The financial world was shaken in the last few weeks. It came to light that hackers breached systems of Bangladesh Bank, and attempted to steal $951 million from its account at the Federal Reserve Bank of New York. While the majority of transfers were blocked, $81 million was successfully transferred to accounts in the Philippines, making it one of the largest cyber heists to date.
Investigators believe the attackers have targeted other financial institutions. Easy Solutions can confirm, from our discussions with major financial institutions throughout Latin America, that multiple banks have been hit with similar attacks, some successfully stealing upwards of $10 million per bank.
The SWIFT system is painfully outdated, and it hands cyber criminals the keys to the kingdom once they are able to gain access. Money can be quickly transferred out and placed in any country of the criminal’s choosing, to then be funneled around the world.
SWIFT is the standard for financial messaging services used by most financial institutions across the globe to quickly send and receive information, including money transfer instructions. While it uses a private network, SWIFT is still a messaging system, and hence an avenue for cybercriminals to launch a wide range of electronic attacks.
The banks Easy Solutions is speaking with want to enhance the security of access to the SWIFT system. Because financial institutions use SWIFT mainly as a closed network, many of the traditional anti-fraud techniques used to protect web-based systems do not apply. So in this instance, deploying multi-factor authentication becomes even more critical, as the identity of the user is truly the only avenue into the network. By leveraging multi-factor authentication, be it biometric, push messages, token-based or some other format, banks can prevent criminals from accessing their SWIFT profile, even if they have the SWIFT codes and the usernames and passwords.
New SWIFT Web access – Opening the Door for Criminals?
However, it’s important to note that SWIFT has recently launched SWIFT Web access, which may become the starting point for criminals to launch phishing campaigns against bank employees in order to compromise SWIFT credentials.
We expect to see additional banks come forward to admit that they have been victims of SWIFT attacks. Multi-factor authentication adoption should be an immediate priority for all banks that do not already have it protecting their SWIFT network access.