Banks Still Losing Money through SWIFT Attacks


It has been half a year since the now infamous bank heist that saw the Bangladesh Central Bank lose over $80 million from its New York Federal Reserve account. Hackers were able to exploit the bank’s lax security framework with SWIFT transfers, at the time. Things haven’t changed much, SWIFT privately disclosed to its client banks.

SWIFT, the co-operative owned by banks and responsible for connecting the global banking system is urging its clients to improve their security framework after privately disclosing that cyber-heists are still costing its member banks.

The attacks are fundamentally targeting the banks’ connectivity to the SWIFT messaging network, particularly those with a vulnerable security framework. Still, it’s plenty embarrassing for SWIFT, which has been in the spotlight for all the wrong reasons lately.

The financial messaging network added that many of the attacks since February have been thwarted due to the newly introduced security procedures mandated by SWIFT, following the high-profile heist. However, new cyber-heist attempts have been successful, SWIFT said.

An excerpt from the private letter, obtained by Reuters, read:

Customers’ environments have been compromised, and subsequent attempts [were] made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.

The private letter, sent out to 11,000 members, did not reveal the banks who fell prey to the most recent attacks. While the letter added that banks had lost money, it did not reveal how much, either. The targeted banks had one thing in common, “they all had particular weaknesses in their local security,” SWIFT added.

Also read: Panicking SWIFT Urges Banks to Report Cyber Heists

The letter also indicated that banks around the world are being targeted. “The customers that have been targeted have varied in size and geography; used diversity connectivity methods and a range of interfaces from different vendors,” the letter stated.

Time for That Software Update

The non-profit cooperative is having a particularly hard time enforcing the new security measures among its member banks due to a lack of regulatory oversight. Since the Bangladesh heist, SIWFT developed a more stringent security process for authenticating transfer requests. Predictably, the SWIFT software has also seen updates but, amazingly, not every bank has installed it.

As a result, the private letter has issued a threat saying the network might report banks to regulators if they fail to update to the latest version of the software before the deadline on November 19.

SWIFT has repeatedly insisted that its core messaging service remains secure, pointing to the banks’ local framework for the security shortcomings that sees banks connected to the world’s financial messaging system, repeatedly targeted and exploited by malicious hackers.

Featured image from Shutterstock.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.