Securing the Digital World

Web Threat Detection Services Deliver SWIFT Remediation

Jul 25, 2016 | by RSA |

With the dust settling on a series of high-profile cyber heists against international banks that use SWIFT's network, which facilitates international payments between banks, the service provider is weighing changes that would effectively exclude from its network banks that have, according to reports, "demonstrated weak information security."

The Brussels-based SWIFT (Society for Worldwide Interbank Financial Telecommunication) operates a vast messaging network that carries financial messages such as letters of credit, payments and securities transactions between member banks worldwide, and it also promotes the development of standardized, globally interoperable formats for financial transactions.

Although it is a private network that does not run over the public Internet, it is only as secure as the endpoints (e.g. computers) connected to it. Bank endpoints typically interact with the private SWIFT network through web application portals or through bespoke terminal-style software built in-house, so a compromise of either gives an attacker the same capability as a legitimate operator.

In spite of this recent series of thefts, SWIFT has no shortage of customers. In fact, each day nearly 10,000 SWIFT member institutions transmit approximately 24 million messages on SWIFT's network.

Cybercriminals Exploit SWIFT

The first instance of cyber-theft occurred back in February 2016, when hackers breached Bangladesh Bank's systems and stole the credentials needed to authorize payment transfers from the country's reserves at the Federal Reserve Bank of New York to fraudulent accounts in the Philippines and Sri Lanka. In this case the bank's network was compromised by custom malware, probably delivered by spear-phishing or placed by an insider. Large payments were then ordered and approved, most likely using compromised staff credentials for the SWIFT terminal. The attackers' malware was then used to rewrite the local transaction record database and account balances, giving them a window to extract funds before detection and resulting in a total fraud loss exposure of more than $81 million USD.

A second, more recent theft, confirmed by a local chapter of ISACA (the Information Systems Audit and Control Association), saw hackers steal $10 million from an unidentified Ukrainian bank. According to Ukrainian investigators, that sum was part of a larger campaign in which dozens of banks were compromised, with aggregate losses in the hundreds of millions of dollars. In this instance, malware installed on the bank's SWIFT messaging system was used to bypass the bank's secondary controls and then to remove any sign of the breach.

In its defense, SWIFT issued the following statement: "In both instances, the attackers have exploited vulnerabilities in banks' funds transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process."

A Call for a Swift Fix

Advanced attacks like those performed against the SWIFT payment system often have several attributes in common. The attackers perform reconnaissance of the financial institution's internal networks for months before the event in order to collect the information necessary to carry out the theft. This includes studying the bank's internal processes and controls in order to exploit any loopholes that let them move funds without triggering review.

SWIFT confirms as much by observing the "attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks - knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both."

While the recent SWIFT incidents did not exploit or go through the web application, the possibility is there. Web behavior analytics can identify attacks, even when custom malware is involved, as long as the fraudulent instruction is initiated through the application side. Signals worth watching in outbound instructions include:

  • Destination SWIFT codes (BICs) outside the U.S.
  • Anomalous spikes in aggregate amounts to specific SWIFT codes/associated banks
  • High-risk SWIFT codes (e.g. those associated with previous fraud from internal tracking or external intel)
  • New SWIFT codes for a given user, especially to foreign countries (based on, for example, previous six-months history)

Each of these signals, combined with high dollar amounts or amounts above a user's historical average, can be expressed as a rule that flags a transfer for review before it is released, which is the point at which an attacker who has already obtained valid operator credentials would otherwise go unnoticed.
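To make the rules above concrete, here is an added example (not code from RSA or from the original article) that scores one day's outbound transfer instructions against a baseline built from prior history. The BIC layout it relies on is standard (four-character bank code, two-character ISO country code, two-character location code, optional three-character branch code); the transfer records, the high-risk watchlist, the home country of "US", and the 3x threshold are constructed assumptions for the demonstration. It goes slightly beyond the article's list by also handling the case where a destination has no history at all, which the "new BIC" rule must catch because the spike rule has nothing to compare against.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Transfer:
    day: str           # ISO date the instruction was entered
    user: str          # operator who entered it through the web channel
    dest_bic: str      # destination SWIFT code (BIC): 4 bank, 2 country, 2 location, optional 3 branch
    amount_usd: float

HOME_COUNTRY = "US"
HIGH_RISK_BICS = {"RSKXPHMM"}   # hypothetical watchlist from prior fraud (constructed)
MULTIPLIER = 3.0                # how far above baseline an amount must be to be anomalous

def bic_country(bic: str) -> str:
    """The ISO country code is characters 5-6 of a BIC; reject anything not 8 or 11 chars."""
    if len(bic) not in (8, 11) or not bic.isalnum():
        raise ValueError(f"malformed BIC: {bic!r}")
    return bic[4:6].upper()

class Baseline:
    """Per-user and per-destination profile built from prior (assumed trustworthy) history."""
    def __init__(self, history):
        self.bics_seen = defaultdict(set)       # user -> BICs that user has paid before
        self.user_amounts = defaultdict(list)   # user -> every amount that user sent
        daily = defaultdict(float)              # (bic, day) -> aggregate sent to that BIC that day
        for t in history:
            self.bics_seen[t.user].add(t.dest_bic)
            self.user_amounts[t.user].append(t.amount_usd)
            daily[(t.dest_bic, t.day)] += t.amount_usd
        per_bic = defaultdict(list)
        for (bic, _day), total in daily.items():
            per_bic[bic].append(total)
        self.daily_to_bic = {bic: mean(v) for bic, v in per_bic.items()}  # usual daily aggregate

def score_batch(batch, baseline):
    """Return [(transfer, reasons)] for one day's instructions; an empty reasons list means no alert."""
    batch_daily = defaultdict(float)
    for t in batch:
        batch_daily[(t.dest_bic, t.day)] += t.amount_usd
    results = []
    for t in batch:
        reasons = []
        foreign = bic_country(t.dest_bic) != HOME_COUNTRY
        if foreign:
            reasons.append("destination_outside_" + HOME_COUNTRY)
        if t.dest_bic in HIGH_RISK_BICS:
            reasons.append("high_risk_bic")
        if t.dest_bic not in baseline.bics_seen[t.user]:
            reasons.append("new_bic_for_user_foreign" if foreign else "new_bic_for_user")
        hist = baseline.user_amounts[t.user]
        if hist and t.amount_usd > MULTIPLIER * mean(hist):
            reasons.append("amount_above_user_average")
        usual = baseline.daily_to_bic.get(t.dest_bic)   # None for a never-seen destination
        if usual is not None and batch_daily[(t.dest_bic, t.day)] > MULTIPLIER * usual:
            reasons.append("aggregate_spike_to_bic")
        results.append((t, reasons))
    return results

# Constructed sample data: six months of "normal" history, then one day's new instructions.
HISTORY = [
    Transfer("2016-01-04", "alice", "BANKUS33", 10000.0),
    Transfer("2016-01-05", "alice", "BANKUS33", 12000.0),
    Transfer("2016-01-06", "alice", "BANKUS33", 11000.0),
    Transfer("2016-01-04", "alice", "BANKGB2L", 5000.0),
    Transfer("2016-01-04", "bob", "BANKDEFF", 20000.0),
    Transfer("2016-01-05", "bob", "BANKDEFF", 22000.0),
]
BATCH = [
    Transfer("2016-07-20", "alice", "BANKUS33", 9000.0),    # routine domestic payment
    Transfer("2016-07-20", "alice", "RSKXPHMM", 30000.0),   # new, foreign, watchlisted, large
    Transfer("2016-07-20", "bob", "BANKDEFF", 40000.0),     # individually fine, but ...
    Transfer("2016-07-20", "bob", "BANKDEFF", 35000.0),     # ... together they spike the daily aggregate
]

def run_example():
    return score_batch(BATCH, Baseline(HISTORY))

if __name__ == "__main__":
    for t, reasons in run_example():
        print(f"{t.user:6} {t.dest_bic:12} {t.amount_usd:>10,.0f}  {reasons or 'ok'}")
```

The aggregate rule is evaluated over the whole batch rather than per instruction, so two individually unremarkable payments to the same BIC still trip it; that mirrors the "spikes in aggregate amounts" signal in the list above. The baseline is only as good as the history it is built from, so it should be computed from transactions that were themselves reviewed, not from the window in which an attacker may already have been operating.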

Indeed, with visibility into the network segment where these transactions are initiated, and early-detection tooling that applies the checks above before an instruction leaves the bank, a SWIFT member could catch fraudulent transfers in its web channel using the same signals it already watches for in SWIFT transactions, potentially saving millions of dollars a month.

Additionally, measures such as two-factor authentication for transfer initiation, less reliance on manual oversight to confirm that the SWIFT system is operating correctly, and upgrades to the SWIFT software itself may be required to protect future transactions on the SWIFT network.