with weak security being pinpointed at the Bangladesh Bank, where it was stated that engineers left several security holes in its connection from the real-time gross settlement (RTGS) system into the Swift network.

UK and US order reviews

Overall, SWIFT is a global financial network which handles the transfer of billions of dollars of currency each day and which is a co-operative owned by 3,000 financial institutions. Carolyn Maloney, a Representative in Congress, wrote to the top banking regulators to request measures to strengthen the security of the network. The level of sophistication shown in the recent attacks shows that there is increasing investment and skill being used to compromise the infrastructure. Her focus is on stolen Swift credentials.

In the UK, the Bank of England has ordered UK banks to test their cyber security in order to reduce their exposure to the Swift hack. This includes completing an Indicators of Compromise review that was created by BAE Systems after it had investigated other attacks. Key aspects are to review and check the users who can access the network, and to implement an upgrade to the Swift Alliance Access software in May 2016.

Spoofing

The announcement around the Bangladesh bank hack said that there had been a number of fraudulent messages, and warned its members to update their software (by 12 May 2016), as the hack involved modifying Swift’s software on back office computers within the Bangladesh central bank in order to hide the transactions.

It is thought that the intruders obtained valid operator credentials using a “spoofed” ID, which could create and approve Swift messages. They then submitted fraudulent messages under the identity of those they were spoofing.

Only as strong as the weakest link

Swift connects 11,000 banks across the world and carries more than 25.8 million messages per day, with around half of these being money transfers. BAE reported that it had found malware that could have been used against the Bangladesh Bank in an online malware repository. It is reported that intruders set up transfers of $951 million from the Bangladesh central bank’s holdings at the New York Federal Reserve to the Philippines and Sri Lanka.

The $81 million transfer to the Philippines went through, to accounts in the names of two Chinese businessmen (though it is thought that these identities were spoofed), after which the money took a convoluted path through casinos and its trail was lost. The Sri Lanka transfer, though, failed: a $20 million transfer was stopped because of a typo in the message (“fandation” rather than “foundation” in the name of the Sri Lankan organisation involved).

The weak point seems to be the IT equipment used in the Bangladesh Bank, which included second-hand network switches, and the Swift servers were not isolated from the external network by a firewall. The malware was used to search for Swift messages and extract addresses and transfer references. It is likely the intruders then spoofed their authentication onto the Swift network and generated valid transfer messages, while also disabling the print-outs of the transactions to the printer in the bank.

Conclusions

The SWIFT network has scaled over the years and now has a massive footprint across the world. Unfortunately, its cybersecurity infrastructure is possibly not as strong as it could be.

With over 100 financial institutions in India connected to the SWIFT network, there is an increasing worry that the infrastructure has scaled up to a point which makes it difficult to avoid large-scale fraud.