SWIFT finally pushes two-factor auth in banks – it only took several multimillion-dollar thefts
Better late than never
The international financial network SWIFT has said it will "expand" its use of two-factor authentication when banks shift funds.
The belated decision comes following a turbulent few weeks in which a series of multi-million dollar thefts carried out through the SWIFT system came to light.
Bangladesh's central bank lost $81m, Ecuadoran bank Banco del Austro SA lost $12m, and the same attacks were also used against a bank in the Philippines and the Vietnamese bank Tien Phong.
SWIFT's initial response to the hacks was to stress that its network had not been compromised and the thefts were the result of other banks' systems being hacked.
But that slant on things elicited a fierce response, with experts pointing out that SWIFT's security measures were severely lacking and used a model of threat awareness that was a decade out of date.
Stung by criticism, a few weeks later SWIFT's CEO promised to review the organization's security measures and earlier this week outlined a five-point plan in a speech at a financial conference.
On Friday, that plan was fleshed out a little. It will now "require" more information from customers and share that information with its other customers, plus inform everyone on its system of any incidents, and issue "best practices" for "cyber defense."
Critically, it will "expand" its support of two-factor authentication as well as include "additional tools" such as monitoring software. Although we note that it has still not said it will insist on the basic security measure for transfers.
SWIFT will provide "audit frameworks" and create audit standards and certification, plus compare banks' compliance level with "baselines."
And it will "support increased payment patterns control" as well as "explore tools to allow customers to quickly recall fraudulent payment messages" and make it easier to put a stop on payments.
All of those improvements will help beef up the security of a system that moves billions of dollars around the globe on a daily basis. The fact that it took four incidents of theft and widespread public criticism to force SWIFT to enter the modern world does not put the organization in a good light, however. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust