Updated: Interbank messaging system SWIFT's security guidelines are "outdated and incomplete".
The criticism from security vendor Skyport Systems comes days after SWIFT revealed that a second bank had fallen victim to credential-theft fraud, adding to concern already fuelled by February's $81m Bangladesh reserve bank cyber-heist.
Vietnam's Tien Phong Bank has come forward to identify itself as the victim of the second attempted attack, which involved a thwarted attempt to fraudulently transfer more than $1m, according to reports last weekend.
In both cases, the working theory is that hackers obtained the access credentials needed to send messages over the SWIFT secure financial messaging system, either by infecting terminals on the targeted bank's network or by using a corrupt bank insider. SWIFT has repeatedly stated that in both cases the fraud arose from a carefully planned attack against the targeted banks and shortcomings in their security controls, rather than from any weakness in the SWIFT financial messaging system as a whole.
Independent security experts are split on this point, with at least some arguing that a major revamp of SWIFT's systems is needed. For example, Doug Gourlay, corporate VP at enterprise security startup Skyport Systems, analysed the SWIFT Alliance security guidelines for its users and concluded that while they address the "types of attacks that were prevalent a decade ago", they fail to safeguard against today's more sophisticated hacks. He claims that had the guidelines been updated and modernised – and, presumably, adhered to by SWIFT's users – the recent hack might have been avoided.
Gourlay's five-point prescription covers improved network segmentation, greater use of two-factor authentication and browser security hardening, among other measures. SWIFT supports two-factor authentication but, crucially, use of the technology is far from universal among banks connecting to the SWIFT network – even though hardware tokens and the like have been a staple of corporate remote access for 20 years or so.
We ran Skyport's plan – outlined in a 1,800-word blog post – past SWIFT and an independent expert with experience of installing SWIFT terminals at banks. We've not yet heard back from SWIFT, but the independent SWIFT terminal installer told us: "I think that everything in that blog is very sensible. However, my big fear with fraud at this scale is how easily a low-level clerk or sysadmin could be bribed. When you're planning on stealing hundreds of millions of dollars, it's not unreasonable to reserve a couple million for bribing insiders. And a couple million dollars would go a long way in Bangladesh or Vietnam. In this scenario, IT security wouldn't really help."